A negotiation that lasted a few days was enough for the group of cybercriminals Black Basta to pocket a ransom of $300k, the initial amount requested by the ransomware group was $600k.
The American company KFI Engineers, with its headquarters in St. Paul in the state of Minnesota, finally decided to come to terms with its extortionists; more money that enters the coffers of a group of cybercriminals, more money that will allow Black Basta to finance his group and his illegal actions.
KFI Engineers is a privately held process and plant infrastructure design and performance company with 7 other branches in 6 states (Arizona, Kentucky, Iowa, Ohio, North Dakota, Wisconsin), including customers numerous educational institutions, hospitals, government, food and fuel companies
- ALEXANDRIA HIGH SCHOOL – Alexandria, MN
- BALDINGER BAKERY – St. Paul, MN
- CINCINNATI CHILDREN’S HOSPITAL MEDICAL CENTER CRITICAL CARE TOWER – Cincinnati, OH
- COLLEGE OF ST. BENEDICT – St. Joseph, MN
- COMMONWEALTH OF KENTUCKY TRANSPORTATION CABINET OFFICE BUILDING – Frankfort, KY
- DAKOTA SPIRIT ETHANOL PLANT – Spiritwood, ND
- INDIANA UNIVERSITY HEALTH MEDICAL CENTER – Indianapolis, IN
- IOWA STATE UNIVERSITY BIOSCIENCES FACILITY – Ames, IA
- MAYO CLINIC INTEGRATED EDUCATION AND RESEARCH – Phoenix, AZ
- MINNEAPOLIS CITY HALL & HENNEPIN COUNTY COURTHOUSE – Minneapolis, MN
- NAVY FEDERAL CREDIT UNION – Pensacola, FL
- NORTH DAKOTA STATE UNIVERSITY – Fargo, ND
- NORTH MEMORIAL MEDICAL CENTER – Robbinsdale, MN
- NORTHEAST METRO QUORA EDUCATION CENTER – Little Canada, MN
- NORTHERN ARIZONA UNIVERSITY – Flagstaff, AZ
- PARK NICOLLET HEALTH – Twin Cities, MN
- ROSEVILLE SCHOOLS – Roseville, MN
- SCHEELS NEW STORE – Lincoln, NE
- ST. CLOUD ORTHOPEDIC CENTER – St. Cloud, MN
- THE CHRIST HOSPITAL JOINT AND SPINE CENTER – Cincinnati, OH
- RUSH HUDSON LIMBAUGH SR. U.S. COURTHOUSE – Cape Giradeau, MO
- WARREN E. BURGER FEDERAL BUILDING AND U.S. COURTHOUSE – St. Paul, MN
- UNIVERSITY OF LOUISVILLE CLINICAL AND TRANSLATIONAL RESEARCH BUILDING – Louisville, KY
- UNIVERSITY OF NOTRE DAME – South Bend, IN
- UNIVERSITY OF WISCONSIN – LaCrosse, WI
- WACONIA HIGH SCHOOL – Waconia, MN
- WACONIA LAKETOWN ELEMENTARY – Waconia, MN
- WADENA-DEER CREEK HIGH SCHOOL – Wadena, MN
During the negotiation on the ransom price the KFI negotiator asks the cybercriminals for a decryptor for their encrypted data, Black Basta replies that there is a price to pay to get back 1.1Tb of exfiltrated data from their servers with the guarantee that all data on Windows and Esxi machines will be decrypted
We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We’ve downloaded over 1.1Tb of a sensitive information and data from your network.
Check your page in our blog. Right now we’re keeping it secret. However, if we don’t come to an agreement within 10 days, it’ll be posted on our news board. We will let everyone who wants to connect to your network and get all the necessary data from your. Decryption price is $600,000. In case of successful negotiations we guarantee you will get:
1) Decryptor for all your Windows and Esxi machines;
2) Non recoverable removal of all downloaded data from our side;
3) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.
Hope you can correctly assess the risks for your company.
In the evening the KFI negotiator responds
Ok let me get with my team, be back soon
Negotiations resume and KFI offers Black Basta the payment at a ten times smaller amount, the ransomware group declines the offer re-proposing the initial one of $600k
hello your initial demand is bold, but this is way much for what we will pay for a decryptor. I was thinking more $60,000 for what I need a decryptor for.
You can think what you want, but our price is $600k.
The chat between the two continues with a succession of counter-offers from the American company’s negotiator and Black Basta’s repeated refusal, until KFI offers $295k to close the deal. The group asks for time by reappearing in the chat after about an hour and sets the ransom price at $300k, also indicating the BTC wallet into which to pay the sum, it was an empty BTC wallet and not yet used by Black Basta. The KFI negotiator accepts the price.
If we can be around $295K lets get this deal done this week
We will discuss this. We will give the answer very soon$300k and we conclude a deal. We accept the payment in the bitcoin cryptocurrency. Our wallet is bc[REDACTED]30
OK lets make that agreement
KFI sends a message in the chat listing the steps that must be respected by both before being able to move on to the payment phase
I agree to pay $300,000 to BTC wallet bc[REDACTED]30 in exchange for a decryptor that will restore all my data and provide tech support if the decryptor does not work as claimed by you. You also delete all the data your stole from me and provide proof if possible. You will also not reattack us and tell us how you accessed our network so we can close that holeDo you agree?
