On May 7, ABB was the victim of a cyber attack carried out by the Black Basta ransomware gang, a cybercriminal organization. The ransomware attack is understood to have hit ABB's Windows Active Directory, affecting hundreds of devices.
The attack reportedly disrupted the company's operations, delayed projects and affected factories. In response to the attack, ABB terminated VPN connections with customers to prevent the ransomware from spreading to other networks.
After first refusing to comment on the cyber attack, ABB sent BleepingComputer the following statement:
"ABB recently detected an IT security incident that directly affected certain locations and systems,"
"To address the situation, ABB has taken and will continue to take steps to contain the incident. The controls have caused some disruption to its operations, which the company is addressing. The vast majority of its systems and plants are now operational and ABB will continue to serve its customers in a safe manner."
"ABB will continue to work with its customers and partners to resolve this issue and minimize its impact."
The Black Basta ransomware gang launched its Ransomware-as-a-Service (RaaS) operation in April 2022 and quickly began focusing on corporate victims in double-extortion attacks.
By June 2022, Black Basta had partnered with the QakBot malware operation, which dropped Cobalt Strike on infected devices. Black Basta would then use Cobalt Strike to gain initial access to the corporate network and spread laterally to other devices.
Like other enterprise-targeting ransomware operations, Black Basta created a Linux encryptor to target VMware ESXi virtual machines running on Linux servers.
Researchers have also linked the ransomware gang to the FIN7 hacking group, a financially motivated cybercrime ring also known as Carbanak. Since its launch, the threat actors have been responsible for a number of attacks, including against the American Dental Association, Sobeys, Knauf and Canada Yellow Pages. The ransomware operation has also hit Capita, the UK's largest outsourcing company, and started leaking stolen data.