SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackbasta (Back to overview)

Black Basta

aka: no_name_software

Actor(s): GOLD REBELLION, STAC5143, Storm-0506, Storm-0826, TA2101, UNC3973, UNC4393

VTCollection    

"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

References
2025-04-24MandiantMandiant
M-Trends 2025 Report
Akira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit RansomHub SystemBC
2025-04-16SpyCloudAurora Johnson, Keegan Keplinger
Exposed Credentials & Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats
Black Basta Black Basta
2025-04-15Orange CyberdefenseAndré Henschel, Friedl Holzner
CyberSOC Insights: Analysis of a Black Basta Attack Campaign
Black Basta DarkGate Lumma Stealer
2025-04-08TrustwaveNikita Kazymirskyi, Serhii Melnyk
A deep Dive into the Leaked Black Basta Chat Logs
Black Basta Black Basta
2025-04-02ANALYST1analyst1
Inside BlackBasta: Actor Profiles, Extortion Tactics & Finances
Black Basta Black Basta
2025-04-02Intel 471Intel 471
An in-depth look at Black Basta's TTPs
Black Basta Black Basta
2025-03-18ExpelAARON WALTON
Code-signing certificate abuse in the Black Basta chat leaks (and how to fight back)
Black Basta Black Basta
2025-03-18TrellixJambul Tologonov, John Fokker
Analysis of Black Basta Ransomware Chat Leaks
Black Basta Black Basta
2025-03-17CloudflareCloudflare
Black Basta’s blunder: exploiting the gang’s leaked chats
Black Basta Black Basta
2025-03-13EclecticIQArda Büyükkaya
Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices
Black Basta
2025-03-12Youtube (AhmedS Kasmani)AhmedS Kasmani
Initial Analysis of Black Basta Chat Leaks
Black Basta Black Basta
2025-03-12YouTube (John Hammond)John Hammond
LEAKED Russian Hackers Internal Chats
Black Basta Black Basta
2025-03-10LevelBlueKen Ng
Prevent, Detect, Contain: LevelBlue MDR’s Guide Against Black Basta Affiliates’ Attacks
Black Basta Black Basta ReedBed
2025-03-06flareEstelle Ruellan, Oleg Lypko, Tammy Harper
Deciphering Black Basta’s Infrastructure from the Chat Leak
Black Basta Black Basta
2025-03-05eSentireSpence Hutchinson
Initial Takeaways from the Black Basta Chat Leaks
Black Basta Black Basta
2025-03-04Medium (A-poc)A-poc
Black Basta Leak Analysis
Black Basta Black Basta
2025-03-03Trend MicroAdam O'Connor, Catherine Loveria, Gabriel Cardoso, Ian Kenefick, Jack Walsh, Jovit Samaniego, Lucas Silva, Stephen Carbery
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Black Basta Black Basta Cactus ReedBed
2025-03-02ropgadget.comJeff White
Pivoting on Black Basta's (leaked) Infrastructure
Black Basta Black Basta
2025-03-01LeMagITValéry Rieß-Marchive
Ransomware : de REvil à Black Basta, que sait-on de Tramp ?
Black Basta Black Basta
2025-02-28Medium walmartglobaltechJoshua Platt
Agent AI, Basta Parser Extraordinaire
Black Basta Black Basta
2025-02-28Intel 471Intel 471
Black Basta exposed: A look at a cybercrime data leak
Black Basta Black Basta
2025-02-27BushidoTokenwilliam thomas
BlackBasta Leaks: Lessons from the Ascension Health attack
Black Basta
2025-02-26OntinueBalazs Greksza, Domenico de Vitto, Manupriya Sharma, Rhys Downing
Inside BlackBasta: What Leaked Conversations Reveal About Their Ransomware Operations
Black Basta Black Basta
2025-02-22CrowdStrikeCrowdStrike
Wandering Spider
Black Basta Black Basta GOLD REBELLION
2025-01-31ConnectWiseBlake Eakin
Attackers Leveraging Microsoft Teams Defaults and Quick Assist for Social Engineering Attacks
Black Basta Black Basta ReedBed
2025-01-30eSentireeSentire
Ongoing Email Bombing Campaigns leading to Remote Access and Post-Exploitation
Black Basta ReedBed UNC4393
2024-12-04Rapid7Tyler McGraw
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Black Basta Cobalt Strike DarkGate SystemBC Zloader
2024-10-25ReliaquestRELIAQUEST THREAT RESEARCH TEAM
ReliaQuest Uncovers New Black Basta Social Engineering Technique
Black Basta
2024-08-12Rapid7Tyler McGraw
Ongoing Social Engineering Campaign Refreshes Payloads
Black Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC
2024-07-29MicrosoftCharles-Edouard Bettan, Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Vaibhav Deshmukh
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Black Basta Black Basta Storm-0506
2024-07-29MandiantAshley Pearson, Jake Nicastro, Joseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong
UNC4393 Goes Gently into the SILENTNIGHT
