Black Basta Ransomware

The Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022.

In a joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the agencies said the threat actors encrypted and stole data from at least 12 out of 16 critical infrastructure sectors.

“Black Basta affiliates use common initial access techniques — such as phishing and exploiting known vulnerabilities — and then employ a double-extortion model, both encrypting systems and exfiltrating data,” the bulletin read.

Unlike those of other ransomware groups, the ransom notes dropped at the end of the attack do not contain an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the gang via a .onion URL.

Black Basta was first observed in the wild in April 2022 using QakBot as an initial vector, and has remained a highly active ransomware actor since then.

Statistics collected by Malwarebytes show that the group has been linked to 28 of the 373 confirmed ransomware attacks that took place in April 2024. According to Kaspersky, it was the 12th most active family in 2023. Black Basta has also witnessed an increase in activity in Q1 2024, spiking 41% quarter-over-quarter.


There is evidence to suggest that the Black Basta operators have ties to another cybercrime group tracked as FIN7, which has shifted to conducting ransomware attacks since 2020.

Attack chains involving the ransomware have relied on tools such as the SoftPerfect network scanner for network discovery; BITSAdmin, Cobalt Strike beacons, ConnectWise ScreenConnect, and PsExec for lateral movement; Mimikatz for privilege escalation; and RClone for data exfiltration prior to encryption.

Other methods used to obtain elevated privileges include the exploitation of security flaws like ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare (CVE-2021-34527).

Select instances have also entailed the deployment of a tool called Backstab to disable endpoint detection and response (EDR) software. It’s worth noting that Backstab has also been employed by LockBit affiliates in the past.

The final step entails the encryption of files using the ChaCha20 algorithm in combination with an RSA-4096 public key, but not before deleting volume shadow copies via the vssadmin.exe utility to inhibit system recovery.
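The shadow-copy deletion step described above is one of the few moments in this chain where a host-level alert can fire before encryption starts. The following is an added detection example, not code from the advisory or from any of the vendors cited in this article: it scans Windows process-creation events for vssadmin invocations that delete shadow copies, with an allow-list for service accounts that legitimately prune shadow copies. The key="value" log format, the hostnames, the user names, and the allow-listed account are all constructed for the example.

```python
"""Flag volume shadow copy deletion via vssadmin in process-creation telemetry.

Added example for illustration; the log format and all sample lines are
constructed, not taken from the advisory or from a real environment.
"""
import re
from dataclasses import dataclass

# Match "vssadmin[.exe] ... delete ... shadows" regardless of case, spacing,
# or extra switches such as /all and /quiet. Not anchored, so a wrapper
# like "cmd.exe /c vssadmin ..." is still caught.
SHADOW_DELETE_PATTERN = re.compile(
    r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)

# Hypothetical backup service account that is allowed to prune shadow copies.
DEFAULT_ALLOWED_USERS = frozenset({r"CORP\backupsvc"})


@dataclass
class Alert:
    host: str
    user: str
    command_line: str
    reason: str


def parse_event(line):
    """Parse a constructed key="value" process-creation line into a dict."""
    return {key: value for key, value in re.findall(r'(\w+)="([^"]*)"', line)}


def detect_shadow_copy_deletion(lines, allowed_users=DEFAULT_ALLOWED_USERS):
    """Return one Alert per event whose command line deletes shadow copies.

    Events run by an allow-listed account are suppressed so that scheduled
    backup jobs do not page the on-call analyst; everything else is reported.
    """
    allowed = {u.lower() for u in allowed_users}
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("cmd", "")
        if not SHADOW_DELETE_PATTERN.search(cmd):
            continue
        user = event.get("user", "?")
        if user.lower() in allowed:
            continue
        alerts.append(
            Alert(
                host=event.get("host", "?"),
                user=user,
                command_line=cmd,
                reason="volume shadow copy deletion via vssadmin",
            )
        )
    return alerts


# Constructed sample telemetry: two suspicious deletions (WS01, SRV01), one
# benign listing, one unrelated process, and one allow-listed backup job.
SAMPLE_LOG = [
    r'host="WS01" user="CORP\jdoe" image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe delete shadows /all /quiet"',
    r'host="WS02" user="CORP\backupsvc" image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe list shadows"',
    r'host="WS03" user="CORP\asmith" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe C:\Users\asmith\notes.txt"',
    r'host="SRV01" user="NT AUTHORITY\SYSTEM" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c VSSADMIN Delete Shadows /All /Quiet"',
    r'host="SRV02" user="CORP\backupsvc" image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe delete shadows /for=C: /oldest"',
]


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"[{alert.host}] {alert.user}: {alert.command_line} ({alert.reason})")
```

Run as-is the script reports the WS01 and SRV01 events and suppresses the SRV02 backup job; passing an empty `allowed_users` set reports all three deletions. In a real deployment the same pattern would be applied to Sysmon Event ID 1 or Windows Security Event ID 4688 command lines, and the allow-list should be as short as the backup tooling actually requires.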

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the agencies said.

The development comes as a CACTUS ransomware campaign has continued to exploit security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain initial access to target environments.

A new analysis by NCC Group’s Fox-IT team has revealed that 3,143 servers were still vulnerable to CVE-2023-48365 (aka DoubleQlik) as of April 17, 2024, with a majority of them located in the U.S., Italy, Brazil, the Netherlands, and Germany.

The ransomware landscape is in a state of flux, registering an 18% decline in activity in Q1 2024 compared to the previous quarter, primarily led by law enforcement operations against ALPHV (aka BlackCat) and LockBit.

With LockBit suffering from significant reputational setbacks among affiliates, it’s suspected that the group will most likely attempt to rebrand. “The DarkVault ransomware group is a possible successor group to LockBit,” cybersecurity firm ReliaQuest said, citing similarities with LockBit’s branding.


Some of the other new ransomware groups that made their appearance in recent weeks comprise APT73, DoNex, DragonForce, Hunt (a Dharma/Crysis ransomware variant), KageNoHitobito, Megazord, Qiulong, Rincrypt, and Shinra.

The “diversification” of ransomware strains and “the ability to quickly adapt and rebrand in the face of adversity speaks to the resilient dynamic nature of threat actors in the ransomware ecosystem,” blockchain analytics firm Chainalysis said, highlighting a 46% decrease in ransom payments in 2023.

This is corroborated by findings from Veeam-owned Coveware, which said the proportion of victims that chose to pay touched a new record low of 28% in Q1 2024. The average ransom payment for the time period stood at $381,980, a 32% drop from Q4 2023.

The downturn has been further accompanied by victims increasingly refusing to pay the initial amount demanded, per a global survey of 5,000 organizations carried out as part of the Sophos State of Ransomware 2024 report released last month.

“1,097 respondents whose organization paid the ransom shared the actual sum paid, revealing that the average (median) payment has increased 5-fold over the last year, from $400,000 to $2 million,” the company said.

“While the ransom payment rate has increased, only 24% of respondents say that their payment matched the original request. 44% paid less than the original demand, while 31% paid more.”
