Black Basta Ransomware Group
| Actor Type | Criminal Group |
|---|---|
Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. It quickly became one of the most active RaaS threat actors globally, targeting organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand with highly targeted attacks.
Black Basta employs a double extortion tactic - encrypting critical data and vital servers, before threatening to publish sensitive information on their public leak site. The group’s core membership may have originated from the defunct Conti threat actor group, evidenced by similarities in malware development, leak sites, and communication strategies.
Their attack arsenal includes tools like QakBot and exploits such as PrintNightmare. In early campaigns, they used spear-phishing for initial access and advertised that they were buying corporate network access. Their second-stage tactics involve acquiring Windows Domain credentials, moving laterally within networks, stealing data, and deploying ransomware. They use Cobalt Strike and SystemBC for command and control, followed by Rclone for data exfiltration.
The encryption stage involves disabling antivirus products, executing an encryption payload via PowerShell, and deleting system shadow copies.
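The three encryption-stage behaviours above (defence tampering, PowerShell execution, shadow copy deletion) are noisy on the endpoint and are the usual last chance to catch a deployment before files are encrypted. The following is an added detection example, not code from the page or from any vendor report it cites: it runs a small set of command-line rules over constructed process-creation records and raises a per-host alert when several high-severity hits cluster in a short window. The record format, host names and command lines are all constructed here, and the ATT&CK technique IDs in the rule names are the editor's own mapping, not one the page states.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (not from the page). Fields:
# timestamp | host | parent image | image | command line
SAMPLE_EVENTS = """\
2024-03-01T02:11:05Z | FS01 | cmd.exe | vssadmin.exe | vssadmin.exe delete shadows /all /quiet
2024-03-01T02:11:07Z | FS01 | cmd.exe | wmic.exe | wmic shadowcopy delete
2024-03-01T02:11:09Z | FS01 | cmd.exe | powershell.exe | powershell.exe -nop -w hidden -enc QQBBAEEA
2024-03-01T02:11:12Z | FS01 | powershell.exe | powershell.exe | Set-MpPreference -DisableRealtimeMonitoring $true
2024-03-01T02:12:00Z | WS07 | explorer.exe | vssadmin.exe | vssadmin.exe list shadows
2024-03-01T02:12:30Z | WS07 | explorer.exe | notepad.exe | notepad.exe notes.txt
"""

# (rule name, case-insensitive regex over the command line, severity).
# Technique IDs are an assumed mapping for illustration.
RULES = [
    ("T1490 shadow copy deletion (vssadmin)",
     r"vssadmin(\.exe)?\s+delete\s+shadows", "high"),
    ("T1490 shadow copy deletion (wmic)",
     r"wmic(\.exe)?\s+shadowcopy\s+delete", "high"),
    ("T1562.001 Defender real-time protection disabled",
     r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", "high"),
    ("T1059.001 hidden or encoded PowerShell",
     r"powershell(\.exe)?.*?(-enc\b|-encodedcommand\b|-w(indowstyle)?\s+hidden)", "medium"),
]


def parse_events(text):
    """Parse the pipe-separated records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = [p.strip() for p in line.split(" | ", 4)]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "image": image, "cmdline": cmdline,
        })
    return events


def match_rules(event):
    """Return [(rule name, severity)] for every rule the command line matches."""
    return [(name, sev) for name, pattern, sev in RULES
            if re.search(pattern, event["cmdline"], re.IGNORECASE)]


def correlate(events, window=timedelta(minutes=10), min_high=2):
    """Group hits per host; alert when distinct high-severity rules cluster in time.

    A single 'vssadmin list shadows' is benign admin activity and matches nothing;
    shadow deletion plus AV tampering on one host within the window is the
    precursor pattern worth paging on.
    """
    per_host = {}
    for ev in events:
        for name, sev in match_rules(ev):
            per_host.setdefault(ev["host"], []).append((ev["ts"], name, sev))

    summary = {}
    for host, hits in per_host.items():
        high = [(ts, name) for ts, name, sev in hits if sev == "high"]
        high_names = sorted({name for _, name in high})
        spread = (max(ts for ts, _ in high) - min(ts for ts, _ in high)) if high else timedelta(0)
        summary[host] = {
            "rules": sorted({name for _, name, _ in hits}),
            "high_rules": high_names,
            "alert": len(high_names) >= min_high and spread <= window,
        }
    return summary


if __name__ == "__main__":
    for host, info in correlate(parse_events(SAMPLE_EVENTS)).items():
        flag = "ALERT" if info["alert"] else "info"
        print(f"{flag:5} {host}: {', '.join(info['rules'])}")
```

The window-and-count correlation is what keeps this useful in practice: any one of these command lines appears in legitimate administration from time to time, but a host that deletes its shadow copies and disables real-time protection within minutes is almost always in the final stage of a ransomware deployment and should be isolated first and investigated second.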
Black Basta Ransomware Group Threat Reports
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
References
www.trendmicro.com: https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
cyware.com: https://cyware.com/resources/research-and-analysis/lets-talk-about-black-basta-ransomware-an-in-depth-analysis-7a19
unit42.paloaltonetworks.com: https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
www.blackberry.com: https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/black-basta
www.trendmicro.com: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
medium.com: https://medium.com/doublepulsar/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283
www.trendmicro.com: https://www.trendmicro.com/vinfo/gb/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.