| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Storm-0506 (DEV-0506) is a financially motivated cybercriminal group operating as a core affiliate within the Black Basta ransomware-as-a-service (RaaS) ecosystem, having switched from deploying Conti ransomware around April 2022. This actor's operational model is distinguished by its strategic reliance on a dynamic network of initial access brokers, showcasing a division of labor common in RaaS operations. Throughout its history, Storm-0506 has leveraged access obtained through various brokers: initially Storm-0450/0464 via Qakbot infections (pre-September 2023), then expanding to include Storm-1674 delivering DarkGate, Pikabot, and IcedID (September 2023), and later employing Storm-1674's Microsoft Teams vishing campaigns (October 2024) and Storm-0569's SEO poisoning leading to BATLOADER and Cobalt Strike (December 2023). Following successful initial compromise, Storm-0506 employs a range of post-exploitation tools, including Cobalt Strike Beacon, SystemBC, and Brute Ratel C4 backdoors, and notably, often utilizes command-and-control (C2) infrastructure established by Storm-0365, indicating close collaboration or shared resources. This actor is characterized by hands-on-keyboard activity, culminating in the deployment of Black Basta ransomware. A resurgence in activity observed in October 2024, directly linked to Storm-1674's vishing, underscores the ongoing and adaptive threat that Storm-0506 represents within the ransomware landscape.
| 2025-03-03
⋅
Trend Micro
⋅
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal Black Basta Black Basta Cactus ReedBed |
| 2025-02-22
⋅
CrowdStrike
⋅
Wandering Spider Black Basta Black Basta GOLD REBELLION |
| 2024-12-04
⋅
Rapid7
⋅
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware Black Basta Cobalt Strike DarkGate SystemBC Zloader |
| 2024-11-09
⋅
Youtube (Microsoft Security Response Center (MSRC))
⋅
BlueHat 2024: S17: MSTIC - A Threat Intelligence Year in Review Storm-0506 TA2101 |
| 2024-10-25
⋅
Reliaquest
⋅
ReliaQuest Uncovers New Black Basta Social Engineering Technique Black Basta |
| 2024-10-24
⋅
Microsoft
⋅
Tweet about Storm-0506 and Black Basta Storm-0506 |
| 2024-08-12
⋅
Rapid7
⋅
Ongoing Social Engineering Campaign Refreshes Payloads Black Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC |
| 2024-07-29
⋅
Microsoft
⋅
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption Black Basta Black Basta Storm-0506 |
| 2024-07-29
⋅
Mandiant
⋅
UNC4393 Goes Gently into the SILENTNIGHT Black Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393 |
| 2024-06-12
⋅
Symantec
⋅
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day Black Basta UNC4393 |
| 2024-06-12
⋅
Symantec
⋅
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day Black Basta |
| 2024-05-15
⋅
Stairwell
⋅
Stairwell threat report: Black Basta overview and detection rules Black Basta Black Basta |
| 2024-05-15
⋅
Microsoft
⋅
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware Black Basta Cobalt Strike QakBot UNC4393 |
| 2024-05-15
⋅
Microsoft
⋅
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware Black Basta Cobalt Strike QakBot SystemBC |
| 2024-05-10
⋅
CISA
⋅
AA24-131A: #StopRansomware: Black Basta Black Basta Black Basta |
| 2024-05-10
⋅
Rapid7 Labs
⋅
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators Black Basta Black Basta Cobalt Strike NetSupportManager RAT |
| 2024-02-28
⋅
Security Intelligence
⋅
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023 404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos |
| 2024-02-21
⋅
Microsoft
⋅
Exploit:Python/CVE-2024-1709.A!dha Storm-0506 |
| 2023-12-30
⋅
Rewterz Information Security
⋅
