Black Basta ransomware gang hit BT Group

The Conferencing division of BT Group (formerly British Telecom) shut down some of its servers following a Black Basta ransomware attack.

British multinational telecommunications holding company BT Group (formerly British Telecom) announced it has shut down some of its servers following a Black Basta ransomware attack.

“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated,” a company spokesman told BleepingComputer.

BT Group operates in 180 countries; the company leads in UK fixed-line, broadband, mobile, TV, and IT services. The attack did not impact live BT Conferencing services.

“The impacted servers do not support live BT Conferencing services, which remain fully operational, and no other BT Group or customer services have been affected,” a spokesperson told Recorded Future News.

“We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response.”

At this time, it is unclear if threat actors have stolen data from the telecommunications giant.

The Black Basta ransomware gang added BT Group to the list of victims on its Tor leak site. The group claimed to have stolen 500GB of data, including financial data, organisation data, user data and personal documents, NDAs, confidential data, and more.

As proof of the data breach, the group published multiple screenshots, including pictures of passports and other documents.

In May, the FBI, CISA, HHS, and MS-ISAC issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative.

Black Basta has targeted at least 12 critical infrastructure sectors, including Healthcare and Public Health. The alert provides Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) obtained from law enforcement investigations and reports from third-party security firms.

Black Basta ransomware-as-a-service (RaaS) has been active since April 2022 and has impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. As of May 2024, Black Basta has impacted over 500 organizations worldwide.

“Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia,” reads the CSA.

In December 2023, Elliptic and Corvus Insurance published joint research revealing that the group had accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.

By analyzing blockchain transactions, the researchers discovered a clear link between Black Basta and the Conti Group.

In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)