Black Basta, Cactus Ransomware Actors Evolve Tactics Amid Surge in Spam-Fueled Attacks
Covering incident response (IR) trends for the first quarter of 2025, Cisco Talos reveals shifts in initial access, a continued rise in ransomware activity, and persistent security gaps. "Threat actors used phishing to achieve initial access in 50 percent of engagements, a notable increase from less than 10 percent last quarter. Vishing was the most common type of phishing attack seen, accounting for over 60 percent of all phishing engagements, though we also observed malicious attachment, malicious link and business email compromise (BEC) attacks," reports Cisco Talos. Cisco Talos also highlights a concerning trend in which phishing campaigns increasingly aim to capture not just credentials but also multi-factor authentication (MFA) session tokens. Meanwhile, ransomware and pre-ransomware incidents collectively made up over half of the engagements tracked, rising from nearly 30% in the previous quarter. Construction and manufacturing sectors were involved in roughly 60% of ransomware events, while the most impacted verticals overall for the quarter were manufacturing, healthcare, retail, and construction.
Cisco Talos reported a prominent attack chain in which actors leveraged spam floods to manufacture technical issues as a cover for social engineering. Use of this technique is corroborated by Black Basta chat leaks and by campaigns in October 2024, when operators were distributing DarkGate malware. After flooding inboxes with benign spam, adversaries contacted users via Microsoft Teams and prompted them to initiate Microsoft Quick Assist sessions. Once remote access was established, attackers conducted reconnaissance, established persistence through the creation of a TitanPlus registry key, and modified system defenses using the "net.exe" utility. Privilege escalation and lateral movement quickly followed, culminating in the deployment of Black Basta ransomware. Following public exposure, the threat actors pivoted to Cactus ransomware, demonstrating agility in their tactics, techniques, and procedures (TTPs). Cisco Talos warns that this adaptability suggests attackers will likely continue refining their methods to evade detection. In addition, the emergence of Crytox ransomware during engagements points to the continued expansion of ransomware threats, with Crytox actors leveraging HRSword to disable endpoint detection and response (EDR) protections.
Cisco Talos stresses that early engagement and rapid identification of known attacker TTPs were pivotal in thwarting many ransomware incidents before encryption could occur. Notable defensive successes stemmed from recognizing warning signs such as floods of spam email, unauthorized remote access attempts, and suspicious file executions. Specific TTPs included disabling the Volume Shadow Copy Service (VSS) and deploying vulnerable drivers through local accounts. Cisco Talos also noted that a significant portion of compromises originated from weaknesses in MFA implementation, including misconfiguration and the absence of monitoring for MFA bypass attempts. These observations reinforce the urgent need for organizations to strengthen MFA enforcement, monitor for the addition of unauthorized MFA devices, and educate users to better recognize and respond to social engineering attacks.
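The two preceding paragraphs describe a chain (spam flood, then a Quick Assist session, then defense tampering such as stopping the Volume Shadow Copy Service with net.exe) and the warning signs defenders used to catch it early. As an added illustration, not code from Cisco Talos or from the report, the following Python script runs two simple detectors over constructed sample telemetry: a per-recipient inbound-mail burst detector, and a per-host correlation that flags VSS tampering occurring shortly after a remote-assistance process starts. The log formats, hostnames, user names, file paths, timestamps and the threshold values are all assumptions made for this example.

```python
"""Detect the warning signs of the spam-flood / Quick Assist / VSS-tampering chain.

Constructed sample telemetry (not real data):
  MAIL_LOG    - mail-gateway lines: "<ISO timestamp> <recipient> <sender>"
  PROCESS_LOG - endpoint process-creation lines: "<ISO timestamp>|<host>|<user>|<image>|<cmdline>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: tune both to the organisation's normal mail volume per user.
FLOOD_THRESHOLD = 20
FLOOD_WINDOW = timedelta(minutes=10)

# Constructed: 25 bulk messages to one user at 30-second intervals, plus one normal message.
MAIL_LOG = [
    f"2025-02-03T09:{i // 2:02d}:{(i % 2) * 30:02d}Z alice@corp.example list{i}@bulk.example"
    for i in range(25)
] + ["2025-02-03T09:15:00Z bob@corp.example hr@corp.example"]

# Constructed: a remote-assistance session followed by VSS tampering on one host,
# and an unrelated service stop on another host (should not alert).
PROCESS_LOG = [
    "2025-02-03T09:20:11Z|WS-0451|alice|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2025-02-03T09:21:05Z|WS-0451|alice|C:\\Program Files\\WindowsApps\\QuickAssist.exe|QuickAssist.exe",
    "2025-02-03T09:26:40Z|WS-0451|alice|C:\\Windows\\System32\\net.exe|net stop vss",
    "2025-02-03T09:27:02Z|WS-0451|alice|C:\\Windows\\System32\\sc.exe|sc config vss start= disabled",
    "2025-02-03T10:02:00Z|WS-0099|carol|C:\\Windows\\System32\\net.exe|net stop spooler",
]

# (tool executable, verb, service) triples treated as VSS tampering.
VSS_TAMPER = (("net.exe", "stop", "vss"), ("sc.exe", "config", "vss"), ("sc.exe", "stop", "vss"))


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def spam_flood(lines, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Return {recipient: start_of_burst} for recipients that received >= threshold
    messages inside a sliding window. Lines are sorted first (ISO timestamps sort
    lexicographically), and a deque per recipient holds timestamps inside the window."""
    recent = defaultdict(deque)
    flooded = {}
    for line in sorted(lines):
        ts_s, rcpt, _sender = line.split()
        ts = _ts(ts_s)
        q = recent[rcpt]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and rcpt not in flooded:
            flooded[rcpt] = q[0]       # earliest message of the burst
    return flooded


def is_vss_tamper(image: str, cmdline: str) -> bool:
    """True when the process is net.exe/sc.exe stopping or reconfiguring the VSS service."""
    exe = image.rsplit("\\", 1)[-1].lower()
    words = cmdline.lower().split()
    return any(exe == tool and verb in words and svc in words for tool, verb, svc in VSS_TAMPER)


def quick_assist_then_vss_tamper(lines, max_gap=timedelta(hours=2)):
    """Per host, flag VSS tampering that happens within max_gap after QuickAssist.exe
    starts. Returns a list of (host, user, cmdline) alerts."""
    assist_start = {}
    alerts = []
    for line in sorted(lines):
        ts_s, host, user, image, cmdline = line.split("|", 4)
        ts = _ts(ts_s)
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "quickassist.exe":
            assist_start[host] = ts
        elif is_vss_tamper(image, cmdline):
            started = assist_start.get(host)
            if started is not None and ts - started <= max_gap:
                alerts.append((host, user, cmdline))
    return alerts


if __name__ == "__main__":
    for rcpt, start in spam_flood(MAIL_LOG).items():
        print(f"mail flood: {rcpt} from {start.isoformat()}")
    for host, user, cmd in quick_assist_then_vss_tamper(PROCESS_LOG):
        print(f"VSS tampering after remote assistance: {host} {user}: {cmd}")
```

The mail detector fires on alice's burst (21 messages inside the first ten minutes) and stays silent for bob; the process detector raises two alerts for WS-0451 and ignores the spooler stop on WS-0099. In a real deployment the same correlation would key on the help-desk's own remote-support tooling and on the organisation's baseline mail volume rather than the constants above.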
Among the most critical recommendations from Cisco Talos for improving defenses are properly configuring and enforcing MFA across all critical services, supporting user education efforts to counter phishing and vishing attacks, and protecting endpoint security solutions from tampering. Approximately half of engagements observed this quarter involved social engineering as a contributing factor, pointing to a need for continuous user training programs.