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs EugenLoader POWERTRASH BATLOADER DarkGate FlawedGrace NetSupportManager RAT SectopRAT Storm-0506 |
| 2023-11-16
⋅
YouTube (Swiss Cyber Storm)
⋅
Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware Black Basta |
| 2023-06-27
⋅
SecurityIntelligence
⋅
The Trickbot/Conti Crypters: Where Are They Now? Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot |
| 2023-04-19
⋅
Bleeping Computer
⋅
March 2023 broke ransomware attack records with 459 incidents Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom |
| 2023-04-18
⋅
Mandiant
⋅
M-Trends 2023 QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate |
| 2023-03-30
⋅
United States District Court (Eastern District of New York)
⋅
Cracked Cobalt Strike (1:23-cv-02447) Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader |
| 2023-03-20
⋅
PWC
⋅
Cyber Threats 2022: A Year in Retrospect Black Basta Black Basta Earth Lusca GOLD REBELLION |
| 2023-03-15
⋅
Reliaquest
⋅
QBot: Laying the Foundations for Black Basta Ransomware Activity Black Basta QakBot |
| 2023-01-25
⋅
Quadrant Information Security
⋅
Technical Analysis: Black Basta Malware Overview Black Basta Black Basta |
| 2023-01-23
⋅
Kroll
⋅
Black Basta – Technical Analysis Black Basta Cobalt Strike MimiKatz QakBot SystemBC |
| 2022-12-01
⋅
Zscaler
⋅
Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0 Black Basta |
| 2022-11-23
⋅
Cybereason
⋅
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies Black Basta QakBot |
| 2022-11-03
⋅
Sentinel LABS
⋅
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor Black Basta |
| 2022-11-03
⋅
SentinelOne
⋅
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor Black Basta QakBot SocksBot |
| 2022-10-12
⋅
Trend Micro
⋅
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike Black Basta Brute Ratel C4 Cobalt Strike QakBot |
| 2022-09-08
⋅
Sentinel LABS
⋅
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection AgendaCrypt Black Basta BlackCat PLAY |
| 2022-09-01
⋅
Trend Micro
⋅
Ransomware Spotlight Black Basta Black Basta Cobalt Strike MimiKatz QakBot |
| 2022-08-25
⋅
Palo Alto Networks Unit 42
⋅
Threat Assessment: Black Basta Ransomware Black Basta QakBot |
| 2022-08-25
⋅
Palo Alto Networks Unit 42
⋅
Threat Assessment: Black Basta Ransomware Black Basta |
| 2022-08-22
⋅
Microsoft
⋅
Extortion Economics - Ransomware’s new business model BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk |
| 2022-08-15
⋅
SecurityScorecard
⋅
A Deep Dive Into Black Basta Ransomware Black Basta |
| 2022-08-15
⋅
SecurityScorecard
⋅
A Deep Dive Into Black Basta Ransomware Black Basta |
| 2022-07-20
⋅
Kaspersky
⋅
Luna and Black Basta — new ransomware for Windows, Linux and ESXi Black Basta Conti |
| 2022-06-30
⋅
Trend Micro
⋅
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit Black Basta Cobalt Strike QakBot |
| 2022-06-28
⋅
GBHackers on Security
⋅
Black Basta Ransomware Emerging From Underground to Attack Corporate Networks Black Basta |
| 2022-06-06
⋅
NCC Group
⋅
Shining the Light on Black Basta Black Basta |
| 2022-06-01
⋅
Avertium
⋅
An In-Depth Look At Black Basta Ransomware Black Basta |
| 2022-05-26
⋅
IBM
⋅
Black Basta Besting Your Network? Black Basta |
| 2022-05-20
⋅
AdvIntel
⋅
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive |
| 2022-05-09
⋅
Trend Micro
⋅
Examining the Black Basta Ransomware’s Infection Routine Black Basta |
| 2022-04-29
⋅
The Record
⋅
German wind farm operator confirms cybersecurity incident Black Basta BlackCat |
| 2022-04-27
⋅
BleepingComputer
⋅
New Black Basta ransomware springs into action with a dozen breaches Black Basta |
| 2022-04-26
⋅
Bleeping Computer
⋅
American Dental Association hit by new Black Basta ransomware Black Basta |