Threat Actor Profile
Description
"Black Basta" is a ransomware strain first observed in April 2022 that appears to have been in development since at least early February 2022. Given how quickly it amassed new victims and the style of its negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought its affiliates along.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (9)
AI Threat Intelligence Report
April 29, 2026 14:30 — Threat Intelligence Report: blackbasta
Automated AI-generated threat intelligence report for blackbasta.
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': '"Black Basta" is a new ransomware strain discovered during '
'April 2022 - looks in dev since at least early February 2022 '
'- and due to their ability to quickly amass new victims and '
'the style of their negotiations, this is likely not a new '
'operation but rather a rebrand of a previous top-tier '
'ransomware gang that brought along their affiliates.\n',
'firstseen': '2022-04-26T21:12:12.555173+00:00',
'group': 'blackbasta',
'has_negotiations': True,
'has_ransomnote': True,
'lastseen': '2025-01-11T11:23:24.949208+00:00',
'locations': [{'available': False,
'fqdn': 'bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion',
'slug': 'https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/',
'title': 'Chat Black Basta',
'type': 'Chat'},
{'available': False,
'fqdn': 'aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion',
'slug': 'https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/',
'title': 'Chat Black Basta',
'type': 'DLS'},
{'available': False,
'fqdn': 'stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion',
'slug': 'http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/',
'title': 'Black Basta Blog',
'type': 'DLS'}],
'negotiation_count': 5,
'ransomnotes_count': 5,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion',
'slug': 'https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/',
'title': 'Chat Black Basta',
'type': 'Chat'},
{'available': False,
'fqdn': 'aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion',
'slug': 'https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/',
'title': 'Chat Black Basta',
'type': 'DLS'},
{'available': False,
'fqdn': 'stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion',
'slug': 'http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/',
'title': 'Black Basta Blog',
'type': 'DLS'}],
'negotiation_count': 5,
'ransomnotes_count': 5,
'ransomware_live_group': 'blackbasta',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': ['Backstab (Process Explorer '
'driver)'],
'DiscoveryEnum': ['AdFind',
'Bloodhound',
'PowerView',
'PSNmap',
'SoftPerfect NetScan'],
'Exfiltration': ['Qaz[.]im', 'RClone'],
'LOLBAS': ['BITSAdmin',
'PsExec',
'Quick Assist'],
'Networking': [],
'Offsec': ['Brute Ratel C4',
'Cobalt Strike',
'Metasploit',
'PowerSploit'],
'RMM-Tools': ['AnyDesk',
'Atera',
'NetSupport',
'ScreenConnect',
'Splashtop',
'Supremo']},
'url': 'https://www.ransomware.live/group/blackbasta',
'victims': 523,
'vulnerabilities': [{'CVE': 'CVE-2024-1709 & '
'CVE-2024-1709',
'CVSS': 10.0,
'Product': 'ScreenConnect',
'Vendor': 'ConnectWise',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-37085 ("ESX '
'Admins")',
'CVSS': 6.8,
'Product': 'ESXi',
'Vendor': 'VMware',
'severity': 'MEDIUM'},
{'CVE': 'CVE-2024-26169',
'CVSS': 7.8,
'Product': 'Windows Error Reporting '
'Service',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2022-30190 ("Follina")',
'CVSS': 7.8,
'Product': 'MSDT',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2021-42278 & '
'CVE-2021-42287 ("NoPac")',
'CVSS': 7.5,
'Product': 'Active Directory',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2021-1675 & '
'CVE-2021-34527 '
'("PrintNightmare")',
'CVSS': 8.8,
'Product': 'Print Spooler',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2020-1472 ("ZeroLogon")',
'CVSS': 5.5,
'Product': 'NetLogon',
'Vendor': 'Windows',