Black Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393
2024-06-12SymantecSymantec Threat Hunter Team
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Black Basta UNC4393
2024-06-12SymantecSymantec Threat Hunter Team
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Black Basta
2024-05-15StairwellThreat Research at Stairwell
Stairwell threat report: Black Basta overview and detection rules
Black Basta Black Basta
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot SystemBC
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot UNC4393
2024-05-10Rapid7 LabsEvan McCann, Thomas Elkins, Tyler McGraw
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Black Basta Black Basta Cobalt Strike NetSupportManager RAT
2024-05-10CISACISA
AA24-131A: #StopRansomware: Black Basta
Black Basta Black Basta
2024-02-28Security IntelligenceGolo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos
2023-11-16YouTube (Swiss Cyber Storm)Angelo Violetti
Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware
Black Basta
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-04-19Bleeping ComputerBill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-20PWCPWC
Cyber Threats 2022: A Year in Retrospect
Black Basta Black Basta Earth Lusca GOLD REBELLION
2023-03-15ReliaquestRELIAQUEST THREAT RESEARCH TEAM
QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta QakBot
2023-01-25Quadrant Information SecurityQuadrant Information Security
Technical Analysis: Black Basta Malware Overview
Black Basta Black Basta
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2022-12-01ZscalerZscaler
Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0
Black Basta
2022-11-23CybereasonCybereason Global SOC Team
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot
2022-11-03Sentinel LABSAntonio Cocomazzi
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
Black Basta
2022-11-03SentinelOneSentinelLabs
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-09-08Sentinel LABSAleksandar Milenkoski, Jim Walter
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY
2022-09-01Trend MicroTrend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta
2022-08-22MicrosoftMicrosoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-08-15SecurityScorecardVlad Pasca
A Deep Dive Into Black Basta Ransomware
Black Basta
2022-08-15SecurityScorecardVlad Pasca
A Deep Dive Into Black Basta Ransomware
Black Basta
2022-07-20KasperskyDmitry Galov, Jornt van der Wiel, Marc Rivero López, Sergey Lozhkin
Luna and Black Basta — new ransomware for Windows, Linux and ESXi
Black Basta Conti
2022-06-30Trend MicroEmmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-28GBHackers on SecurityGurubaran S
Black Basta Ransomware Emerging From Underground to Attack Corporate Networks
Black Basta
2022-06-06NCC GroupPeter Gurney, Ross Inman
Shining the Light on Black Basta
Black Basta
2022-06-01AvertiumAvertium
An In-Depth Look At Black Basta Ransomware
Black Basta
2022-05-26IBMDave McMillen, Kevin Henson
Black Basta Besting Your Network?
Black Basta
2022-05-20AdvIntelMarley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09Trend MicroIeriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales
Examining the Black Basta Ransomware’s Infection Routine
Black Basta
2022-04-29The RecordJonathan Greig
German wind farm operator confirms cybersecurity incident
Black Basta BlackCat
2022-04-27BleepingComputerBleepingComputer
New Black Basta ransomware springs into action with a dozen breaches
Black Basta
2022-04-26Bleeping ComputerLawrence Abrams
American Dental Association hit by new Black Basta ransomware
Black Basta
Yara Rules
[TLP:WHITE] win_blackbasta_auto (20241030 | Detects win.blackbasta.)
rule win_blackbasta_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.blackbasta."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b3403 85f6 0f856f010000 eb02 33f6 80791400 7410 }
            // n = 7, score = 100
            //   8b3403               | mov                 esi, dword ptr [ebx + eax]
            //   85f6                 | test                esi, esi
            //   0f856f010000         | jne                 0x175
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   80791400             | cmp                 byte ptr [ecx + 0x14], 0
            //   7410                 | je                  0x12

