| SYMBOL | COMMON_NAME | aka. SYNONYMS |
GOLD REBELLION is a financially motivated cybercriminal threat group that operates the Black Basta name-and-shame ransomware. The group posted its first victim to its leak site in April 2022 and has continued to publish victim names at a rate of around 15 a month since then. GOLD REBELLION has not openly advertised or appeared to recruit for an affiliate program but the variety of tactics, techniques and procedures (TTP) observed in Black Basta intrusions suggests that multiple individuals are engaged in the ransomware scheme.Several security vendors and independent researchers have suggested the distributors of Black Basta may be former affiliates of GOLD ULRICK's Conti operation. Technical artifacts analyzed by CTU researchers suggest that Black Basta has been under development since at least early February 2022, several weeks before extensive public leaks detailed GOLD ULRICK's Conti operation. In November 2022, researchers at SentinelOne linked custom tooling used by GOLD REBELLION to the GOLD NIAGARA (FIN7) threat group. CTU researchers have not made independent observations corroborating a relationship between these threat groups or any others.GOLD REBELLION appear to have been a key customer of GOLD LAGOON's Qakbot: CTU researchers observed multiple incidents where Black Basta was distributed through it as an initial access vector (IAV), leading to Cobalt Strike and further lateral movement into the victim network. Following the takedown of Qakbot in August 2023, GOLD REBELLION explored new methods of delivery, including DarkGate and Pikabot. In one incident, CTU researchers observed a threat actor gain access to a victim network through a managed security services provider (MSSP). In October 2024, GOLD REBELLION likely exploited a vulnerability in a Sonic Wall VPN device for access. Also in 2024, CTU researchers observed multiple instances of the group using social engineering to convince victims to download remote management and monitoring tools like AnyDesk and Quick Assist. After spamming inboxes with multiple emails, the threat actors approached the affected users via Teams, purporting to be IT Support or Help Desk employees offering assistance with email inbox issues.Other tools members of the group have used include the SystemBC back connect malware, PsExec for remote execution, RDP for lateral movement, batch files to delete their own tools and disable anti-virus programs for defense evasion, and both Rclone and MegaSync for data exfiltration.
| 2025-03-04
⋅
Secureworks
⋅
GOLD REBELLION GOLD REBELLION |
| 2025-03-03
⋅
Trend Micro
⋅
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal Black Basta Black Basta Cactus ReedBed |
| 2025-02-28
⋅
CrowdStrike
⋅
2025 Global Threat Report GOLD REBELLION UNC4393 |
| 2025-02-22
⋅
CrowdStrike
⋅
Wandering Spider Black Basta Black Basta GOLD REBELLION |
| 2024-12-04
⋅
Rapid7
⋅
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware Black Basta Cobalt Strike DarkGate SystemBC Zloader |
| 2024-10-25
⋅
Reliaquest
⋅
ReliaQuest Uncovers New Black Basta Social Engineering Technique Black Basta |
| 2024-10-02
⋅
Secureworks
⋅
2024 State of the Threat GOLD REBELLION |
| 2024-08-12
⋅
Rapid7
⋅
Ongoing Social Engineering Campaign Refreshes Payloads Black Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC |
| 2024-07-29
⋅
Mandiant
⋅
UNC4393 Goes Gently into the SILENTNIGHT Black Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393 |
| 2024-07-29
⋅
Microsoft
⋅
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption Black Basta Black Basta Storm-0506 |
| 2024-06-27
⋅
Palo Alto Networks Unit 42
⋅
Threat Actor Groups Tracked by Palo Alto Networks Unit 42 GOLD REBELLION |
| 2024-06-12
⋅
Symantec
⋅
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day Black Basta UNC4393 |
| 2024-06-12
⋅
Symantec
⋅
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day Black Basta |
| 2024-05-15
⋅
Microsoft
⋅
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware Black Basta Cobalt Strike QakBot UNC4393 |
| 2024-05-15
⋅
Stairwell
⋅
Stairwell threat report: Black Basta overview and detection rules Black Basta Black Basta |
| 2024-05-15
⋅
Microsoft
⋅
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware Black Basta Cobalt Strike QakBot SystemBC |
| 2024-05-10
⋅
CISA
⋅
