Black Basta
Black Basta is a ransomware family and the ransomware-as-a-service operation behind it, first reported as active in April 2022 and widely described in public reporting as a successor or spinoff of Conti. The operation reportedly collapsed in February 2025 after internal Matrix chat logs were leaked. Reporting has linked it to financially motivated actors including Storm-1811 and to activity clusters overlapping the Conti and Qakbot ecosystems; Microsoft reported that DEV-0506 deployed Black Basta part-time before the Conti shutdown and regularly afterwards. Black Basta affiliates have targeted organizations worldwide, with specific reporting noting impacts on healthcare and rapid deployment in some incidents.
The encryptor uses ChaCha20 for file contents; the per-file ChaCha20 key and nonce are encrypted with an RSA public key embedded in the binary (RSA-4096 in the public analyses that state a key size) and appended to the encrypted file. Files are encrypted fully or partially depending on their size, across multiple threads, and are commonly renamed with the .basta extension. Black Basta drops a readme.txt ransom note in each traversed directory, changed the desktop wallpaper in earlier variants, and registers a file association for the encrypted-file extension using an ICO file dropped in %Temp%. Public reporting describes a Tor leak site (Black Basta Blog, also called Basta News) and a negotiation portal (Chat Black Basta), consistent with a double-extortion model in which data is stolen before encryption and its publication is threatened if the victim does not pay.
Initial access and delivery vectors observed in public reporting include Qakbot infections, phishing, malicious Excel files, email attachments, and vulnerability exploitation; one incident began with a JSP web shell on an internet-facing ManageEngine server. Once inside, operators have pushed the payload through Group Policy Objects, used PowerShell scripts for discovery and to execute files over the network, used WMI for the same purpose, and queried Active Directory over LDAP to enumerate connected workstations. The encryptor requires administrative privileges in at least some analyzed samples, hijacks an existing Windows service (the Fax service in one analysis) to launch itself, and has been observed rebooting systems into Safe Mode with Networking before encrypting, a boot state in which most third-party services, including many security products, do not start.
Defense-evasion and impact behaviors described in the reporting include deletion of Volume Shadow Copies with vssadmin.exe, random calls to kernel32.Beep to hinder log analysis, and a digitally signed dropper using a certificate attributed to Akeo Consulting. Incidents involving Black Basta have also featured Cobalt Strike, Meterpreter, attempts to remove security tools, and remote administration tooling used by the associated operators. Reported indicators and artifacts include the .basta extension, the readme.txt ransom note, %Temp% files such as fkdjsadasd.ico and, in earlier variants, dlaksjdoiwq.jpg, a console window printing the text "ENCRYPTION", and the analyzed sample with SHA-256 ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
13 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Of the ransomware that was deployed in the incidents – Royal, Black Basta, and Hive... While some of the behaviors in the Black Basta attack... Initial access, in this case, came from a JSP web shell installed on an internet-facing ManageEngine server that had a vulnerability. | In January 2023, at around the same timeframe in which the attacks took place, ManageEngine’s publisher Zoho released a security advisory detailing CVE-2022-47966, an unauthenticated remote code execution vulnerability. In January 2023 there were also reports of attacks against this vulnerability.
A particularly effective technique CVE-2024-37085 allows any member of a specially named AD group to receive full administrative rights on the hypervisor without additional authentication. Ransomware operators simply create the “ESX Admins” group via net group commands and add their controlled account, granting instant ESXi admin access. | This method was observed in high-tempo operations linked to Medusa affiliates (Storm-1175) and has been adopted by multiple groups deploying Akira and Black Basta payloads.
"#StopRansomware: Black Basta" ... "Black Basta, a ransomware variant whose actors have encrypted and stolen data..."
"Black Basta ransomware emerged in April 2022..."
The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices.
CVE-2023-34992: phMonitor Service Command Injection
CVE-2024-23108: phMonitor Service Second-Order Command Injection
Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution... The vulnerability is tracked as CVE-2025-25256... may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
“The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which means that it fails to verify if a user has sufficient permissions before executing commands. This allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver.”
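The behaviors summarized at the top of this page (shadow-copy deletion, the Fax service hijack, the reboot into Safe Mode with Networking) and the "ESX Admins" group creation quoted above for CVE-2024-37085 all leave process command lines behind, which is where most environments can catch them before encryption starts. The following is an added example, not code from any vendor, researcher, or from Mallory: a small Python rule set run over constructed process-creation events (Sysmon EID 1 style, reduced to host, user and command line). The vssadmin command line is the one quoted in the Impact section; the bcdedit, sc.exe and reg.exe forms are assumptions about how an operator would stage the Safe Mode boot and the service hijack, and the hostnames, users and events are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: the fields of a Sysmon EID 1 or
    Windows 4688 event that matter here. Field names are this example's own."""
    host: str
    user: str
    command_line: str


# Command-line patterns. The vssadmin form is quoted on the page; the bcdedit,
# sc.exe and reg.exe forms are assumptions about how an operator would stage
# the Safe Mode reboot and the Fax service hijack, not observed command lines.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "safeboot_network": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+(\{[^}]+\}\s+)?safeboot\s+(network|minimal)", re.I),
    "fax_service_hijack": re.compile(
        r"\bsc(\.exe)?\s+config\s+Fax\s+binPath=", re.I),
    "fax_imagepath_registry": re.compile(
        r'\breg(\.exe)?\s+add\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\Fax\b', re.I),
    # CVE-2024-37085 abuse: any net group command touching the default
    # "ESX Admins" group name deserves a look, whatever the subcommand.
    "esx_admins_group": re.compile(
        r'\bnet1?(\.exe)?\s+group\s+"?ESX Admins"?', re.I),
}


def scan_events(events):
    """Return {host: {rule names that fired}} for every host with a hit."""
    hits = defaultdict(set)
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev.command_line):
                hits[ev.host].add(name)
    return dict(hits)


def staged_hosts(hits, threshold=2):
    """Hosts where at least `threshold` distinct behaviours fired. One hit
    (a lone vssadmin) is a lead; several together look like pre-encryption staging."""
    return sorted(host for host, rules in hits.items() if len(rules) >= threshold)


# Constructed sample events; nothing here is from a real incident.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\svc_backup",
              r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS01", "CORP\\svc_backup",
              r"bcdedit /set {default} safeboot network"),
    ProcEvent("WS01", "CORP\\svc_backup",
              r'sc config Fax binPath= "C:\Users\Public\fax.exe"'),
    ProcEvent("WS01", "CORP\\svc_backup",
              r"reg add HKLM\SYSTEM\CurrentControlSet\Services\Fax /v ImagePath "
              r"/t REG_EXPAND_SZ /d C:\Users\Public\fax.exe /f"),
    # Benign admin activity: listing, not deleting, shadow copies.
    ProcEvent("WS02", "CORP\\jdoe", r"vssadmin list shadows"),
    ProcEvent("DC01", "CORP\\jdoe", r'net group "ESX Admins" jdoe /add /domain'),
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for host, rules in sorted(hits.items()):
        print(f"{host}: {', '.join(sorted(rules))}")
    print("staged:", staged_hosts(hits))
```

The correlation step matters more than any single pattern: vssadmin and bcdedit both have legitimate administrative uses, but a host that deletes its shadow copies, reconfigures the Fax service and schedules a Safe Mode boot within one batch of events is almost certainly being staged for encryption, and the esx_admins_group rule on a domain controller is worth paging on alone because the default ESXi behaviour grants that group hypervisor admin rights.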
Groups observed using it
18 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Storm-1811, Microsoft’s analysts wrote, “is a financially motivated cybercriminal group known to deploy BlackBasta ransomware”...
This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.
For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly.
Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.
BlackBasta was one of the most active ransomware groups since it launched in February 2022 as a successor to the notorious Conti ransomware gang.
In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...
"In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments."
The Black Basta ransomware-as-a-service (RaaS) operation emerged in April 2022 and is believed to be responsible for at least 600 ransomware incidents, data theft, and extortion targeting large organizations worldwide.
“A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself… the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”
Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.
Early tactics in the attack align with those of “Storm-1811” (aka “STAC5777”), a threat group known to deploy “Black Basta” ransomware.
"...a financially motivated cluster Microsoft has linked to Black Basta ransomware operations."; "...eventually Black Basta ransomware."
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
last quarter featured a dominant voice phishing (vishing) campaign deploying Cactus and Black Basta ransomware that was significantly less present this quarter
Initial Access
3 techniques
Attackers leverage a variety of initial infection vectors to deliver Black Basta, such as Qakbot, phishing, vulnerability exploitation, and email attachments.
On 4 November last year, an external user signed into a customer environment under the display name “IT Support”... Within twenty-eight minutes they had opened a Quick Assist screen-share session against a target who believed he was speaking to colleagues.
Execution
5 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions. | APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
It will then hijack an existing Windows service and uses it to launch the ransomware encryptor executable. In our tests, the Windows Service that was hijacked was the 'Fax' service.
Agent Tesla can achieve persistence by modifying Registry key entries. Attor's dispatcher can modify the Run registry key. Kimsuky has also modified the registry entry for HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key for persistence with the name WindowsSecurityCheck. PLAINTEE uses reg add to add a Registry Run key for persistence.
Privilege Escalation
3 techniques
Black Basta has been observed spreading via Group Policy Objects (GPO).
It will then hijack an existing Windows service and uses it to launch the ransomware encryptor executable. In our tests, the Windows Service that was hijacked was the 'Fax' service.
Agent Tesla can achieve persistence by modifying Registry key entries. Attor's dispatcher can modify the Run registry key. Kimsuky has also modified the registry entry for HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key for persistence with the name WindowsSecurityCheck. PLAINTEE uses reg add to add a Registry Run key for persistence.
Stealth
3 techniques
the tenants they registered for the operation carried display names so generic that they passed unnoticed: ‘Help Desk’, ‘Help Desk IT’, ‘Help Desk Support’, ‘IT Support’.
Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.
The ransomware deletes all Volume Shadow Copies by running the “C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet” command.
Defense Impairment
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Black Basta has been observed spreading via Group Policy Objects (GPO).
The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery
4 techniques
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The malicious process starts enumerating the files on the drive.
FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used nltest.exe /dclist to retrieve a list of domain controllers.
Lateral Movement
2 techniques
The cloud and software giant’s threat intelligence team had already documented the same operators abusing the Quick Assist remote support tool since mid-April that year... Within twenty-eight minutes they had opened a Quick Assist screen-share session against a target
Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'
Collection
1 technique
Black Basta will steal corporate data and documents before encrypting a company's devices. This stolen data is then used in double-extortion attacks.
Command and Control
1 technique
Attackers leverage a variety of initial infection vectors to deliver Black Basta, such as Qakbot, phishing, vulnerability exploitation, and email attachments.
Impact
4 techniques
Each file that is not skipped by the previously mentioned exclusions is encrypted using the ChaCha20 cypher. ... Following successful encryption of a file, its extension is changed to .basta
These result in the deletion of shadow copies ensuring they cannot be used for recovery purposes. ... modified configurations for the Veeam backup jobs and deleted the backups of the hosted virtual machines.
In an earlier variant of Black Basta, a file named dlaksjdoiwq.jpg is created in the Temp directory populated with instructions from the attacker. The newly created image is set as the Desktop wallpaper.
The ransomware will now reboot the computer into Safe Mode with Networking, where the hijacked Windows service will start and automatically begin to encrypt the files on the device.
Other
2 techniques
file1.bat : a batch file designed to set up the system with autologon as the newly-created administrative user AdminBac, reboot into Safe Mode ... file2.bat : a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive
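The summary at the top of this page says the encryptor uses ChaCha20 and encrypts files fully or partially depending on their size, and the Impact section above quotes the .basta rename. Partial encryption is what makes a naive "is this file high-entropy?" sweep unreliable during response: a large file with encrypted stripes can average out to an unremarkable number. The following is an added example, not code from the page or from any analysis of the malware: a Python triage routine that computes Shannon entropy per fixed-size window so intermittently encrypted files still stand out, and ranks .basta-named files first. The samples are constructed in memory; the 1 KiB window, the 7.0 bits/byte threshold and the stripe layout of the partially encrypted sample are this example's own assumptions, not the malware's actual chunking, and the "ciphertext" is seeded pseudo-random bytes standing in for real ChaCha20 output.

```python
import math
import random
from collections import Counter

WINDOW = 1024        # bytes per entropy window (assumption, see lead-in)
HIGH_ENTROPY = 7.0   # bits/byte; text, XML and most database pages sit far below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = WINDOW):
    """Entropy of each consecutive `window`-sized slice of the file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(name: str, data: bytes) -> dict:
    """Label a file plaintext, fully or partially encrypted from its per-window
    entropy, and note whether it carries the .basta extension."""
    profile = entropy_profile(data)
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    if high == 0:
        state = "plaintext"
    elif high == len(profile):
        state = "fully_encrypted"
    else:
        state = "partially_encrypted"
    return {
        "name": name,
        "windows": len(profile),
        "high_entropy_windows": high,
        # Whole-file number kept for comparison: stripes get averaged into it.
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "state": state,
        "basta_extension": name.lower().endswith(".basta"),
    }


def triage(files: dict) -> list:
    """Classify every file; renamed and encrypted files sort to the front."""
    order = {"fully_encrypted": 0, "partially_encrypted": 1, "plaintext": 2}
    results = [classify(name, data) for name, data in files.items()]
    return sorted(results, key=lambda r: (not r["basta_extension"], order[r["state"]], r["name"]))


def build_samples() -> dict:
    """Constructed in-memory samples. 'Ciphertext' is seeded pseudo-random
    bytes standing in for stream-cipher output, so the run is deterministic."""
    rng = random.Random(20220401)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    text = (b"Board minutes: revenue, headcount and forecast discussed. " * 80)[:4096]
    # Stripe layout is this example's own: 1 KiB encrypted, 1 KiB untouched, repeated.
    partial = noise(1024) + text[1024:2048] + noise(1024) + text[3072:4096]
    return {
        "minutes.txt": text,
        "minutes.txt.basta": noise(4096),
        "inventory.mdf.basta": partial,
    }


if __name__ == "__main__":
    for r in triage(build_samples()):
        print(f"{r['name']:22} {r['state']:20} {r['high_entropy_windows']}/{r['windows']} "
              f"windows >= {HIGH_ENTROPY} bits, whole file {r['whole_file_entropy']}")
```

Two caveats when running this over a real share. Compressed and packed formats (zip, docx, jpg, pdf streams) are high-entropy before any ransomware touches them, so the entropy signal should be weighed together with the renamed extension, the presence of readme.txt in the same directory, and a missing or wrong file header; and the whole-file figure for the striped sample lands near the threshold depending on the stripe ratio, which is exactly why the per-window profile, not a single number, is what to key on.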
IOCs tracked for this family
26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
162 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family/group described as a successor to Conti. Former affiliates are linked to later activity involving other ransomware families including Cactus and Payouts King.
A ransomware family deployed by the financially motivated group Storm-1811. The article also references campaigns and TTPs associated with the BlackBasta ransomware gang.
A ransomware family referenced as part of the affiliate background of Devman’s operator.
A ransomware family/subgroup that emerged from the Conti breakup and rebranding of its members.