Skip to content

S1070 Black Basta

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.356142

Item Value
ID S1070
Associated Names
Version 1.0
Created 08 March 2023
Last Modified 01 May 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Black Basta has used PowerShell scripts for discovery and to execute files over the network.9104
enterprise T1059.003 Windows Command Shell Black Basta can use cmd.exe to enable shadow copy deletion.5
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Black Basta can create a new service to establish persistence.61
enterprise T1486 Data Encrypted for Impact Black Basta can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed.67241153108
enterprise T1622 Debugger Evasion The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.8
enterprise T1491 Defacement -
enterprise T1491.001 Internal Defacement Black Basta has set the desktop wallpaper on victims’ machines to display a ransom note.672914538
enterprise T1083 File and Directory Discovery Black Basta can enumerate specific files for encryption.2141153108
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification The Black Basta binary can use chmod to gain full permissions to targeted files.11
enterprise T1562 Impair Defenses -
enterprise T1562.009 Safe Mode Boot Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.62913
enterprise T1490 Inhibit System Recovery Black Basta can delete shadow copies using vssadmin.exe.629145310108
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Black Basta has established persistence by creating a new service named FAX after deleting the legitimate service by the same name.629
enterprise T1036.005 Match Legitimate Name or Location The Black Basta dropper has mimicked an application for creating USB bootable drivers.8
enterprise T1112 Modify Registry Black Basta can modify the Registry to enable itself to run in safe mode and to modify the icons and file extensions for encrypted files.629453
enterprise T1106 Native API Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.6218
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding Black Basta had added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.8
enterprise T1018 Remote System Discovery Black Basta can use LDAP queries to connect to AD and iterate over connected workstations.8
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives.8
enterprise T1082 System Information Discovery Black Basta can enumerate volumes and collect system boot configuration and CPU information.62
enterprise T1007 System Service Discovery Black Basta can check whether the service name FAX is present.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Black Basta has been downloaded and executed from malicious Excel files.910
enterprise T1497 Virtualization/Sandbox Evasion Black Basta can make a random number of calls to the kernel32.beep function to hinder log analysis.8
enterprise T1497.001 System Checks Black Basta can check system flags and libraries, process timing, and API’s to detect code emulation or sandboxing.38
enterprise T1047 Windows Management Instrumentation Black Basta has used WMI to execute files over the network.4