THREAT ACTOR: Black Basta
THREAT LEVEL: 5
EMERGENCE DATE: Apr 2022
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS

Operational overlaps with Conti and BlackMatter, with infrastructure and operational similarities suggesting shared resources or lineage. Leaked communications confirmed direct personnel connections to Conti Team 2, with key members operating simultaneously across multiple ransomware operations including BlackSuit and Royal.

Description

Black Basta emerged in April 2022 as an advanced Ransomware-as-a-Service (RaaS) operation employing double extortion tactics through file encryption and data exfiltration. Targeting healthcare, finance, and manufacturing sectors, the group executed numerous attacks across North America, Europe, and Australia using a closed affiliate model with stringent operational protocols. February 2025 leaked internal communications revealed the group's sophisticated operational structure, including call centers, victim research capabilities, and connections to disbanded Conti operations.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

The group operated as a RaaS provider, with infrastructure overseeing encryption processes and ransom negotiations while vetted affiliates deployed payloads within targeted networks. Technical analysis revealed the platform utilized a customized LockBit variant adapted for specific operational requirements, with clear lineage to the disbanded Conti operation.

February 2025 leaked internal communications exposed 197,000 chat messages from 80 chatrooms, revealing operational structures, Moscow-based offices, call center operations, and internal discord that contributed to reduced activity levels. The leak confirmed Russian-speaking membership with connections to high-level Russian officials providing law enforcement protection.

Current Status: Activity levels declined substantially in 2025, with the group attacking 165 organizations in 2022 but only 8 recorded victims in 2025. Chat leaks revealed operational discord and affiliate confidence issues contributing to reduced effectiveness. (Threat levels reflect their low and diminished activity level.)

Threat Level: 5

Origins and Methodology

Expertise drawn from established ransomware operations enabled rapid market penetration through a structured affiliate model. Cross-platform capabilities spanning Windows, Linux, and VMware ESXi environments demonstrated advanced development utilizing C++ for efficient code execution. Continuous refinement of techniques incorporated emerging vulnerabilities and evasion methods throughout the operational period.

Leaked communications revealed the group's polished operational approach with sophisticated victim research, coordinated phishing and malware campaigns, and dedicated support including call services, malware development, initial access brokers, crypters, and penetration testing teams.

What is the Evolution of Black Basta Ransomware?
1. Formation

Operational rigor and infrastructure complexity indicated experienced developers with backgrounds in prominent ransomware groups. Development evidence traced to February 2022, preceding public emergence by two months. Chat leaks confirmed the group maintained Moscow offices where developers, malware operators, and network intruders operated under senior management oversight.

2. Evolution

Encryption capabilities progressed from initial ChaCha20 with RSA-4096 to advanced variants incorporating XChaCha20 and elliptic curve cryptography. Platform expansions enabled targeting of ESXi hypervisors and Linux servers alongside traditional Windows environments. Internal communications revealed operational evolution driven by affiliate feedback and victim payment analytics.

3. Lineage/Connections

Technical connections manifested through shared infrastructure with Conti and BlackMatter operations, including overlapping C2 servers and similar encryption implementations. Chat leaks confirmed direct personnel overlap with Conti Team 2, with negotiator "tinker" acknowledging previous Conti roles and concurrent work as a Royal/BlackSuit negotiator. Key members maintained operational connections across multiple ransomware enterprises.

Which Unique Techniques Does Black Basta Use?

The group distinguishes itself through multi-platform targeting capabilities and refined operational security measures.

TECHNIQUE / DETAILS

Infection Vectors: Primary access leverages CVE-2024-1709 exploitation in ConnectWise ScreenConnect, RDP misconfigurations, and refined social engineering incorporating Microsoft Teams impersonation with voice phishing follow-ups. The group actively purchases compromised VPN credentials from Initial Access Brokers, utilizing T1190 external remote service exploitation and T1566 spear-phishing campaigns.

Target Selection: High-value sectors with operational dependencies and regulatory requirements remain primary targets across North America, Europe, and Australia. Geographic concentration reflects strategic focus on organizations within jurisdictions with established data protection regulations.

Operational Complexity: Multi-stage campaigns utilize custom malware tools for lateral movement and persistence while evading EDR solutions. The group exhibits advanced capabilities through multi-threaded encryption, BYOVD attacks to disable security tools, and refined privilege escalation techniques.

Key Features & Technical Details

The encryption scheme combines a stream cipher with asymmetric encryption, securing files against unauthorized decryption attempts.

FEATURE / DETAILS

Encryption Method: ChaCha20 and RSA algorithms, with XChaCha20 variants incorporating ECC. Files receive .basta extensions while vssadmin.exe deletes shadow copies.

File Extension: .basta

Ransom Note: readme.txt containing a unique victim identifier and Tor site access instructions

Double Extortion: Rclone and custom utilities exfiltrate sensitive data before encryption deployment

Communication Channels: Tor-based negotiations use unique victim identifiers for operational security

Deployment Speed: 24-hour encryption timeline following initial access

Payment Method: Bitcoin with occasional Monero acceptance

Operational Model: Closed RaaS model with vetted affiliate access

Activities

Black Basta targeted organizations across North America, Europe, and Australia, focusing on healthcare, financial services, and manufacturing sectors. The group attacked at least 165 organizations in 2022 but experienced significant operational decline to only 8 recorded victims in 2025. Chat message analysis revealed calculated victim selection based on regulatory exposure and operational criticality.

Which Industries Are Most Vulnerable to Black Basta?

Healthcare organizations faced heightened targeting due to patient safety implications and regulatory compliance requirements that amplified extortion leverage. Financial institutions attracted focus through their critical infrastructure status and regulatory oversight pressures. Manufacturing sectors experienced targeting through supply chain dependencies and operational continuity concerns.

Geographic focus spanned North America, Europe, and Australia, with victim selection driven by jurisdictional regulatory frameworks and payment capability assessments revealed in leaked communications.

Modus Operandi

Disciplined execution follows MITRE ATT&CK framework techniques across all operational phases:

T1190 exploitation of CVE-2024-1709, T1078 valid account compromise via RDP, T1566 spear-phishing campaigns targeting enterprise environments.

T1087 account discovery using AdFind, T1482 domain trust mapping with BloodHound, network scanning via SoftPerfect network scanner.

T1219 remote access through AnyDesk, Atera, NetSupport, ScreenConnect, Splashtop for persistent control.

T1562 impair defenses using Backstab, T1197 BITSAdmin for stealthy downloads, BYOVD techniques disabling security solutions.

T1003 Mimikatz deployment for LSASS dumping and credential harvesting across domain environments.

The group established C2 infrastructure through compromised web servers and cloud services, implementing HTTPS encryption for communication channels. Internal operations utilized Matrix servers across six domains for operational coordination. Key members employed multiple Tor layers, VPN connections, and disk encryption for operational security, though communication security ultimately failed with the February 2025 leak.

T1021 remote services through PsExec and RDP propagation across network segments.

T1048 exfiltration over C2 channel using Rclone to cloud storage providers before encryption deployment.

Registry modifications under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe maintaining access.

T1490 inhibit system recovery, operational disruption through encryption of critical systems and backup infrastructure.

T1486 data encryption with ChaCha20/RSA-4096 algorithms targeting business-critical files and databases.

Operations included dedicated call centers managed by senior members, with specialized negotiation teams handling victim communications. The group maintained sophisticated victim research capabilities to maximize pressure during ransom negotiations. Chat leaks revealed systematic approaches to victim psychology and regulatory compliance fears used to amplify extortion effectiveness.

T1070 indicator removal through log deletion and vssadmin.exe shadow copy destruction preventing recovery.
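As an added example (not from this profile and not Black Basta tooling), the following Python flags process-creation events that match behaviours listed above: vssadmin shadow copy deletion (T1490/T1070), rclone exfiltration (T1048), the WerFault.exe Image File Execution Options registry change, and AdFind/BloodHound discovery (T1087/T1482). The events are constructed samples in a simplified Sysmon/4688-like shape; the Id, Image and CommandLine field names and all paths are assumptions.

```python
"""Added example, not from the profile or any Black Basta tooling: flag
process-creation events that match behaviours from the modus operandi above."""
import re

# Each rule: (label, regex applied to the lowercased command line).
RULES = [
    ("T1490/T1070 shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1048 rclone exfiltration",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b")),
    ("IFEO WerFault.exe persistence",
     re.compile(r"image file execution options\\werfault\.exe")),
    ("T1087/T1482 AD discovery tooling",
     re.compile(r"\b(adfind(\.exe)?|bloodhound(\.exe)?)\b")),
]

def match_event(event):
    """Return the label of every rule the event's command line matches."""
    cmd = event.get("CommandLine", "").lower()
    return [label for label, rx in RULES if rx.search(cmd)]

def scan(events):
    """Return (event_id, label) pairs for every match, in input order."""
    return [(ev["Id"], label) for ev in events for label in match_event(ev)]

# Constructed sample events in a simplified Sysmon/4688-like shape;
# the Id, Image and CommandLine field names and all paths are placeholders.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Id": 2, "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance remote:bucket --transfers 16"},
    {"Id": 3, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion'
                    r'\Image File Execution Options\WerFault.exe" /v Debugger'
                    r" /t REG_SZ /d C:\Users\Public\svc.exe"},
    {"Id": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"Id": 5, "Image": r"C:\Tools\AdFind.exe",
     "CommandLine": "adfind.exe -f objectcategory=computer"},
]

if __name__ == "__main__":
    for event_id, label in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {label}")
```

Listing or enumerating shadow copies (for example `vssadmin list shadows`) is deliberately not flagged, so the rule stays quiet on routine backup administration.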

Indicators of Compromise (IOCs)

Key indicators help identify operations within networks, particularly specific file hashes, network infrastructure, and behavioral patterns.

INDICATOR / DETAILS

File Hashes: SHA256 hashes for the Windows and Linux ransomware variants (specific hashes vary by version); MD5 hashes for customized rclone.exe variants used for data exfiltration

IP Addresses: 66.249.66.18 (infrastructure node), 207.126.152.242 (backup infrastructure), 185.220.101.149 (Tor exit node), 5.181.159.48 (BackConnect infrastructure)

Domains/URLs: trailshop[.]net (Cobalt Strike infrastructure), realbumblebee[.]net (initial access infrastructure)

Registry Keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe (persistence mechanism)

File Extensions: .basta
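As an added example (not part of the profile), this Python refangs the network indicators listed above and looks them up in constructed DNS, proxy and firewall log lines. It goes slightly beyond the table by treating any subdomain of a listed domain as a hit; the log line formats and internal addresses are assumptions.

```python
"""Added example, not part of the profile: refang the defanged network
indicators listed above and look them up in constructed log lines."""
import re

# Indicators exactly as the profile lists them (domains defanged with [.]).
RAW_INDICATORS = {
    "trailshop[.]net": "Cobalt Strike infrastructure",
    "realbumblebee[.]net": "initial access infrastructure",
    "66.249.66.18": "infrastructure node",
    "207.126.152.242": "backup infrastructure",
    "185.220.101.149": "Tor exit node",
    "5.181.159.48": "BackConnect infrastructure",
}

def refang(value):
    """Turn the [.] and (.) defanging notations back into plain dots."""
    return value.replace("[.]", ".").replace("(.)", ".").lower()

INDICATORS = {refang(k): v for k, v in RAW_INDICATORS.items()}

# Pulls dotted tokens (IPv4 addresses and hostnames) out of a log line.
TOKEN_RX = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z0-9-]+")

def scan_line(line):
    """Return (indicator, description) for each listed IOC in the line.
    A hostname hits on the exact listed name or any subdomain of it."""
    hits = []
    for token in TOKEN_RX.findall(line):
        token = token.lower().strip(".")
        for ioc, desc in INDICATORS.items():
            if token == ioc or token.endswith("." + ioc):
                hits.append((ioc, desc))
    return hits

def scan(lines):
    """Return (line_number, indicator, description) triples for all hits."""
    return [(n, ioc, desc)
            for n, line in enumerate(lines, 1)
            for ioc, desc in scan_line(line)]

# Constructed sample log lines; timestamps and internal hosts are placeholders.
SAMPLE_LOG = [
    "2025-02-11T10:01:02Z dns client=10.0.4.22 query=cdn.trailshop.net type=A",
    "2025-02-11T10:01:03Z proxy client=10.0.4.22 dst=207.126.152.242:443 method=CONNECT",
    "2025-02-11T10:02:17Z dns client=10.0.4.23 query=updates.example.com type=A",
    "2025-02-11T10:05:40Z fw src=10.0.4.22 dst=185.220.101.149 dport=9001 action=allow",
]

if __name__ == "__main__":
    for n, ioc, desc in scan(SAMPLE_LOG):
        print(f"line {n}: {ioc} ({desc})")
```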

Exploits and Vulnerabilities

NAME / CVE / CVSS / DESCRIPTION

ConnectWise ScreenConnect: CVE-2024-1709 (CVSS 9.8), authentication bypass enabling RCE

Windows Error Reporting: CVE-2022-26169 (CVSS 7.8), LPE through WER service manipulation

ZeroLogon: CVE-2020-1472 (CVSS 10.0), Netlogon protocol flaw enabling DC compromise

PrintNightmare: CVE-2021-34527 (CVSS 8.8), Print Spooler service LPE/RCE

sAMAccountName spoofing: CVE-2021-42278 (CVSS 7.5), Kerberos PAC bypass for privilege escalation

KrbRelayUp: CVE-2021-42287 (CVSS 7.5), KDC impersonation through S4U2self abuse

CitrixBleed: CVE-2023-4966 (CVSS 9.4), NetScaler ADC/Gateway buffer overflow

Additional vectors include RDP misconfigurations, weak VPN implementations, and inadequate MFA deployment across Active Directory environments.