AA24-131A: #StopRansomware: Black Basta Black Basta Black Basta |
| 2024-05-10
⋅
Rapid7 Labs
⋅
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators Black Basta Black Basta Cobalt Strike NetSupportManager RAT |
| 2024-02-28
⋅
Security Intelligence
⋅
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023 404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos |
| 2023-11-16
⋅
YouTube (Swiss Cyber Storm)
⋅
Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware Black Basta |
| 2023-09-29
⋅
Secureworks
⋅
2023 State of the Threat GOLD REBELLION |
| 2023-07-21
⋅
Secureworks
⋅
Learning from Incident Response: January - March 2023 GOLD REBELLION |
| 2023-06-27
⋅
SecurityIntelligence
⋅
The Trickbot/Conti Crypters: Where Are They Now? Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot |
| 2023-05-23
⋅
CrowdStrike
⋅
Modern Adversaries and Evasion Techniques: Why Legacy AV Is an Easy Target GOLD REBELLION |
| 2023-04-19
⋅
Bleeping Computer
⋅
March 2023 broke ransomware attack records with 459 incidents Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom |
| 2023-04-18
⋅
Mandiant
⋅
M-Trends 2023 QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate |
| 2023-03-30
⋅
United States District Court (Eastern District of New York)
⋅
Cracked Cobalt Strike (1:23-cv-02447) Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader |
| 2023-03-20
⋅
PWC
⋅
Cyber Threats 2022: A Year in Retrospect Black Basta Black Basta Earth Lusca GOLD REBELLION |
| 2023-03-15
⋅
Reliaquest
⋅
QBot: Laying the Foundations for Black Basta Ransomware Activity Black Basta QakBot |
| 2023-03-09
⋅
Secureworks
⋅
Learning from Incident Response: 2022 Year in Review GOLD REBELLION |
| 2023-01-25
⋅
Quadrant Information Security
⋅
Technical Analysis: Black Basta Malware Overview Black Basta Black Basta |
| 2023-01-23
⋅
Kroll
⋅
Black Basta – Technical Analysis Black Basta Cobalt Strike MimiKatz QakBot SystemBC |
| 2022-12-01
⋅
Zscaler
⋅
Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0 Black Basta |
| 2022-11-23
⋅
Cybereason
⋅
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies Black Basta QakBot |
| 2022-11-03
⋅
Sentinel LABS
⋅
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor Black Basta |
| 2022-11-03
⋅
SentinelOne
⋅
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor Black Basta QakBot SocksBot |
| 2022-10-12
⋅
Trend Micro
⋅
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike Black Basta Brute Ratel C4 Cobalt Strike QakBot |
| 2022-09-08
⋅
Sentinel LABS
⋅
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection AgendaCrypt Black Basta BlackCat PLAY |
| 2022-09-01
⋅
Trend Micro
⋅
Ransomware Spotlight Black Basta Black Basta Cobalt Strike MimiKatz QakBot |
| 2022-08-25
⋅
Palo Alto Networks Unit 42
⋅
Threat Assessment: Black Basta Ransomware Black Basta QakBot |
| 2022-08-25
⋅
Palo Alto Networks Unit 42
⋅
Threat Assessment: Black Basta Ransomware Black Basta |
| 2022-08-22
⋅
Microsoft
⋅
Extortion Economics - Ransomware’s new business model BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk |
| 2022-08-15
⋅
SecurityScorecard
⋅
A Deep Dive Into Black Basta Ransomware Black Basta |
| 2022-08-15
⋅
SecurityScorecard
⋅
A Deep Dive Into Black Basta Ransomware Black Basta |
| 2022-07-20
⋅
Kaspersky
⋅
Luna and Black Basta — new ransomware for Windows, Linux and ESXi Black Basta Conti |
| 2022-06-30
⋅
Trend Micro
⋅
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit Black Basta Cobalt Strike QakBot |
| 2022-06-28
⋅
GBHackers on Security
⋅
Black Basta Ransomware Emerging From Underground to Attack Corporate Networks Black Basta |
| 2022-06-06
⋅
NCC Group
⋅
Shining the Light on Black Basta Black Basta |
| 2022-06-01
⋅
Avertium
⋅
An In-Depth Look At Black Basta Ransomware Black Basta |
| 2022-05-26
⋅
IBM
⋅
Black Basta Besting Your Network? Black Basta |
| 2022-05-20
⋅
AdvIntel
⋅
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive |
| 2022-05-09
⋅
Trend Micro
⋅
Examining the Black Basta Ransomware’s Infection Routine Black Basta |
| 2022-04-29
⋅
The Record
⋅
German wind farm operator confirms cybersecurity incident Black Basta BlackCat |
| 2022-04-27
⋅
BleepingComputer
⋅
New Black Basta ransomware springs into action with a dozen breaches Black Basta |
| 2022-04-26
⋅
Bleeping Computer
⋅
American Dental Association hit by new Black Basta ransomware Black Basta |