Summary:
The Blackbasta ransomware gang has listed Atlas to its data leak list, one of the largest national distributors of fuel to 49 continental US States with over 1 billion gallons per year. Based on the listing, the actors claimed to have stolen 730GB of data from the oil giant, including corporate, department, user, and employee data. As proof of the breach, the ransomware gang has posted sample screenshots of the data stolen which looks like ID cards, data sheets, payroll payment requesters, as well as a folder exfiltrated from a targeted system.

Security Officer Comments:
Blackbasta has added a timer on the listing to specify the amount of time that Atlas has to contact the actors and pay the ransom demanded. The oil company has yet to release an official notice so it’s unclear if the claims are true. The full extent of the alleged stolen data is expected to be released once the timer runs out, which is in approximately 5 days as of writing.

Suggested Corrections:
The development comes after CISA released an advisory on Blackbasta, noting that the group has impacted over 500 organizations globally as of May 2024, which range of businesses and critical infrastructure entities in North America, Europe, and Australia. The latest attack against Atlas indicates a continuation of Blackbasta efforts to go after critical infrastructure, highlighting the need for organizations to remain vigilant and secure their defenses accordingly. CISA’s advisory contains a handful of pertinent TTPS, IOCs, and best practices that organizations can defer to defend against Blackbasta infections. In general, CISA recommends installing updates for operating systems, software, and firmware as soon as they are released, implementing MFA for the various services in use, and training users on the different types of attack vectors such as phishing which can be used to gain initial access.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

Link(s):
https://securityaffairs.com/163489/cyber-crime/blackbasta-claims-atlas-hack.html