The Black Basta ransomware gang has attacked Metro AG, the German multinational business and the parent company of global wholesaler Metro Cash & Carry. The company’s name was listed as a victim on the Back Basta leak site.
No details of the data accessed or ransom demanded have been given. Metro AG is yet to make an announcement confirming or denying the incident. According to market estimates, Metro AG is the fourth-largest retailer in the world by revenue, with around 680 stores in 24 countries in Europe and Asia as of 2020.
Too big to miss
Following the Russian invasion of Ukraine in February, many Western businesses shut shop in Russia. Contrary to that, Metro AG has been criticized for being sluggish in disclosing any divestitures or reductions in its activities in Russia. Government representatives from Ukraine demanded that the corporation be boycotted worldwide.
Retail was the second-most targeted industry by ransomware last year of all sectors, after media, leisure and entertainment sectors, said a report on ransomware attacks prepared by cybersecurity company Sophos. More than 75% of global retailers surveyed for the report were compromised by ransomware in 2021, according to the report.
The security vendor polled 422 retail respondents in mid-sized organizations (100-5000 employees) across 31 countries to compile its report.
The FIN7 connection
“First seen in July 2021, BlackMatter is a ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims,” said CISA alert on the ransomware.
“BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021.”
According to a report by security researchers at Sentinel Labs, new evidence claims that the Black Basta ransomware gang has collaborated with financially motivated hacking group FIN7 AKA “Carbanak.”
The researchers discovered evidence that a developer for FIN7 also created the EDR (Endpoint Detection and Response) evasion tools utilized exclusively by Black Basta since June 2022. Moreover, the researcher found more evidence linking the two threat actors, including IP addresses and TTP (tactics, techniques, and procedures) used by the latter in early 2022 and was employed by Black Basta a few months later.
BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.