Black Basta Ransomware Group
Actor Type | Criminal Group |
---|---|
Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. It quickly became one of the most active RaaS threat actors globally, conducting highly targeted attacks against organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand.
Black Basta employs a double extortion tactic: it encrypts critical data and vital servers, then threatens to publish sensitive information on its public leak site. The group’s core membership may have originated from the defunct Conti threat actor group, as evidenced by similarities in malware development, leak sites, and communication strategies.
Their attack arsenal includes tools like QakBot and exploits such as PrintNightmare. In early campaigns, they used spear-phishing for initial access and advertised that they were buying corporate network access. Their second-stage tactics involve acquiring Windows Domain credentials, lateral movement within networks, data theft, and ransomware deployment. They use Cobalt Strike and SystemBC for command and control, followed by Rclone for data exfiltration.
The encryption stage involves disabling antivirus products, executing an encryption payload via PowerShell, and deleting system shadow copies.
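The pre-encryption steps just described (defence impairment, shadow-copy deletion, a PowerShell-launched payload) are individually noisy but collectively distinctive. The following Python script is an added, defender-side example; it is not code from the original page or from any of the cited reports. It runs a small rule set over process-creation events and raises a host-level alert only when several of those steps occur on the same machine. The event format, host names, sample command lines, and rule set are all constructed for illustration; the regexes are coarse and map to technique IDs taken from the ATT&CK table on this page.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry) in a simplified
# "timestamp|host|user|parent_image|command_line" form. The command line is
# the last field and may itself contain '|' because parse_event splits at
# most four times.
SAMPLE_EVENTS = [
    "2024-05-01T02:10:03Z|ws01|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2024-05-01T02:11:45Z|srv02|CORP\\svc_backup|cmd.exe|net stop Spooler",
    "2024-05-01T02:12:07Z|srv02|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-05-01T02:12:09Z|srv02|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled no",
    "2024-05-01T02:12:20Z|srv02|CORP\\svc_backup|cmd.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-05-01T02:12:30Z|srv02|CORP\\svc_backup|cmd.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\run.ps1",
    "2024-05-01T02:15:00Z|ws04|CORP\\itops|cmd.exe|net stop Spooler",
]

# Hypothetical rule set: coarse, case-insensitive command-line patterns mapped
# to ATT&CK IDs from the technique table on this page.
RULES = [
    ("T1490", "Inhibit System Recovery",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no"
                r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562.001", "Disable or Modify Tools",
     re.compile(r"Set-MpPreference\s.*-Disable\w+\s+\$?true", re.I)),
    ("T1489", "Service Stop",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I)),
    ("T1059.001", "PowerShell",
     re.compile(r"powershell(\.exe)?\s.*(-enc(odedcommand)?\b|-nop\b|-e(p|xecutionpolicy)\s+bypass)", re.I)),
]


def parse_event(line):
    """Split one constructed event line into its five named fields."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def match_techniques(cmdline):
    """Return the ATT&CK IDs whose pattern matches this command line, in rule order."""
    return [tid for tid, _name, pat in RULES if pat.search(cmdline)]


def correlate(lines, min_techniques=2):
    """Collect matched technique IDs per host and return only hosts that show
    at least min_techniques distinct ones, each with its sorted ID list.
    A lone 'net stop' is routine admin noise; several of these steps on the
    same host is the pre-encryption pattern described above."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_host[ev["host"]].update(match_techniques(ev["cmdline"]))
    return {h: sorted(ids) for h, ids in per_host.items() if len(ids) >= min_techniques}


if __name__ == "__main__":
    names = {tid: name for tid, name, _ in RULES}
    for host, ids in correlate(SAMPLE_EVENTS).items():
        print(host, ", ".join(f"{t} ({names[t]})" for t in ids))
```

With the constructed events, only srv02 is reported; ws04's single service stop stays below the threshold. In production the same idea would be bounded by a time window and keyed on user or logon session as well as host, and the patterns would be tuned against the environment's own admin tooling.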
Black Basta Ransomware Group Threat Reports
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
References
https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/black-basta
https://medium.com/doublepulsar/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283
https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
https://www.trendmicro.com/vinfo/gb/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
https://cyware.com/resources/research-and-analysis/lets-talk-about-black-basta-ransomware-an-in-depth-analysis-7a19
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1489 | Service Stop | Impact |
T1082 | System Information Discovery | Discovery |
T1112 | Modify Registry | Defense Evasion |
T1569.002 | Service Execution | Execution |
T1218.010 | Regsvr32 | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1486 | Data Encrypted for Impact | Impact |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1136 | Create Account | Persistence |
T1566.001 | Spearphishing Attachment | Initial Access |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1047 | Windows Management Instrumentation | Execution |
T1219 | Remote Access Software | Command and Control |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1555 | Credentials from Password Stores | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1562.009 | Safe Mode Boot | Defense Evasion |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1490 | Inhibit System Recovery | Impact |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1016 | System Network Configuration Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1070.004 | File Deletion | Defense Evasion |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1018 | Remote System Discovery | Discovery |
T1083 | File and Directory Discovery | Discovery |
T1491 | Defacement | Impact |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1059.003 | Windows Command Shell | Execution |
T1003 | OS Credential Dumping | Credential Access |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1620 | Reflective Code Loading | Defense Evasion |
T1105 | Ingress Tool Transfer | Command and Control |
T1482 | Domain Trust Discovery | Discovery |
T1562 | Impair Defenses | Defense Evasion |
T1087 | Account Discovery | Discovery |
T1190 | Exploit Public-Facing Application | Initial Access |