Black Basta
Black Basta is a ransomware-as-a-service (RaaS) operation that emerged in early 2022: samples date to February 2022 and the operation became publicly known in April 2022. Reporting in the provided content describes it as a successor or spinoff of Conti, with some assessments linking it to former Conti members and others assessing it is highly likely tied to FIN7. It reportedly breached more than 90 organizations by September 2022 and has targeted sectors including utilities, technology, financial, manufacturing, and construction. The operation supports both Windows and Linux targets and has used Linux encryptors alongside its Windows ones.
Observed initial access and delivery methods include malicious Excel files, macro-enabled Microsoft Office documents, ISO+LNK droppers, and .docx files exploiting CVE-2022-30190. Multiple sources in the content also associate Black Basta-related activity with social-engineering-heavy intrusion chains involving email bombing, Microsoft Teams impersonation of IT/help desk staff, and remote access via Microsoft Quick Assist or Teams screen control. Black Basta activity is also associated with QakBot/Qakbot as an initial access mechanism.
Post-compromise behavior described in the content includes creation of new Windows services for persistence, scheduled-task persistence via QakBot, use of WMI to execute files over the network, Active Directory and network reconnaissance with a uniquely obfuscated AdFind variant (AF.exe), SharpHound/BloodHound, SoftPerfect Network Scanner (netscan.exe), and WMI queries against SecurityCenter2 to enumerate security products. Reported privilege-escalation and lateral-movement tradecraft includes exploitation of ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287 and CVE-2021-42278), and PrintNightmare (CVE-2021-34527), plus PsExec-driven deployment across endpoints. Black Basta operators have used remote administration tools including NetSupport Manager, Splashtop, GoToAssist, Atera Agent, and SystemBC/Coroxy.
The malware and associated operators have been reported disabling or impairing defenses before encryption. Examples in the content include batch scripts such as SERVI.bat to kill services and processes, delete shadow copies, and disable security solutions; scripts named with the pattern ILUg69ql followed by a digit to disable Windows Defender; and a custom defense-impairment tool, WindefCheck.exe, that displayed a fake Windows Security interface while protections were disabled. Black Basta also uses intermittent encryption; for files larger than 4 KB, it encrypts 64-byte portions while skipping 128 bytes. It operates a double-extortion model and threatens to leak stolen data on its TOR-based Basta News site if victims do not pay.
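The intermittent-encryption layout described above (64 encrypted bytes, 128 skipped, only for files over 4 KB) leaves a measurable entropy stripe that forensic triage can look for. The following is an added example, not Black Basta code or Mallory's own tooling: it pools the 64-byte stripes and the 128-byte gaps from the head of a file and compares their entropies. It assumes the first encrypted portion starts at offset 0 (the page does not state where the pattern begins) and builds its own constructed samples with random bytes standing in for ciphertext.

```python
import math
import random

# Layout the page describes: files larger than 4 KB are encrypted in 64-byte
# portions, skipping 128 bytes between them, i.e. a 192-byte period.
# Assumption (not stated on the page): the first encrypted portion starts at offset 0.
ENC_LEN, SKIP_LEN, MIN_SIZE = 64, 128, 4096
PERIOD = ENC_LEN + SKIP_LEN

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def matches_intermittent_pattern(data: bytes, enc_min: float = 6.5,
                                 skip_max: float = 5.0, min_periods: int = 8) -> bool:
    """True when the 64-byte stripes look like ciphertext but the 128-byte gaps do not.

    Stripes are pooled before measuring: a single 64-byte slice can never exceed
    6 bits/byte of entropy, so it would look 'low' on its own."""
    if len(data) <= MIN_SIZE:
        return False                        # below the size at which the page says it applies
    periods = min(len(data) // PERIOD, 64)  # the head of the file is enough to decide
    if periods < min_periods:
        return False
    enc = b"".join(data[i * PERIOD:i * PERIOD + ENC_LEN] for i in range(periods))
    gap = b"".join(data[i * PERIOD + ENC_LEN:(i + 1) * PERIOD] for i in range(periods))
    return shannon_entropy(enc) >= enc_min and shannon_entropy(gap) <= skip_max

def build_samples(seed: int = 7):
    """Constructed inputs: a plain document, the same document with the 64/128
    stripe overwritten by random bytes (stand-in for ciphertext), and a fully
    random file. No real encryptor is involved."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue, costs, headcount and forecast notes. "
    plain = line * 188                                # 12032 bytes, well over 4 KB
    striped = bytearray(plain)
    for off in range(0, len(striped) - ENC_LEN + 1, PERIOD):
        striped[off:off + ENC_LEN] = rng.randbytes(ENC_LEN)
    full = rng.randbytes(len(plain))
    return plain, bytes(striped), full

if __name__ == "__main__":
    for label, blob in zip(("plain", "striped", "fully-random"), build_samples()):
        print(f"{label:13s} intermittent-pattern={matches_intermittent_pattern(blob)}")
```

A fully encrypted file fails the gap check by design, so this test separates the intermittent scheme from whole-file encryption rather than replacing a general high-entropy check.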
The content also references operational overlap or collaboration with other ransomware ecosystems. Trend Micro and Cisco Talos reporting cited here describe campaigns using Black Basta and later pivoting to Cactus while retaining similar TTPs, especially against manufacturing and construction organizations. Sophos and Red Canary reporting in the content note that Storm-1811/STAC5777 activity can culminate in attempted or potential Black Basta deployment. Trellix analysis of leaked Black Basta Matrix chats from September 2023 to September 2024 describes the operation as a mature criminal enterprise with Moscow offices, structured teams, use of ChatGPT for phishing and malware-development tasks, and use or rental of tooling including Pikabot, DarkGate, IcedID, LummaC2, and a custom framework called Breaker.
The provided content states that Black Basta’s internal Matrix chat logs, containing more than 200,000 messages, were leaked on Telegram on February 11, 2025 via the 'shopotbasta' channel. Subsequent reporting in the content says Black Basta collapsed in February 2025 after the leak, and S2W lists BlackBasta among groups that ceased operations or had leak sites taken down in H1 2025. The content further notes that former Black Basta affiliates reportedly continued under other banners, including Cactus and later Payouts King.
Notable indicators and artifacts directly mentioned in the content include the Basta News leak site; AF.exe; SERVI.bat; WindefCheck.exe; zero22.exe; zero.exe; spider.dll; RunTimeListen.exe; the administrator account 'Crackenn' with password '*aaa111Cracke'; and a BIRDDOG/SocksBot-related command-and-control IP of 45.67.229.148. The content also notes discussion of CVE-2024-3400 in leaked Black Basta chats.
Vulnerabilities exploited
14 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2024-3400 is a high severity vulnerability with a CVSS score of 10.0 in Palo Alto Networks PAN OS that allows arbitrary file creation and command injection. When chat logs from the Black Basta ransomware gang were leaked, messages sharing details about this vulnerability were actively posted in the leaked logs.
Beyond the reconnaissance stage, Black Basta attempts local and domain level privilege escalation through a variety of exploits. We have seen the use of ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278) and PrintNightmare (CVE-2021-34527). | Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022.
In one intrusion, we observed the Black Basta operator exploiting the PrintNightmare vulnerability and dropping spider.dll as the payload. | Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022.
Black Basta infections began with Qakbot delivered by email and macro-based MS Office documents, ISO+LNK droppers and .docx documents exploiting the MSDTC remote code execution vulnerability, CVE-2022-30190.
Of the ransomware that was deployed in the incidents – Royal, Black Basta, and Hive... While some of the behaviors in the Black Basta attack... Initial access, in this case, came from a JSP web shell installed on an internet-facing ManageEngine server that had a vulnerability. | In January 2023, at around the same timeframe in which the attacks took place, ManageEngine’s publisher Zoho released a security advisory detailing CVE-2022-47966, an unauthenticated remote code execution vulnerability. In January 2023 there were also reports of attacks against this vulnerability.
A particularly effective technique CVE-2024-37085 allows any member of a specially named AD group to receive full administrative rights on the hypervisor without additional authentication. Ransomware operators simply create the “ESX Admins” group via net group commands and add their controlled account, granting instant ESXi admin access. | This method was observed in high-tempo operations linked to Medusa affiliates (Storm-1175) and has been adopted by multiple groups deploying Akira and Black Basta payloads.
"#StopRansomware: Black Basta" ... "Black Basta, a ransomware variant whose actors have encrypted and stolen data..."
The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices.
CVE-2023-34992: phMonitor Service Command Injection
CVE-2024-23108: phMonitor Service Second-Order Command Injection
Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution... The vulnerability is tracked as CVE-2025-25256... may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
“The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which means that it fails to verify if a user has sufficient permissions before executing commands. This allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver.”
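The CVE-2024-37085 excerpt above gives a defender two concrete signals: a security group named “ESX Admins” being created or populated in Active Directory, and a `net group` command that names it. The following is an added example, not Mallory's own detection logic or any vendor rule: it triages constructed Windows Security event records (field names follow the Security log's EventData names) and flags group-lifecycle and process-creation events that touch that group.

```python
import re

# Windows Security event IDs: security-enabled group created / member added,
# for global (4727/4728), local (4731/4732) and universal (4754/4756) groups,
# plus process creation (4688) when command-line auditing is enabled.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
PROCESS_CREATED = 4688
# Group name the page's excerpt describes; matched case-insensitively.
WATCHED_GROUPS = {"esx admins"}
NET_GROUP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?esx admins"?', re.IGNORECASE)

def triage_esx_admins(events):
    """Return (time, kind, actor, detail) tuples for events touching the watched group."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        group = (ev.get("TargetUserName") or "").lower()
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and group in WATCHED_GROUPS:
            alerts.append((ev["TimeCreated"], "group-created", actor, ev["TargetUserName"]))
        elif eid in MEMBER_ADDED and group in WATCHED_GROUPS:
            alerts.append((ev["TimeCreated"], "member-added", actor, ev.get("MemberName", "?")))
        elif eid == PROCESS_CREATED and NET_GROUP_RE.search(ev.get("CommandLine", "")):
            alerts.append((ev["TimeCreated"], "net-group-cmd", actor, ev["CommandLine"]))
    return alerts

# Constructed sample records (not from any real incident).
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-01-10T02:11:03Z", "EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "ESX Admins" /domain /add'},
    {"TimeCreated": "2025-01-10T02:11:04Z", "EventID": 4727, "SubjectUserName": "svc_backup",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"TimeCreated": "2025-01-10T02:11:09Z", "EventID": 4728, "SubjectUserName": "svc_backup",
     "TargetUserName": "ESX Admins", "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=local"},
    {"TimeCreated": "2025-01-10T09:30:00Z", "EventID": 4727, "SubjectUserName": "hr_admin",
     "TargetUserName": "Payroll Reviewers", "TargetDomainName": "CORP"},   # benign
    {"TimeCreated": "2025-01-10T09:31:00Z", "EventID": 4688, "SubjectUserName": "hr_admin",
     "NewProcessName": r"C:\Windows\System32\net.exe", "CommandLine": "net group /domain"},
]

if __name__ == "__main__":
    for alert in triage_esx_admins(SAMPLE_EVENTS):
        print(*alert)
```

Because ESXi honours a configurable group name, extend WATCHED_GROUPS with whatever name the hypervisor's advanced settings actually use in your estate.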
Groups observed using it
18 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022.
Without prompt response, this activity can lead to Black Basta ransomware in your environment.
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.
For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly.
Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Initial Access
3 techniques
After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session...
Execution
6 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
YY later inquired if GG's suggestion was to rewrite C# in C#, revealing that Tramp instructed to rewrite the malware from C# to Python using ChatGPT.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions. | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
YY (coder of Black Basta) was instructed to rewrite the tools in Python as some of the gang’s malware got detected by AV/EDR. GG asked YY to use ChatGPT for that... Tramp instructed to rewrite the malware from C# to Python using ChatGPT.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.
Persistence
4 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
After a few days, the actors call the victim, usually via Microsoft Teams, and direct them to initiate a Microsoft Quick Assist remote access session...
Privilege Escalation
3 techniques
Black Basta has been observed spreading via Group Policy Objects (GPO).
Stealth
2 techniques
Defense Impairment
2 techniques
Discovery
4 techniques
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
2 techniques
Exfiltration
1 technique
Impact
2 techniques
The Black Basta group discovered that they had not encrypted the Ascension Healthcare data correctly due to a crypt error and decided to share the decryption key to avoid potential political sanctions and retaliation from US law enforcement against their infrastructure.
Other
3 techniques
Once a Quick Assist session is established, the adversary loads tooling to collect information about the target system and establish persistence... disable endpoint protections... Of note, we also observed the affiliates using HRSword to disable the target’s EDR solution.
file1.bat : a batch file designed to set up the system with autologon as the newly-created administrative user AdminBac, reboot into Safe Mode ... file2.bat : a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive
IOCs tracked for this family
51 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
178 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware group/family identified as one of the successor rebrands or splinter groups that emerged from Conti members after Conti disbanded.
Ransomware family/group described as a successor to Conti. Former affiliates are linked to later activity involving other ransomware families including Cactus and Payouts King.
A ransomware family deployed by the financially motivated group Storm-1811. The article also references campaigns and TTPs associated with the BlackBasta ransomware gang.
A ransomware-as-a-service operation discussed through leaked internal chats. The content describes Black Basta conducting ransomware and extortion operations, maintaining offices in Moscow, using AI to support operations, collaborating with other malware groups, using multiple loaders/stealers, and developing custom tooling and a possible successor ransomware.