Credential Theft
- Mimikatz
Black Basta is a ransomware family and ransomware-as-a-service operation that emerged in 2022 and rapidly became a major extortion threat to enterprises and critical infrastructure organizations worldwide.
Profile source: Mallory opens in a new tabBlack Basta
Black Basta is a ransomware family and ransomware-as-a-service operation that emerged in 2022 and rapidly became a major extortion threat to enterprises and critical infrastructure organizations worldwide. It has been associated with large-scale victimization across multiple industries, including sectors with low tolerance for downtime, and has targeted organizations in numerous U.S. critical infrastructure sectors. The operation is widely assessed as part of the post-Conti Russian-speaking ransomware ecosystem, with reporting and leaked internal communications indicating overlap in personnel, tradecraft, and tooling with other major criminal groups.
Black Basta intrusions commonly combine data theft and file encryption as part of a double-extortion model. Operators are known to conduct deliberate victim profiling before deployment, evaluating factors such as revenue, operational dependence, cyber insurance, and the sensitivity of stolen information in order to tailor ransom demands and negotiation strategy. The group has also been linked to pressure tactics beyond encryption and exfiltration, including harassment and operational disruption intended to increase the likelihood of payment.
Initial access associated with Black Basta has included phishing and malware delivery through malicious Office documents, exploitation of vulnerabilities, use of exposed remote access services, and purchases from initial access brokers. More recent activity linked to Black Basta and closely aligned clusters has prominently used social engineering: victims are first overwhelmed with spam or subscription emails, then contacted through Microsoft Teams or by phone by attackers impersonating IT support, who persuade them to launch remote assistance tools such as Quick Assist. Once access is obtained, operators deploy additional tooling, establish persistence, harvest credentials, perform reconnaissance, and move laterally before attempting ransomware execution.
On Windows systems, Black Basta has been observed creating new services for persistence and modifying the Registry, including changes that support execution in Safe Mode and alter the appearance of encrypted files. Reporting also links Black Basta-associated activity to credential theft, keylogging, network scanning, and lateral movement in pre-ransomware phases. The group has used a broad ecosystem of loaders, backdoors, and post-exploitation tooling, and leaked chats indicate reliance on outsourced specialists and rented malware services as part of a mature criminal operating model.
Black Basta has also operated Linux encryptors, reflecting the broader ransomware trend toward targeting virtualized and server environments in addition to Windows endpoints. Public reporting describes the group as a highly organized extortion enterprise with structured internal roles, negotiation processes, and affiliate-style operations. By 2025, leaks of internal chats exposed extensive details about its targeting, negotiations, internal disputes, and possible rebranding or migration of members to other ransomware operations such as Cactus.
Ransomware.live
Reported operators
It is the signature opening move of cyber-criminal crews linked to the notorious Black Basta ransomware operation, alongside a rising tide of copycats executing the same play.
Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022.
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.
For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly.
Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.
BlackBasta was one of the most active ransomware groups since it launched in February 2022 as a successor to the notorious Conti ransomware gang.
In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.
Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...
"In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments."
"In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments."
"Black Basta ransomware emerged in April 2022..."
“A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself… the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”
Early tactics in the attack align with those of “Storm-1811” (aka “STAC5777”), a threat group known to deploy “Black Basta” ransomware.
"...a financially motivated cluster Microsoft has linked to Black Basta ransomware operations."; "...eventually Black Basta ransomware."
Exploited software
MITRE ATT&CK
Reporting
The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations.
Media Land LLC, a bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016...
Oleg Nefedov, alleged founder of Black Basta and publicly named after the leak of the group’s internal chats...
Researchers examining leaked internal communications from the Black Basta ransomware operation found similarly prolonged bargaining, with initial multimillion-dollar demands eventually ending in substantially lower settlements.
It is the signature opening move of cyber-criminal crews linked to the notorious Black Basta ransomware operation, alongside a rising tide of copycats executing the same play.
According to our analysis, Black Basta members carefully studied victims to launch advanced phishing and malware campaigns, exploit vulnerabilities and intimidate victims into paying via panic-triggering tactics.
Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.
BlackBasta, which had operated as a successor to the notorious Conti ransomware group since February 2022, collapsed in February 2025 after its internal chat logs were leaked online.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.