Skip to main content

Operator dossier

Black Basta (also tracked as BlackBasta) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1,323 public victims claimed by this operator between April 26, 2022 and January 11, 2025. Black Basta is a financially motivated ransomware group that emerged in April 2022 and has since compromised approximately 800 organizations worldwide. The group operates as a Ransomware-as-a-Service (RaaS) model with suspected ties to the now-defunct Conti ransomware operation, though their exact country of origin remains unconfirmed by law enforcement agencies. Black Basta primarily gains initial access through phishing campaigns, exploitation of known vulnerabilities, and credential stuffing attacks, subsequently deploying their custom ransomware that employs ChaCha20 encryption algorithm and employs double extortion tactics by exfiltrating sensitive data before encryption and threatening to publish it on their leak site if ransom demands are not met. The group has demonstrated a preference for targeting organizations in the United States, United Kingdom, Germany, Canada, and Italy, with a particular focus on business services, manufacturing, technology, healthcare, and agriculture sectors. Notable victims have included various healthcare systems and manufacturing companies, though specific ransom amounts and high-profile attacks have not been widely disclosed in public law enforcement advisories. As of 2024, Black Basta remains an active threat with continued operations and regular updates to their leak site indicating ongoing compromise activities.

Most-targeted sectors

Most-affected countries

Recent disclosures by Black Basta

Most recent 150 of 1,323 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Black Basta

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Black Basta

aka BlackBasta · 1,323 victims indexed · first seen 4 years ago · last activity 2 years ago

1,323
Victims indexed
#8 of 364 tracked operators
2y 9m
Active period
Apr 2022 → Jan 2025
30
Countries hit
top United States · 454

At a glance

Status
inactive
Aliases
BlackBasta
First seen
4 years ago
Last activity
2 years ago
Onion sites
7 known endpoints
Primary sector
Manufacturing · 175 hits

About

Black Basta is a financially motivated ransomware group that emerged in April 2022 and has since compromised approximately 800 organizations worldwide. The group operates as a Ransomware-as-a-Service (RaaS) model with suspected ties to the now-defunct Conti ransomware operation, though their exact country of origin remains unconfirmed by law enforcement agencies. Black Basta primarily gains initial access through phishing campaigns, exploitation of known vulnerabilities, and credential stuffing attacks, subsequently deploying their custom ransomware that employs ChaCha20 encryption algorithm and employs double extortion tactics by exfiltrating sensitive data before encryption and threatening to publish it on their leak site if ransom demands are not met. The group has demonstrated a preference for targeting organizations in the United States, United Kingdom, Germany, Canada, and Italy, with a particular focus on business services, manufacturing, technology, healthcare, and agriculture sectors. Notable victims have included various healthcare systems and manufacturing companies, though specific ransom amounts and high-profile attacks have not been widely disclosed in public law enforcement advisories. As of 2024, Black Basta remains an active threat with continued operations and regular updates to their leak site indicating ongoing compromise activities.

References

23 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2022-11-01T00:00:00+00:00 · 162022-12-01T00:00:00+00:00 · 322023-01-01T00:00:00+00:00 · 12023-03-01T00:00:00+00:00 · 1132023-04-01T00:00:00+00:00 · 632023-05-01T00:00:00+00:00 · 212023-06-01T00:00:00+00:00 · 312023-07-01T00:00:00+00:00 · 142023-08-01T00:00:00+00:00 · 182023-10-01T00:00:00+00:00 · 442023-11-01T00:00:00+00:00 · 972023-12-01T00:00:00+00:00 · 362024-01-01T00:00:00+00:00 · 532024-02-01T00:00:00+00:00 · 702024-03-01T00:00:00+00:00 · 1022024-04-01T00:00:00+00:00 · 592024-05-01T00:00:00+00:00 · 542024-06-01T00:00:00+00:00 · 452024-07-01T00:00:00+00:00 · 192024-09-01T00:00:00+00:00 · 62024-10-01T00:00:00+00:00 · 362024-11-01T00:00:00+00:00 · 432024-12-01T00:00:00+00:00 · 592025-01-01T00:00:00+00:00 · 24
2022-11-01T00:00:00+00:002025-01-01T00:00:00+00:00

Top countries

🇺🇸 United States
454
🇬🇧 United Kingdom
91
🇩🇪 Germany
79
🇨🇦 Canada
51
🇮🇹 Italy
41
🇳🇱 Netherlands
20
🇨🇭 Switzerland
16
🇫🇷 France
16

Top sectors

Manufacturing
175
Business Services
143
Technology
82
Healthcare
71
Construction
58
Legal
32
Transportation & Logistics
31
Agriculture and Food Production
30

MITRE ATT&CK

6 techniques · 5 tactics

Tactics

Initial AccessExecutionDefense EvasionCredential AccessImpact

Techniques

Indicators of compromise

Known tools

QakBotCobalt StrikeMimikatzSystemBCPsExec

Detection · YARA rules

1 rule
  • BlackBasta_Ransomware

    Detects Black Basta ransomware

    source: CISA AA24-131A

Recent victims

Loading…

Onion infrastructure

7 known
  • https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/
  • http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/
  • https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
  • http://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion
  • http://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion
  • http://databasebb.top
  • http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Black Basta posts a victim.

Add Black Basta to your watchlist — Pro pings you within 5 minutes of any new Black Basta leak-site post, Telegram callout, or affiliate-rebrand inference.