'severity': 'MEDIUM'}]},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': ['Backstab (Process Explorer driver)'],
'DiscoveryEnum': ['AdFind',
'Bloodhound',
'PowerView',
'PSNmap',
'SoftPerfect NetScan'],
'Exfiltration': ['Qaz[.]im', 'RClone'],
'LOLBAS': ['BITSAdmin', 'PsExec', 'Quick Assist'],
'Networking': [],
'Offsec': ['Brute Ratel C4',
'Cobalt Strike',
'Metasploit',
'PowerSploit'],
'RMM-Tools': ['AnyDesk',
'Atera',
'NetSupport',
'ScreenConnect',
'Splashtop',
'Supremo']},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Victims receive spear '
'phishing emails with attached '
'malicious zip files - '
'typically password protected. '
'That contains malicious doc '
'including .doc, .pdf, .xls',
'technique_id': 'T1566.001',
'technique_name': 'Phishing: Spear phishing '
'Attachment'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Black Basta has installed and '
'used PsExec to execute '
'payloads on remote hosts.',
'technique_id': 'T1569.002',
'technique_name': 'System Services: Service '
'Execution'},
{'technique_details': 'Utilizes Invoke-TotalExec to '
'push out the ransomware '
'binary.',
'technique_id': 'T1047',
'technique_name': 'Windows Management '
'Instrumentation'},
{'technique_details': 'Black Basta has encoded '
'PowerShell scripts to '
'download additional scripts.',
'technique_id': 'T1059.001',
'technique_name': 'Command and Scripting '
'Interpreter: PowerShell'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Black Basta threat actors '
'created accounts with names '
'such as temp, r, or admin.',
'technique_id': 'T1136',
'technique_name': 'Create Account'},
{'technique_details': 'Added newly created accounts '
"to the administrators' group "
'to maintain elevated access.',
'technique_id': 'T1098',
'technique_name': 'Account Manipulation'},
{'technique_details': 'Creates benign-looking '
'services for the ransomware '
'binary.',
'technique_id': 'T1543.003',
'technique_name': 'Create or Modify System Process: '
'Windows Service'},
{'technique_details': 'Black Basta used Qakbot, '
'which has the ability to '
'exploit Windows 7 Calculator '
'to execute malicious '
'payloads.',
'technique_id': 'T1574.001',
'technique_name': 'Hijack Execution Flow: DLL '
'Search Order Hijacking'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'Black Basta can modify group '
'policy for privilege '
'escalation and defense '
'evasion.',
'technique_id': 'T1484.001',
'technique_name': 'Domain Policy Modification: '
'Group Policy Modification'},
{'technique_details': 'Black Basta used Qakbot, '
'which has the ability to '
'exploit Windows 7 Calculator '
'to execute malicious '
'payloads.',
'technique_id': 'T1574.001',
'technique_name': 'Hijack Execution Flow: DLL '
'Search Order Hijacking'},
{'technique_details': 'Creates benign-looking '
'services for the ransomware '
'binary.',
'technique_id': 'T1543.003',
'technique_name': 'Create or Modify System Process: '
'Windows Service'}]}],
'url': 'https://www.ransomware.live/group/blackbasta',
'victims': 523,
'vulnerabilities': [{'CVE': 'CVE-2024-1709 & CVE-2024-1709',
'CVSS': 10.0,
'Product': 'ScreenConnect',
'Vendor': 'ConnectWise',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-37085 ("ESX Admins")',
'CVSS': 6.8,
'Product': 'ESXi',
'Vendor': 'VMware',
'severity': 'MEDIUM'},
{'CVE': 'CVE-2024-26169',
'CVSS': 7.8,
'Product': 'Windows Error Reporting Service',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2022-30190 ("Follina")',
'CVSS': 7.8,
'Product': 'MSDT',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2021-42278 & CVE-2021-42287 ("NoPac")',
'CVSS': 7.5,
'Product': 'Active Directory',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2021-1675 & CVE-2021-34527 '
'("PrintNightmare")',
'CVSS': 8.8,
'Product': 'Print Spooler',
'Vendor': 'Windows',
'severity': 'HIGH'},
{'CVE': 'CVE-2020-1472 ("ZeroLogon")',
'CVSS': 5.5,
'Product': 'NetLogon',
'Vendor': 'Windows',
'severity': 'MEDIUM'}]}