BlackBasta Ransomware
Description
Black Basta (BlackBasta) is a ransomware group that emerged in early 2022. Before encrypting files in the victim's environment, the group exfiltrates information. It then demands a ransom to decrypt the affected files, threatening to release the exfiltrated data if the ransom is not paid. The group has its own Tor site (Basta News) where it publishes stolen information from victims. It has affected organizations across multiple industries in multiple countries.
Aliases
- BlackBasta
Targeted Industries
- Agriculture
- Business Services
- Construction
- Consumer Services
- Education
- Energy, Utilities & Waste
- Finance
- Government
- Healthcare Services
- Holding Companies & Conglomerates
- Hospitality
- Hospitals & Physicians Clinics
- Insurance
- Law Firms & Legal Services
- Manufacturing
- Media & Internet
- Minerals & Mining
- Membership Organizations
- Real Estate
- Retail
- Software
- Telecommunications
- Transportation
Objectives
Financial Gain
Known Tools Used
- chmod
- Cobalt Strike
- PowerShell
- PsExec
- Qakbot
- Windows Command Shell
- WMI
Known Infection Vectors
- Phishing
References
Ransomware Roundup: BlackBasta (Fortinet)
https://www.fortinet.com/jp/blog/threat-research/ransomware-roundup-black-basta
New Ransomware "BlackBasta" in the Wild (Fortinet)
https://www.fortiguard.com/threat-signal-report/4518/new-ransomware-black-basta-in-the-wild
BlackBasta (MITRE)
https://attack.mitre.org/software/S1070/