Westlake Village, CA: BankCard USA surrenders and pays ransom

Yet another victim decides to pay the ransom demanded by a ransomware group: Black Basta adds another $50,000 in bitcoin to an account that already holds well over a million dollars.

After a negotiation that went on for over a month between Black Basta and a negotiator for the Californian company BankCard USA (BUSA), a provider of end-to-end electronic payment products and services to more than 100,000 American companies, the two sides agreed on a ransom of $50,000 in bitcoin: money in exchange for not disclosing the company data that the ransomware group exfiltrated during last June’s cyberattack.

During the negotiation, the BUSA negotiator asks for confirmation of the actual amount of data stolen from the company’s servers; Black Basta confirms that it is in possession of over 200 GB of sensitive and financial data not yet made public:

Hello. We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We’ve downloaded over 200GB of sensitive information and data from your network […]

Black Basta also provides the negotiator with the URL of its blog page, still secret at this point. It contains not only a description of the company but also a series of financial and judicial documents and, above all, copies of 4 passports as proof:

  • 2 Canadian citizens
  • 1 US citizen
  • 1 Hong Kong citizen
Screenshot and redaction by SuspectFile.com

Below are some of the documents uploaded to a hidden page of the Black Basta blog; the page was deleted after the ransom payment.

Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com

BUSA sends a message in the negotiation chat: it wants to verify whether what Black Basta said corresponds to reality and asks for further proof. A few minutes later the ransomware group posts in the chat a link to download the tree of the files in its possession: 34506 directories and 401356 files.

Screenshot and redaction by SuspectFile.com

After a few days of waiting, the BUSA negotiator requests the decryption of some documents and posts a list of 6 file names:

  • Energy Savers – [EDITED].pdf
  • [EDITED] Expenes January 2015.xls
  • [EDITED].com Periodic Review – Dec 2020.pdf
  • [EDITED] 2018 Ad Layout AgeChecker.png
  • Agent Agreement [EDITED].doc
  • 2023 Equip Pricing 2-1-23.xlsx

On July 3, the ransomware group provides the BUSA negotiator with the 6 decrypted files.

Screenshot and redaction by SuspectFile.com

On the night of July 6, the negotiator writes:

Hello – After speaking with my higher ups, they are concerned about the amount you are asking. We do not have half of a million dollars in available funding. Would you be able to work with us on the price?

Black Basta’s answer comes three hours later:

If you pay within 48 hours, we are ready to give you a 15% discount. Fast payment, big discount. Btc wallet: bc1qx[EDITED]

BUSA is determined to pay in order to prevent the financial documents and sensitive data from being made public, but offers Black Basta a price ten times lower:

Hello – After speaking with my boss and the higher-ups as they reviewed the available funding. They are wanting to offer you $42,500 to resolve this issue.

Black Basta is probably aware that it cannot get figures close to $500,000 and sets the ransom at a price ten times lower:

$50,000 is a good price for you. We are waiting for payment. A purse for payment: bc1qx[EDITED]
The BUSA negotiator then lists a series of guarantees that Black Basta will have to comply with:

1) Decryptor for all your Windows machines;
2) Non-recoverable removal of all downloaded data from our side with deletion log
3) No publication of any kind
4) No selling of our data
5) No giving our data away
6) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.
7) Guarantee BlackBasta will not attack our company again.

Some of the requests listed by the BUSA negotiator make us smile, precisely because Black Basta could disregard them just a second after receiving the ransom payment.
Among other things, point 3, “No publication of any kind”, is proof that Black Basta lied: if we are writing this article it is precisely because both the name of BankCard USA and some financial documents and passports have been public for over a month.
On the evening of July 25, BUSA sends 0.00001 BTC to a new Black Basta wallet as a test; the first payment is successful:
https://mempool.space/tx/f9[EDITED]
The balance of the payment is sent on July 26:
https://mempool.space/tx/61[EDITED]


Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com

At this point Black Basta uploads to the chat the log file concerning the deletion of the files exfiltrated from the servers of BankCard USA.

Screenshot and redaction by SuspectFile.com

The negotiator asks when BUSA will be able to get both the security report and the decryptor from Black Basta; these are the ransomware group’s answers:

Security report and recommendation: Your network has been compromised by the mailing of messages with malicious attachments to the emails. One of the users launched the malware. To avoid this in the future, we give you recommendations for network protection:
1. Use a sandbox to analyze the contents of letters and their attachments.
2. Use password security policies
3. Make protection from attacks like Pass-the-Hash and Pass-the-Ticket
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
5. Implement hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
6. Block kerberoasting attacks
7. Conduct full penetration tests and audit
8. Use and update anti-virus/anti-malware and malicious traffic detection software
9. Configure group policies, disable the default administrator accounts, create new accounts.
10. Backups. You must have offline backups that do not have access to the network.
We’ll send the decryption tools very soon.

A security report that, both in form and substance, we have seen repeated with other victims.
Paying in the hope that your name and your data will never be brought to light is pure utopia. SuspectFile.com had access to the chat from day one, and hundreds of other people were certainly able to follow the evolution of the negotiation live.
BankCard USA is nothing more than one of the latest victims to fall into the net of a group of cybercriminals whose main objective is to monetize their work, at any cost and by any means.

At this point we ask ourselves some questions: were the thousands of files that were (still are?) in the hands of Black Basta for over a month really deleted?
Has BankCard USA notified its customers, employees and the state of California of the massive loss of sensitive data?
Or do they think it’s enough to give in to blackmail and pay cybercriminals to hide all this?

SuspectFile.com will update the article in case of new developments.