Skip to content
Ransomware group LinuxWindows

Black Basta

Black Basta is a ransomware family and ransomware-as-a-service operation that emerged in 2022 and rapidly became a major extortion threat to enterprises and critical infrastructure organizations worldwide.

Profile source: Mallory opens in a new tab

Black Basta

Family profile

Black Basta is a ransomware family and ransomware-as-a-service operation that emerged in 2022 and rapidly became a major extortion threat to enterprises and critical infrastructure organizations worldwide. It has been associated with large-scale victimization across multiple industries, including sectors with low tolerance for downtime, and has targeted organizations in numerous U.S. critical infrastructure sectors. The operation is widely assessed as part of the post-Conti Russian-speaking ransomware ecosystem, with reporting and leaked internal communications indicating overlap in personnel, tradecraft, and tooling with other major criminal groups.

Black Basta intrusions commonly combine data theft and file encryption as part of a double-extortion model. Operators are known to conduct deliberate victim profiling before deployment, evaluating factors such as revenue, operational dependence, cyber insurance, and the sensitivity of stolen information in order to tailor ransom demands and negotiation strategy. The group has also been linked to pressure tactics beyond encryption and exfiltration, including harassment and operational disruption intended to increase the likelihood of payment.

Initial access associated with Black Basta has included phishing and malware delivery through malicious Office documents, exploitation of vulnerabilities, use of exposed remote access services, and purchases from initial access brokers. More recent activity linked to Black Basta and closely aligned clusters has prominently used social engineering: victims are first overwhelmed with spam or subscription emails, then contacted through Microsoft Teams or by phone by attackers impersonating IT support, who persuade them to launch remote assistance tools such as Quick Assist. Once access is obtained, operators deploy additional tooling, establish persistence, harvest credentials, perform reconnaissance, and move laterally before attempting ransomware execution.

On Windows systems, Black Basta has been observed creating new services for persistence and modifying the Registry, including changes that support execution in Safe Mode and alter the appearance of encrypted files. Reporting also links Black Basta-associated activity to credential theft, keylogging, network scanning, and lateral movement in pre-ransomware phases. The group has used a broad ecosystem of loaders, backdoors, and post-exploitation tooling, and leaked chats indicate reliance on outsourced specialists and rented malware services as part of a mature criminal operating model.

Black Basta has also operated Linux encryptors, reflecting the broader ransomware trend toward targeting virtualized and server environments in addition to Windows endpoints. Public reporting describes the group as a highly organized extortion enterprise with structured internal roles, negotiation processes, and affiliate-style operations. By 2025, leaks of internal chats exposed extensive details about its targeting, negotiations, internal disputes, and possible rebranding or migration of members to other ransomware operations such as Cactus.

Capabilities

  • Brute Force
  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Initial Access
  • Keylogging
  • Lateral Movement
  • Persistence
  • Reconnaissance
  • Scanning

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Defense Evasion

  • Backstab (Process Explorer driver)

Discovery Enum

  • AdFind
  • Bloodhound
  • PSNmap
  • PowerView
  • SoftPerfect NetScan

Exfiltration

  • Qaz[.]im
  • RClone

LOLBAS

  • BITSAdmin
  • PsExec
  • Quick Assist

Offsec

  • Brute Ratel C4
  • Cobalt Strike
  • Metasploit
  • PowerSploit

RMM Tools

  • AnyDesk
  • Atera
  • NetSupport
  • ScreenConnect
  • Splashtop
  • Supremo

Reported operators

Threat actors

15 named in public reporting
Storm-1811

It is the signature opening move of cyber-criminal crews linked to the notorious Black Basta ransomware operation, alongside a rising tide of copycats executing the same play.

FIN7

Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022.

Conti

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

Black Basta

This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.

DEV-0506

For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly.

Tramp

Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.

Payouts King

BlackBasta was one of the most active ransomware groups since it launched in February 2022 as a successor to the notorious Conti ransomware gang.

Storm-1175

In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.

Storm-0506

Ransomware groups—including BlackCat/ALPHV, Black Basta, RansomHub, and Dark Angels—are increasingly targeting VMware ESXi...

Scattered Spider

"In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments."

Indrik Spider

"In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments."

TA505

"Black Basta ransomware emerged in April 2022..."