Black Basta accepts the conditions
Yes, agree.
It will be a few days before $300k reaches the cybercriminals. On February 11, a few days after the agreement, 13.86681596 BTC were transferred from KFI to Black Basta’s account. After two hours the group of cybercriminals will empty the BTC wallet by sending the largest part (10.86676800 BTC = 235,189.45 USD) to another wallet (bc[REDACTED]5l) and then empty it too by sending virtual money to two other wallets
bc[REDACTED]sf 4.14938316 BTC = 89,805.10 USD
bc[REDACTED]wl 6.71682754 BTC = 145,372.30 USD
This latest BTC wallet caught our attention, but more on that later.
After paying the ransom, Black Basta uploaded in the chat the two decryptors for the windows and linux machines infected by the ransomware, the procedures for their use and the tree of exfiltrated files they claimed to have deleted.
The remove_KFIENG.txt file (497289 lines of text) contains the list of deleted documents, file names attributable to confidential e-mail messages, scans of documents in .PDF format, calculation files with names of people who have worked or collaborated at KFI Engineers
…/Summary Sheets/Terminated Employees/C[Edited], G[Edited].xls
…/Summary Sheets/Terminated Employees/G[Edited], J[Edited].xls
[…]
a lot of documentation of the entities for which the KFI has entered into agreements for the renovation, maintenance or construction works
- removed ‘/home/ftp_white/KFIENG/ProjectsVol2/2022/22-0036.00 – SDSP Greenfield Plant FEL2 Preliminary E/Drawings/Plot Files/Gar/Working File/22.04.20 Utility Bldg and Extraction GA’s/22-0036 – GAR-4100 Rev A.pdf’
- removed directory ‘/home/ftp_white/KFIENG/ProjectsVol2/2021/21-0034.00 – Park Nicollet Clinic Sites Facility Cond/Photos/3900 Building Clinic St. Louis Park/2021-02-09/Med Gas Room’
- removed ‘/home/ftp_white/KFIENG/HumanResources/DISABILITY INSURANCE WITH NORTHWESTERN/Tag [REDACTED] Claim Information/9-22-16 Email from [REDACTED] transmitting Tag’s Info to Group Benefits.pdf’
- removed ‘/home/ftp_white/KFIENG/Clients/California Schools/Filter_Info/Palm Springs/DSMS/04-108970 Portables/ROOF DETAILS_v1_0.jpg’
- removed ‘/home/ftp_white/KFIENG/HumanResources/BOARD OF DIRECTORS/[REDACTED]‘ Resignation Letter.doc’
They declared that they had managed to enter the corporate IT network through a phishing email that contained an infected attachment, then they listed which prevention and security procedures KFI had to adopt in the future
Security report and recommendation: Your network has been compromised by mailing of messages to the emails with malicious attachments. One of the users launched malware. To avoid this in the future, give you recommendations of network protection:1. Use sandbox to analyze the contents of letters and their attachments.2. Use the password security policies3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.6. Block kerberoasting attacks7. Conduct full penetrations tests and audit8. Use and update Anti-virus/anti-malware and malicious traffic detection software9. Configure group policies, disable the default administrators accounts, create new accounts.10. Backups. You must have offline backups, does not have access to the network.
Before the publication of this article, we contacted KFI Engineers via email, asking for their statement on the matter. To date, SuspectFile.com has not received a response from the Minnesota firm.
As we anticipated, during our research we were intrigued by a BTC Black Basta wallet in particular, the bc[REDACTED]wl account where the largest part of the ransom paid by KFI had been paid.
We have discovered some interesting things that should make it clear once again, where there is still a need, that paying a ransom to groups of cybercriminals not only does not give any certainty as to the actual destruction or reuse of the stolen data, but also gives money to the ransomware group on duty only fuels cybercrime.
Regarding that BTC wallet we discovered that three days later, on February 14, the same account received two more transactions in its favor, one of 4.50187633 BTC = 98,158.91 USD and a second one of 27.65000000 BTC = 603,184.75 USD, finding that as of the date of As of February 14, more than 840,000.00 USD had passed through that account
We then opened the list of all past transactions for that wallet (10 in total of which 2 outgoing) bc[REDACTED]as discovering that the wallet was already open on January 17, 2023 and that 900.08000000 BTC had been deposited on the same day = 19,032,192.00 USD
The account remained at a standstill until February 6 when the same amount was sent to two other wallets, about 850 BTC to the first and 50 BTC to the second, but what is impressive is the amount of the total amount in the account bc[ REDACTED]as were deposited, a whopping 1,591.73534383 BTC = 34,120,235.35 USD.
There is currently over $7.1M in the account after 1,300.08 BTC over $29.5M was transferred to other wallets.
From these figures we can therefore realize how high the volume of business revolves around this world of extortionists and why paying a ransom is never the right thing to do.
From the research carried out by SuspectFile, it would appear that in December 2021 KFI Engineers suffered another cyber attack, the BlackByte ransomware group entering the IT systems of the Minnesota company.
Note added on February 21, 2023 at 1:31 pm
The news is reported by the website Breachsense https://www.breachsense.io/breaches/kfi-eng-com/
Through an email we sent a confirmation request to BlackByte, we will update the article in case of news on the case.