Inactive ransomware operator
← All groupsBlack Basta
aka BlackBasta · 800 victims indexed · first seen 4 years ago · last activity 1 year ago
800
Victims indexed
#13 of 348 tracked operators
2y 9m
Active period
Apr 2022 → Jan 2025
10
Countries hit
top United States · 201
At a glance
- Status
- inactive
- Aliases
- BlackBasta
- First seen
- 4 years ago
- Last activity
- 1 year ago
- Onion sites
- 3 known endpoints
- Primary sector
- Business Services · 68 hits
About
Black Basta is a financially motivated ransomware group that emerged in April 2022 and has since compromised approximately 800 organizations worldwide. The group operates as a Ransomware-as-a-Service (RaaS) model with suspected ties to the now-defunct Conti ransomware operation, though their exact country of origin remains unconfirmed by law enforcement agencies. Black Basta primarily gains initial access through phishing campaigns, exploitation of known vulnerabilities, and credential stuffing attacks, subsequently deploying their custom ransomware that employs ChaCha20 encryption algorithm and employs double extortion tactics by exfiltrating sensitive data before encryption and threatening to publish it on their leak site if ransom demands are not met. The group has demonstrated a preference for targeting organizations in the United States, United Kingdom, Germany, Canada, and Italy, with a particular focus on business services, manufacturing, technology, healthcare, and agriculture sectors. Notable victims have included various healthcare systems and manufacturing companies, though specific ransom amounts and high-profile attacks have not been widely disclosed in public law enforcement advisories. As of 2024, Black Basta remains an active threat with continued operations and regular updates to their leak site indicating ongoing compromise activities.
References
23 linksExternal sources curated by the MISP threat-intel community.
- malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta
- bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/
- bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/
- trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html
- advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- securityintelligence.com/posts/black-basta-ransomware-group-besting-network/
- avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware
- research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
- gbhackers.com/black-basta-ransomware/
- trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html
- securelist.com/luna-black-basta-ransomware/106950/
- securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware
- unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/
- trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
- sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
- sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
- cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/
- blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
- ransomlook.io/group/blackbasta
- cisa.gov/news-events/cybersecurity-advisories/aa23-131a
Timeline
24 months2022-11-01T00:00:00+00:002025-01-01T00:00:00+00:00
Top countries
🇺🇸 United States
201
🇬🇧 United Kingdom
43
🇩🇪 Germany
42
🇨🇦 Canada
25
🇮🇹 Italy
20
🇨🇭 Switzerland
8
🇫🇷 France
8
🇳🇱 Netherlands
7
Top sectors
Business Services
68
Manufacturing
55
Technology
29
Agriculture and Food Production
15
Transportation/Logistics
14
Finance
13
Healthcare
12
Financial
8
MITRE ATT&CK
6 techniques · 5 tacticsTactics
Initial AccessExecutionDefense EvasionCredential AccessImpact
Indicators of compromise
CVEs exploited
Known tools
QakBotCobalt StrikeMimikatzSystemBCPsExec
Detection · YARA rules
1 ruleBlackBasta_Ransomware
Detects Black Basta ransomware
source: CISA AA24-131A
Recent victims
Loading…
Onion infrastructure
3 known- https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
- http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/
- https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source
Updated 1 year agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.