Cardinal

“A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself… the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”

STAC5777

Early tactics in the attack align with those of “Storm-1811” (aka “STAC5777”), a threat group known to deploy “Black Basta” ransomware.

Blitz Brigantine

"...a financially motivated cluster Microsoft has linked to Black Basta ransomware operations."; "...eventually Black Basta ransomware."

Exploited software

Vulnerabilities linked to Black Basta

17 CVEs

MITRE ATT&CK

Black Basta in ATT&CK

60 distinct techniques

Techniques

60 techniques
T1082 System Information Discovery T1112 Modify Registry T1083 File and Directory Discovery T1059.001 PowerShell T1486 Data Encrypted for Impact T1059.006 Python T1543.003 Windows Service T1204.002 Malicious File T1598.004 Spearphishing Voice T1547.001 Registry Run Keys / Startup Folder T1133 External Remote Services T1562.001 Disable or Modify Tools T1041 Exfiltration Over C2 Channel T1490 Inhibit System Recovery T1566 Phishing T1021 Remote Services T1036 Masquerading T1656 Impersonation T1059.003 Windows Command Shell T1562.009 Safe Mode Boot T1036.003 Rename Legitimate Utilities T1047 Windows Management Instrumentation T1021.003 Distributed Component Object Model T1204 User Execution T1018 Remote System Discovery T1484.001 Group Policy Modification T1482 Domain Trust Discovery T1566.001 Spearphishing Attachment T1491.001 Internal Defacement T1190 Exploit Public-Facing Application T1070.004 File Deletion T1105 Ingress Tool Transfer T1553.002 Code Signing T1074 Data Staged T1529 System Shutdown/Reboot T1567 Exfiltration Over Web Service T1072 Software Deployment Tools T1057 Process Discovery T1120 Peripheral Device Discovery T1007 System Service Discovery T1068 Exploitation for Privilege Escalation T1485 Data Destruction T1491 Defacement T1562 Impair Defenses T1537 Transfer Data to Cloud Account T1078 Valid Accounts T1497 Virtualization/Sandbox Evasion T1106 Native API T1622 Debugger Evasion T1497.001 System Checks T1027.001 Binary Padding T1036.005 Match Legitimate Resource Name or Location T1480.002 Mutual Exclusion T1036.004 Masquerade Task or Service T1222.002 Linux and Mac File and Directory Permissions Modification T1680 Local Storage Discovery T1569.002 System Services: Service Execution T1098 Account Manipulation T1136 Create Account T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

Reporting

Research mentioning Black Basta

Jul 17
The Hacker News

GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

The findings make CylindricalCanine the latest addition to a list of threat actors, such as Black Basta, TamperedChef (aka EvilAI), and Rhysida, that are known to abuse code-signing certificates in their cyber operations.

Jul 14
Chainalysis

“Stern” Ransomware Operator Sanctioned by EU

Media Land LLC, a bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016...

Jul 13
Flareio

Arrest and Sentencing Disparities Across Russian-Speaking Threat Actors - Flare | Identity First Threat Intelligence | Unmatched Visibility into Cybercrime

Oleg Nefedov, alleged founder of Black Basta and publicly named after the leak of the group’s internal chats...

Jul 5
Cysecurity News

Report Details Alleged $1 Million Payment to Kairos After Data Theft - CySecurity News - Latest Information Security and Hacking Incidents

Researchers examining leaked internal communications from the Black Basta ransomware operation found similarly prolonged bargaining, with initial multimillion-dollar demands eventually ending in substantially lower settlements.

Jul 2
Osint Team

First Your Inbox Floods. Then ‘IT’ Messages You on Teams. | by Pop123 | Jul, 2026 | OSINT Team

It is the signature opening move of cyber-criminal crews linked to the notorious Black Basta ransomware operation, alongside a rising tide of copycats executing the same play.

Jun 30
Cyberscoop

How ransomware syndicates weaponize corporate-style organization | CyberScoop

According to our analysis, Black Basta members carefully studied victims to launch advanced phishing and malware campaigns, exploit vulnerabilities and intimidate victims into paying via panic-triggering tactics.

Jun 12
Cyberscoop

Conti ransomware group member pleads guilty, faces up to 20 years in prison | CyberScoop

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

Jun 4
Cyber Security News

Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls

BlackBasta, which had operated as a successor to the notorious Conti ransomware group since February 2022, collapsed in February 2025 after its internal chat logs were leaked online.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.