Background
Black Basta is a ransomware-as-a-service (RaaS) operation that emerged in April 2022, immediately following the dissolution of the Conti ransomware group. Security researchers and the leaked Conti chat logs indicate that Black Basta was formed by former Conti members, likely including senior leadership. The group rapidly established itself as one of the most active and sophisticated ransomware operations, compromising over 500 organizations worldwide within its first two years of operation.
Black Basta operates with a high degree of sophistication and operational security. The group is selective about its affiliates and does not publicly advertise its program on cybercrime forums like many RaaS operations. Instead, recruitment appears to occur through trusted networks and direct outreach. This selective approach has resulted in consistently high-quality attacks against large organizations, with ransom demands typically ranging from $1 million to $10 million.
By early 2024, Black Basta had been linked to more than 500 confirmed victims across at least 12 critical infrastructure sectors, prompting a joint advisory from CISA, the FBI, HHS, and MS-ISAC. The group has been notably resilient, adapting its methods multiple times when initial access vectors were disrupted, such as after the FBI's takedown of the Qakbot botnet in August 2023. Internal chat logs leaked in early 2025 revealed further organizational details and confirmed links to Conti operations.
Notable Campaigns
Ascension Health (May 2024): Black Basta attacked Ascension, one of the largest private healthcare systems in the U.S. operating 140 hospitals across 19 states. The attack disrupted electronic health records, phone systems, and clinical workflows, forcing hospitals to divert ambulances and revert to manual record-keeping. The incident affected patient care for weeks and highlighted the ongoing vulnerability of healthcare systems to ransomware.
ABB Ltd (May 2023): Swiss-Swedish automation technology company ABB, a Fortune 500 company with approximately $30 billion in revenue, was compromised by Black Basta. The attack disrupted business operations and affected the company's Windows Active Directory environment. ABB confirmed that data was exfiltrated and systems were encrypted across multiple locations.
Capita (March 2023): Black Basta attacked Capita, a major UK outsourcing company that provides critical services to the UK government, including the administration of pension schemes and military recruitment. The attack disrupted services for numerous public and private sector clients and resulted in significant data exposure. Remediation costs exceeded $25 million.
Toronto Public Library (October 2023): Black Basta compromised the Toronto Public Library, one of the world's largest library systems serving 1.2 million active cardholders. The attack disrupted all online services, public computers, printing systems, and digital collections for months. Employee personal data was stolen and published on the leak site.
Southern Water (February 2024): UK water utility Southern Water, serving 2.5 million customers, was attacked by Black Basta. The group claimed to have stolen 750GB of data including customer and employee personal information. The attack raised concerns about critical infrastructure vulnerability in the water sector.
Tactics, Techniques & Procedures
Black Basta has demonstrated remarkable adaptability in initial access methods. Initially, the group relied heavily on Qakbot malware distributed via phishing emails. After the FBI disrupted Qakbot in August 2023, Black Basta pivoted to alternative loaders including DarkGate, PikaBot, and direct phishing campaigns. In 2024, the group adopted a creative social engineering approach: flooding target employees' email inboxes with newsletter subscriptions, then impersonating IT help desk staff to "resolve" the issue, during which they convinced victims to install remote access tools.
Post-compromise, Black Basta follows a methodical approach. They establish persistence using SystemBC as a proxy tunnel, deploy Cobalt Strike or Brute Ratel C4 for command and control, and conduct extensive Active Directory reconnaissance. The group is adept at disabling Endpoint Detection and Response (EDR) products, frequently using the BYOVD (Bring Your Own Vulnerable Driver) technique to load vulnerable kernel drivers that can terminate security processes.
Data exfiltration is performed using Rclone to cloud storage services before ransomware deployment. The Black Basta ransomware itself targets both Windows and Linux (particularly VMware ESXi) environments. On Windows, it uses GPO deployment for domain-wide distribution. On ESXi, it encrypts virtual machine disk files (VMDK), causing mass virtual machine outages. The ransomware uses ChaCha20 encryption with RSA-4096 for key management.
Tools & Malware
- Black Basta Ransomware: Cross-platform ransomware (Windows, Linux, ESXi) using ChaCha20 encryption with RSA-4096. Uses intermittent encryption for speed on large files. Deployed via GPO on Windows and SSH on Linux.
- Qakbot (QBot): Primary initial access loader (until August 2023 disruption), distributed via phishing emails with malicious attachments.
- DarkGate / PikaBot: Replacement loaders adopted after Qakbot disruption for initial access and payload delivery.
- Cobalt Strike / Brute Ratel C4: Post-exploitation frameworks for command and control and lateral movement.
- SystemBC: A SOCKS5 proxy backdoor used to establish persistent, tunneled communication channels.
- Mimikatz: Credential harvesting, particularly LSASS memory dumps and Kerberos ticket extraction.
- Rclone: Open-source cloud sync tool used for large-scale data exfiltration.
- PsExec / BITSAdmin: Legitimate Windows tools used for lateral movement and payload distribution.
- BYOVD Drivers: Vulnerable kernel drivers (e.g., from anti-cheat software) loaded to disable EDR solutions.
- ConnectWise ScreenConnect / AnyDesk: Legitimate remote access tools used for persistent access.
Indicators & Detection
Black Basta-encrypted files carry a .basta extension, and ransom notes named readme.txt are placed in each encrypted directory. The group's dark web leak site features a minimalist design with victim names and countdowns. On ESXi systems, look for encrypted .vmdk files and a ransom note in the /tmp/ directory.
Detecting the email bombing lure means correlating three signals on the same user: a sudden spike in inbound email volume to an individual mailbox (newsletter and subscription spam), followed by inbound calls or Teams messages from external contacts claiming to be IT support, and then installation of remote access software (Quick Assist, AnyDesk, ScreenConnect). Train help desk staff to verify caller identity through established procedures.
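The following is an added example, not code from the advisory or from any vendor product, that chains those three signals per user over constructed mail, chat and process telemetry. The event tuple layouts, the burst and follow-up thresholds, and the remote-access image names are assumptions for the example and would be replaced by the schemas and baselines of the environment being monitored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-access tools named in the profile, matched case-insensitively against the process image name.
REMOTE_ACCESS_IMAGES = {
    "quickassist.exe",
    "anydesk.exe",
    "screenconnect.clientsetup.exe",
    "screenconnect.windowsclient.exe",
}
# Assumed thresholds for this example; baseline them per environment before deploying.
BURST_THRESHOLD = 50                    # messages to one mailbox within BURST_WINDOW
BURST_WINDOW = timedelta(hours=1)
FOLLOW_UP_WINDOW = timedelta(hours=24)  # how long after the flood the "help desk" lure is expected

T0 = datetime(2024, 6, 3, 9, 0)

# Constructed sample telemetry (not taken from any real incident).
# Mail: (timestamp, recipient, sender_domain). alice gets 60 newsletters in 30 minutes; bob gets 5 normal mails.
EMAIL_EVENTS = [(T0 + timedelta(seconds=30 * i), "alice", f"news{i % 7}.example") for i in range(60)]
EMAIL_EVENTS += [(T0 + timedelta(minutes=10 * i), "bob", "partner.example") for i in range(5)]
# Contacts: (timestamp, user, channel, from_external_tenant)
CONTACT_EVENTS = [
    (T0 + timedelta(hours=2), "alice", "teams", True),   # external "IT support" reaches out after the flood
    (T0 + timedelta(hours=1), "bob", "teams", False),    # ordinary internal chat
]
# Process creation: (timestamp, user, host, image_name)
PROCESS_EVENTS = [
    (T0 + timedelta(hours=2, minutes=20), "alice", "WS-0142", "QuickAssist.exe"),
    (T0 + timedelta(hours=3), "bob", "WS-0077", "outlook.exe"),
]


def find_email_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {recipient: burst_start} for mailboxes that received >= threshold messages in any sliding window."""
    per_user = defaultdict(list)
    for ts, recipient, _sender in events:
        per_user[recipient].append(ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = times[start]
                break
    return bursts


def correlate(email_events, contact_events, process_events):
    """Chain the three stages per user and return one alert dict per affected user."""
    alerts = []
    for user, burst_start in find_email_bursts(email_events).items():
        deadline = burst_start + FOLLOW_UP_WINDOW
        contacts = [c for c in contact_events
                    if c[1] == user and c[3] and burst_start <= c[0] <= deadline]
        tools = [p for p in process_events
                 if p[1] == user and p[3].lower() in REMOTE_ACCESS_IMAGES
                 and burst_start <= p[0] <= deadline]
        if tools:
            severity = "high" if contacts else "medium"  # remote tool after a flood; worse if a lure contact was seen
        elif contacts:
            severity = "low"                               # flood plus unsolicited "IT support", no tool yet
        else:
            continue                                       # flood alone is noisy; leave it to the mail filter
        alerts.append({
            "user": user,
            "severity": severity,
            "burst_start": burst_start,
            "external_contacts": len(contacts),
            "remote_tools": [(p[2], p[3]) for p in tools],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EMAIL_EVENTS, CONTACT_EVENTS, PROCESS_EVENTS):
        print(alert)
```

The severity ladder is the point of the example: a mail flood on its own is only a nuisance, an unsolicited external "IT support" contact on top of it is a warning, and a remote-access tool appearing on that user's host within the follow-up window is the signal that the help desk impersonation succeeded and the host needs isolating.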
Network monitoring should prioritize detection of SystemBC proxy traffic (distinctive patterns in SOCKS5 communication), Rclone data exfiltration to cloud storage (look for rclone process execution with configuration files), and Cobalt Strike/Brute Ratel beacons. Endpoint detection should focus on BYOVD attacks (loading of unsigned or vulnerable kernel drivers), GPO modifications that deploy executables domain-wide, and mass service termination targeting backup and database services. Segment ESXi management interfaces from general network access and restrict SSH access to authorized management systems only.