        $sequence_1 = { e9???????? c7456001000000 83fe01 0f86ff000000 90 8d4548 50 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   c7456001000000       | mov                 dword ptr [ebp + 0x60], 1
            //   83fe01               | cmp                 esi, 1
            //   0f86ff000000         | jbe                 0x105
            //   90                   | nop                 
            //   8d4548               | lea                 eax, [ebp + 0x48]
            //   50                   | push                eax

        $sequence_2 = { 8b450c 83c01c 50 8d4920 e8???????? 8b450c 8b4df0 }
            // n = 7, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83c01c               | add                 eax, 0x1c
            //   50                   | push                eax
            //   8d4920               | lea                 ecx, [ecx + 0x20]
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_3 = { 56 8d581c 8d6804 7442 6a00 8bcb }
            // n = 6, score = 100
            //   56                   | push                esi
            //   8d581c               | lea                 ebx, [eax + 0x1c]
            //   8d6804               | lea                 ebp, [eax + 4]
            //   7442                 | je                  0x44
            //   6a00                 | push                0
            //   8bcb                 | mov                 ecx, ebx

        $sequence_4 = { 53 56 57 8bf9 8b37 85f6 747a }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   85f6                 | test                esi, esi
            //   747a                 | je                  0x7c

        $sequence_5 = { 56 51 6a01 8bcb ff5034 8b03 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   8bcb                 | mov                 ecx, ebx
            //   ff5034               | call                dword ptr [eax + 0x34]
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_6 = { c7471400000000 e8???????? c7461000000000 83c40c c746140f000000 c60600 be08000000 }
            // n = 7, score = 100
            //   c7471400000000       | mov                 dword ptr [edi + 0x14], 0
            //   e8????????           |                     
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   83c40c               | add                 esp, 0xc
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c60600               | mov                 byte ptr [esi], 0
            //   be08000000           | mov                 esi, 8

        $sequence_7 = { 8d957cffffff 52 8d95d4feffff 52 ff5024 8b8dd0feffff 8d957cffffff }
            // n = 7, score = 100
            //   8d957cffffff         | lea                 edx, [ebp - 0x84]
            //   52                   | push                edx
            //   8d95d4feffff         | lea                 edx, [ebp - 0x12c]
            //   52                   | push                edx
            //   ff5024               | call                dword ptr [eax + 0x24]
            //   8b8dd0feffff         | mov                 ecx, dword ptr [ebp - 0x130]
            //   8d957cffffff         | lea                 edx, [ebp - 0x84]

        $sequence_8 = { c7855cfeffff980a0a10 e8???????? 57 8d8d78feffff c745fc09000000 }
            // n = 5, score = 100
            //   c7855cfeffff980a0a10     | mov    dword ptr [ebp - 0x1a4], 0x100a0a98
            //   e8????????           |                     
            //   57                   | push                edi
            //   8d8d78feffff         | lea                 ecx, [ebp - 0x188]
            //   c745fc09000000       | mov                 dword ptr [ebp - 4], 9

        $sequence_9 = { 8975f0 c706???????? c74604???????? c74608???????? c7462060ed0910 c745fcffffffff e8???????? }
            // n = 7, score = 100
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   c706????????         |                     
            //   c74604????????       |                     
            //   c74608????????       |                     
            //   c7462060ed0910       | mov                 dword ptr [esi + 0x20], 0x1009ed60
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1758208
}
[TLP:WHITE] win_blackbasta_w0   (20220722 | Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.)
rule win_blackbasta_w0 {
   meta:
      description = "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates."
      author = "rcoliveira@protonmail.com"
      reference_1 = "https://securelist.com/luna-black-basta-ransomware/106950/"
      reference_2 = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      hash_1 = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be"
      hash_2 = "0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef"
      date = "2022-07-21"
      sharing = "TLP:WHITE"
      malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
      malpedia_version = "20220722"
      malpedia_license = "CC BY-NC-SA 4.0"
      malpedia_sharing = "TLP:WHITE"
   strings:
      $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion" fullword ascii
      $s2 = "Your data are stolen and encrypted" fullword ascii
      $s3 = "The data will be published on TOR website if you do not pay the ransom" fullword ascii
      $s4 = "Input is not valid base64-encoded data." fullword ascii
      $s5 = "(you should download and install TOR browser first https://torproject.org)" fullword ascii
      $a1 = "_Z12EncryptBytesP8Chacha20PhS1_S1_i" fullword ascii
      $a2 = "_Z21GetEncryptedNextBlockP8Chacha20PN3ghc10filesystem13basic_fstreamIcSt11char_traitsIcEEEPhS8_ixS8_" fullword ascii /* score: '17.00'*/
      $a3 = "_ZNSt10_HashtableISsSt4pairIKSsPcESaIS3_ENSt8__detail10_Select1stESt8equal_toISsESt4hashISsENS5_18_Mod_range_hashingENS5_20_Default_ranged_hashENS5_20_Prime_rehash_policyENS5_17_Hashtable_traitsILb1ELb0ELb1EEEE21_M_insert_unique_nodeEmmPNS5_10_Hash_nodeIS3_Lb1EEE" fullword ascii
      $a4 = "_ZNSt8__detail9_Map_baseISsSt4pairIKSsPcESaIS4_ENS_10_Select1stESt8equal_toISsESt4hashISsENS_18_Mod_range_hashingENS_20_Default_ranged_hashENS_20_Prime_rehash_policyENS_17_Hashtable_traitsILb1ELb0ELb1EEELb1EEixEOSs" fullword ascii
      $a5 = "_ZN3ghc10filesystem4path28postprocess_path_with_formatENS1_6formatE" fullword ascii
      $a6 = "C:/Users/dssd/Desktop/src" fullword ascii
      $a7 = "totalBytesEncrypted" fullword ascii
   condition:
      filesize < 600KB and
      (1 of ($s*) and 1 of ($a*) ) or (8 of them)
}
Download all Yara Rules