BlackBasta
Black Basta is a ransomware group that launched in February 2022 and is described in the content as a successor to the Conti ransomware gang. It operated a closed ransomware-as-a-service model and was one of the most active ransomware groups until it collapsed in February 2025, after its internal chat logs were leaked publicly online. The leaks exposed internal operational discussions, negotiation transcripts, and communications with victims, giving insight into the group's inner workings.

The group is associated with double extortion: data theft, encryption, and a dark web leak site used to pressure victims. The content notes that Black Basta encrypted data and defaced victim systems to maximize impact, and that it added a Linux encryptor to its arsenal in 2022 as part of the broader trend of ransomware groups targeting Linux environments.

Black Basta is repeatedly linked in the content to social-engineering-heavy initial access tradecraft: spam bombing, Microsoft Teams impersonation of IT support, vishing, and abuse of Quick Assist to obtain remote access. Related reporting says Black Basta actors began researching vishing in fall 2023, purchased Microsoft Teams accounts, and tested the TeamsPhisher tool; the leaked chats include a full vishing script posted in May 2024. Microsoft tracked Storm-1811 as a financially motivated group known to deploy Black Basta and observed it abusing Teams and Quick Assist in 2024. BlueVoyant assessed a later campaign, which delivered A0Backdoor via signed MSI installers and DLL sideloading, as an evolution of Black Basta-associated TTPs after the group's dissolution.

The content also links Black Basta to tooling and malware including BackConnect malware, SystemBC, and GhostSocks. Trend Micro assessed Black Basta and Cactus to be the work of the same attack group, based on shared BackConnect malware and an intrusion strategy built on social engineering, Microsoft Teams, and Quick Assist. SystemBC usage is linked to Black Basta among other ransomware groups, and GhostSocks is described as a tool previously used by Black Basta that turns compromised systems into proxies.

The group has ties to later activity by former affiliates and associated clusters. The content states that former Black Basta initial access brokers continued conducting attacks after the group's collapse, stealing large amounts of data and selectively deploying Payouts King ransomware; Zscaler assessed Payouts King activity as likely tied to former Black Basta affiliates based on overlapping initial access methods. Sophos also states that 3AM has ties to Black Basta-affiliated actors involved in Microsoft Teams-based vishing activity tracked as STAC5777. The content further references links to former Black Basta affiliates in GOLD ENCOUNTER-related activity. Known aliases directly mentioned in the content for this actor are limited to BlackBasta / Black Basta.
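The initial access chain summarized above (spam bombing, then an IT-support impersonation over Microsoft Teams, then a Quick Assist session) is a sequence a SIEM can correlate per host. The following is an added example written for this page; it is not Mallory's code nor anything published by the vendors cited. The event schema, the field names (`kind`, `external_tenant`, `image`), the normalised image name `quickassist.exe`, and the thresholds are all assumptions about how such telemetry might be modelled, and the sample events are constructed.

```python
"""Correlate the spam-burst -> external Teams chat -> Quick Assist chain per host.

Added example for this page; event schema, field names and thresholds are
assumptions, and all sample telemetry below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for the example; tune to the environment.
EMAIL_BURST_COUNT = 50                  # inbound mails that count as a "bombing" burst
EMAIL_BURST_WINDOW = timedelta(minutes=10)
FOLLOW_ON_WINDOW = timedelta(hours=2)   # how long after the burst the later steps still count
QUICK_ASSIST_IMAGE = "quickassist.exe"  # assumed normalised image name of the Quick Assist client


def _t(s):
    return datetime.fromisoformat(s)


def find_email_burst(times):
    """Return the start of the first run of EMAIL_BURST_COUNT inbound mails that
    fit inside EMAIL_BURST_WINDOW, or None when no burst exists."""
    times = sorted(times)
    for i in range(len(times) - EMAIL_BURST_COUNT + 1):
        if times[i + EMAIL_BURST_COUNT - 1] - times[i] <= EMAIL_BURST_WINDOW:
            return times[i]
    return None


def correlate(events):
    """Group events per host and emit an alert when a spam burst is followed,
    within FOLLOW_ON_WINDOW, by a Teams chat from an external tenant and then a
    Quick Assist process start (high), or by the external chat alone (medium)."""
    per_host = defaultdict(lambda: defaultdict(list))
    for ev in events:
        per_host[ev["host"]][ev["kind"]].append(ev)

    alerts = []
    for host, kinds in per_host.items():
        burst_start = find_email_burst([_t(e["time"]) for e in kinds["inbound_email"]])
        if burst_start is None:
            continue
        deadline = burst_start + FOLLOW_ON_WINDOW
        ext_chats = sorted(
            _t(e["time"]) for e in kinds["teams_chat"]
            if e.get("external_tenant") and burst_start <= _t(e["time"]) <= deadline)
        if not ext_chats:
            continue
        qa_starts = sorted(
            _t(e["time"]) for e in kinds["process_start"]
            if e.get("image", "").lower() == QUICK_ASSIST_IMAGE
            and ext_chats[0] <= _t(e["time"]) <= deadline)
        alerts.append({
            "host": host,
            "severity": "high" if qa_starts else "medium",
            "burst_start": burst_start.isoformat(),
            "first_external_chat": ext_chats[0].isoformat(),
            "quick_assist_start": qa_starts[0].isoformat() if qa_starts else None,
        })
    return alerts


def build_sample_events():
    """Constructed telemetry: WS-042 shows the full chain; WS-007 shows only a
    Quick Assist session (ordinary help-desk use) and must not alert."""
    base = datetime(2024, 5, 6, 9, 0, 0)
    events = [{"host": "WS-042", "time": (base + timedelta(seconds=10 * i)).isoformat(),
               "kind": "inbound_email"} for i in range(80)]
    events += [
        {"host": "WS-042", "time": (base + timedelta(minutes=25)).isoformat(),
         "kind": "teams_chat", "external_tenant": True,
         "sender": "helpdesk@external-tenant.invalid"},   # constructed sender
        {"host": "WS-042", "time": (base + timedelta(minutes=33)).isoformat(),
         "kind": "process_start", "image": "QuickAssist.exe"},
        {"host": "WS-007", "time": (base + timedelta(minutes=40)).isoformat(),
         "kind": "process_start", "image": "QuickAssist.exe"},
        {"host": "WS-007", "time": (base + timedelta(minutes=41)).isoformat(),
         "kind": "inbound_email"},
    ]
    return events


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

The medium severity tier is deliberate: the external Teams contact after a mail flood is the step that distinguishes this playbook from ordinary noise, and it is visible before any remote-access tool is launched, so it is worth surfacing to an analyst even when the Quick Assist step has not (yet) occurred. Whether "external tenant" is available as a field depends on how Teams audit data is ingested.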
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Defunct ransomware group whose former affiliates are described as continuing operations under other banners, including alignment with Payouts King. The content notes similar attack patterns and social engineering playbooks between BlackBasta and Payouts King campaigns.
Ransomware group whose TTPs are described as continuing in related campaigns using Teams/Quick Assist social engineering and the A0Backdoor payload, despite the group's reported dissolution.
Referenced as the prior affiliate ecosystem linked to GOLD ENCOUNTER operators.
Former members associated with BlackBasta, specifically initial access brokers, are described as conducting new attacks involving large-scale data theft and selective deployment of Payouts King ransomware.