S1070 Black Basta
Black Basta is ransomware written in C++ that has been offered under the ransomware-as-a-service (RaaS) model since at least April 2022; variants exist that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique: in addition to demanding a ransom to decrypt the targeted organization's files, the actors threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess that the Black Basta RaaS operators could include current or former members of the Conti group.[3][5][6][1][4][2]
| Item | Value |
|---|---|
| ID | S1070 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 08 March 2023 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Black Basta has used PowerShell scripts for discovery and to execute files over the network.[8][9][4] |
| enterprise | T1059.003 | Windows Command Shell | Black Basta can use cmd.exe to enable shadow copy deletion.[5] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Black Basta can create a new service to establish persistence.[6][1] |
| enterprise | T1486 | Data Encrypted for Impact | Black Basta can encrypt files with the ChaCha20 cipher, using a multithreaded process to increase speed.[6][10][2][4][11][5][3][9][7] Black Basta has also encrypted files while the victim system is in safe mode, appending .basta to each file upon completion.[8] |
| enterprise | T1622 | Debugger Evasion | The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine whether a debugger is present.[7] |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | Black Basta has set the desktop wallpaper on victims' machines to display a ransom note.[6][10][2][8][1][4][5][3][7] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.002 | Mutual Exclusion | Black Basta checks for the presence of the hard-coded mutex dsajdhas.0 before executing.[5] |
| enterprise | T1083 | File and Directory Discovery | Black Basta can enumerate specific files for encryption.[2][1][4][11][5][3][9][7] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | The Black Basta Linux/ESXi binary can use chmod to gain full permissions to targeted files.[11] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.009 | Safe Mode Boot | Black Basta can reboot victim machines into safe mode with networking via bcdedit /set safeboot network.[6][2][8][1][3] |
| enterprise | T1490 | Inhibit System Recovery | Black Basta can delete shadow copies using vssadmin.exe.[6][2][8][1][4][5][3][9][7] |
| enterprise | T1680 | Local Storage Discovery | Black Basta can enumerate volumes.[6][2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Black Basta has established persistence by creating a new service named FAX after deleting the legitimate service of the same name.[6][2][8] |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | The Black Basta dropper has mimicked an application for creating bootable USB drives.[7] |
| enterprise | T1112 | Modify Registry | Black Basta has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence.[6][2][8][4][5][3] |
| enterprise | T1106 | Native API | Black Basta has the ability to use native APIs for numerous functions, including discovery and defense evasion.[6][2][1][7][8] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | Black Basta has added data before the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.[7] |
| enterprise | T1018 | Remote System Discovery | Black Basta can use LDAP queries to connect to Active Directory and iterate over connected workstations.[7] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.[7] |
| enterprise | T1082 | System Information Discovery | Black Basta can collect system boot configuration and CPU information.[6][2] |
| enterprise | T1007 | System Service Discovery | Black Basta can check whether the service name FAX is present.[2] |
| enterprise | T1529 | System Shutdown/Reboot | Black Basta has used ShellExecuteA to shut down and restart the victim system.[8] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Black Basta has been downloaded and executed from malicious Excel files.[8][9] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Black Basta can make a random number of calls to the kernel32 Beep function to hinder log analysis.[7] |
| enterprise | T1497.001 | System Checks | Black Basta can check system flags and libraries, process timing, and APIs to detect code emulation or sandboxing.[3][7] |
| enterprise | T1047 | Windows Management Instrumentation | Black Basta has used WMI to execute files over the network.[4] |
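Several rows in the table above (T1059.003, T1562.009, T1490, T1543.003 and T1036.004) describe discrete process-creation events that a SIEM can pattern-match on the command line, and seeing two or more of them on one host in quick succession is a far stronger signal than any one alone, since a lone `vssadmin delete shadows` can be backup housekeeping. The following detection logic is an added example written for this page; it is not code from ATT&CK, from the cited reports, or from the malware. The `ProcEvent` record is a constructed, simplified process-creation schema (host, image, command line, parent), not any vendor's log format; the `bcdedit` and `vssadmin` patterns come from the table rows, while the `sc create`/`sc delete` syntax is the conventional way to do what the T1036.004 row describes and is an assumption, since the page does not quote the exact command. The sample events are constructed, not real telemetry.

```python
"""Detection logic for Black Basta pre-encryption command patterns.

Added example for this page; not code from ATT&CK, the cited reports, or
the malware.  ProcEvent is a constructed, simplified process-creation
record, not a vendor log schema.  The `sc create`/`sc delete` syntax is an
assumption (the conventional form of what the T1036.004 row describes).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str       # path of the created process
    cmdline: str     # full command line
    parent: str      # path of the parent process


# (technique id, description, pattern applied to the lower-cased command line)
RULES = [
    ("T1562.009", "reboot into safe mode with networking via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b.*\b(network|minimal)\b")),
    ("T1490", "volume shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1543.003", "new service created via sc",
     re.compile(r"\bsc(\.exe)?\s+create\s+")),
    ("T1036.004", "legitimate FAX service deleted or replaced",
     re.compile(r'\bsc(\.exe)?\s+(create|delete)\s+"?fax"?\b')),
]


def match_rules(ev: ProcEvent) -> List[str]:
    """Technique IDs whose pattern matches this event's command line."""
    cl = ev.cmdline.lower()
    return [tid for tid, _, rx in RULES if rx.search(cl)]


def detect(events: List[ProcEvent]) -> List[dict]:
    """One hit per (event, matching rule), carrying the context an analyst needs."""
    hits = []
    for ev in events:
        for tid in match_rules(ev):
            desc = next(d for t, d, _ in RULES if t == tid)
            hits.append({"host": ev.host, "technique": tid, "description": desc,
                         "cmdline": ev.cmdline, "parent": ev.parent})
    return hits


def techniques_by_host(events: List[ProcEvent]) -> Dict[str, Set[str]]:
    """Distinct techniques observed per host."""
    out: Dict[str, Set[str]] = {}
    for h in detect(events):
        out.setdefault(h["host"], set()).add(h["technique"])
    return out


def score_hosts(events: List[ProcEvent]) -> Dict[str, str]:
    """Correlation step: two or more distinct pre-encryption techniques on one
    host looks like ransomware staging; a single hit is left at low severity."""
    return {host: ("high" if len(t) >= 2 else "low")
            for host, t in techniques_by_host(events).items()}


# Constructed sample telemetry (not real logs).  WS01 shows the staging
# sequence from the table; BK02 shows an administrator pruning old shadows.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"',
              r"C:\Users\Public\bb.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\sc.exe", "sc delete FAX",
              r"C:\Users\Public\bb.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\sc.exe",
              r'sc create FAX binPath= "C:\Users\Public\bb.exe" start= auto',
              r"C:\Users\Public\bb.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set safeboot network",
              r"C:\Users\Public\bb.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum",   # benign
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("BK02", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("BK02", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",  # benign
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["technique"]} ({hit["description"]}): {hit["cmdline"]}')
    print(score_hosts(SAMPLE_EVENTS))
```

The parent image is kept in each hit on purpose: the same `vssadmin delete shadows` spawned from an unsigned binary under a user-writable path (as in the WS01 events) deserves a different response from one spawned from an administrator's console, and the scoring step above only looks at technique diversity, so the parent is where an analyst would refine it next.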
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1046 | Storm-1811 | Storm-1811 is associated with the deployment of Black Basta ransomware.[12][13] |
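The T1027.001 row in the techniques table states that the dropper places extra data in front of the PE header so that scanners expecting a PE image at offset 0 miss the payload. A triage script recovers the real header by scanning for every MZ stub and following its e_lfanew field to a PE\0\0 signature; only the stub that chains correctly is the image, and decoy MZ pairs in the padding are rejected. This is an added example for this page, not code from the page's references or from any analysis tool; the header offsets used are the standard PE layout, and the sample buffers are constructed here (a minimal, non-executable DOS/NT header), not a real dropper.

```python
"""Triage helper: find a PE image hidden behind leading padding (T1027.001).

Added example for this page; not code from ATT&CK or the cited reports.
The header offsets used (e_lfanew at 0x3C, 'PE\\0\\0' signature at
e_lfanew) are the standard PE layout.  Sample buffers are constructed below.
"""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 0x40        # e_lfanew is the last field of the DOS header


def find_pe_candidates(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew field points at a 'PE\\0\\0'
    signature inside the buffer.

    A clean file returns [0]; a file with junk prepended returns the offset
    where the real header begins; stray 'MZ' byte pairs inside the junk are
    rejected because their e_lfanew does not chain to a PE signature.
    """
    hits = []
    pos = data.find(DOS_MAGIC)
    while pos != -1:
        if pos + DOS_HEADER_SIZE <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (pe_off + len(PE_SIGNATURE) <= len(data)
                    and data[pe_off:pe_off + len(PE_SIGNATURE)] == PE_SIGNATURE):
                hits.append(pos)
        pos = data.find(DOS_MAGIC, pos + 1)
    return hits


def leading_padding_bytes(data: bytes):
    """Bytes of junk before the first verifiable PE header, or None when no
    PE header chains correctly anywhere in the buffer."""
    cands = find_pe_candidates(data)
    return cands[0] if cands else None


def carve_pe(data: bytes) -> bytes:
    """Return the buffer from the first verifiable PE header onward, so that a
    scanner which expects 'MZ' at offset 0 sees the real image."""
    off = leading_padding_bytes(data)
    if off is None:
        raise ValueError("no PE header found")
    return data[off:]


def build_fake_pe(padding: bytes = b"") -> bytes:
    """Constructed test input (not a real sample): a minimal DOS header whose
    e_lfanew points at a PE signature 0x80 bytes in, optionally prefixed with
    padding.  It is not a loadable executable."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> NT headers
    stub = b"\0" * (0x80 - DOS_HEADER_SIZE)           # empty DOS stub
    nt = PE_SIGNATURE + struct.pack("<H", 0x014C)     # Machine = IMAGE_FILE_MACHINE_I386
    return padding + bytes(dos) + stub + nt


if __name__ == "__main__":
    junk = b"MZ" * 3 + b"\xAA" * 500      # padding seeded with decoy 'MZ' pairs
    for label, blob in (("clean", build_fake_pe()), ("padded", build_fake_pe(junk))):
        print(f"{label}: size={len(blob)} padding={leading_padding_bytes(blob)} "
              f"candidates={find_pe_candidates(blob)}")
```

Two caveats for real triage: a padded file is usually also inflated far beyond the size limits of many scanners, so the carved output, not the original, is what should be submitted for scanning and hashing; and chaining e_lfanew to a signature is a structural check only, so the carved bytes still need a full PE parse before anything is trusted.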
References
1. Avertium. (2022, June 1). An In-Depth Look at Black Basta Ransomware. Retrieved March 7, 2023.
2. Cyble. (2022, May 6). New Ransomware Variant Targeting High-Value Organizations. Retrieved November 17, 2024.
3. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
4. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
5. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
6. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
7. Check Point. (2022, October 20). Black Basta and the Unnoticed Delivery. Retrieved March 8, 2023.
8. Gonzalez, I., Chavez, I., et al. (2022, May 9). Examining the Black Basta Ransomware's Infection Routine. Retrieved March 7, 2023.
9. Trend Micro. (2022, September 1). Ransomware Spotlight: Black Basta. Retrieved March 8, 2023.
10. Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New? Retrieved March 7, 2023.
11. Sharma, S. and Hegde, N. (2022, June 7). Black Basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.
12. Microsoft Threat Intelligence. (2024, May 15). Threat Actors Misusing Quick Assist in Social Engineering Attacks Leading to Ransomware. Retrieved March 14, 2025.
13. McGraw, T., Elkins, T., and McCann, E. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.