Huseyin Can YUCEEL

LAST UPDATED ON OCTOBER 17, 2025

Black Basta Ransomware Gang

By Huseyin Can YUCEEL & Picus Labs   August 22, 2022   Ransomware

Black Basta is a relatively new entrant to the Ransomware-as-a-Service market, yet it has already claimed close to 50 victims across multiple sectors. The operation partners with the QakBot (also known as Qbot) ecosystem to deliver payloads and establish footholds, which gives affiliates a steady stream of compromised endpoints and credentials. Black Basta maintains variants that target Windows, Linux, and VMware ESXi hosts, enabling impact across mixed enterprise environments and virtualized infrastructure. The group follows a double extortion model, exfiltrating sensitive data before encryption to increase leverage during negotiations. Notably, a series of attacks against dental associations in the United States resulted in the theft and encryption of personally identifiable information belonging to members of the American Dental Association and the New York, Virginia, and Florida State Dental Associations.

Affiliates typically gain initial access through QakBot-enabled phishing campaigns, exploitation of internet-facing services, or valid accounts purchased from initial access brokers. Once inside, operators conduct discovery, escalate privileges (including via the Windows Print Spooler vulnerability CVE-2021-34527 listed below), and move laterally using living-off-the-land techniques and common administrative tools. Backups and shadow copies are removed with built-in utilities such as vssadmin and bcdedit, security agents are disabled where possible, and sensitive files are staged for exfiltration to cloud storage before the ransomware is deployed. Leak sites are used to pressure victims by previewing stolen data. Organizations can reduce risk by enforcing multifactor authentication for remote and privileged access, patching exposed services and hypervisors, segmenting critical systems, maintaining tested offline backups, and monitoring for suspicious data movement, shadow-copy deletion, and mass encryption behavior. Continuous validation of detection and response controls helps confirm readiness to detect and contain Black Basta activity before it reaches the data theft and encryption stages.

Metadata

Associated Groups: -
Associated Country: Russia
First Seen: April 2022
Target Sectors: Automotive, Construction, Cosmetics, Energy, Healthcare, Heating, Manufacturing, Pharmaceuticals, Plumbing, Telecommunication, Transportation, Textile
Target Countries: United States, Australia, Canada, India, New Zealand, Singapore, United Arab Emirates, United Kingdom

Modus Operandi

Business Models: Ransomware-as-a-Service (RaaS), Double Extortion
Extortion Tactics: File Encryption, Data Leakage
Initial Access Methods: Exploit Public-Facing Application, Phishing, External Remote Services
Impact Methods: Data Encryption, Data Exfiltration

Exploited Applications and Vulnerabilities by Black Basta

Application              Vulnerability                             CVE              CVSS
Windows Print Spooler    Remote Code Execution (PrintNightmare)    CVE-2021-34527   8.8 High

Utilized Tools and Malware by Black Basta

MITRE ATT&CK Tactic     Tools
Initial Access          QakBot [1]
Execution               Cobalt Strike [2]
Persistence             Cobeacon Backdoor [3]
Privilege Escalation    Mimikatz [4], [8]
Defense Evasion         Coroxy [5], bcdedit [6]
Discovery               Cobalt Strike [2]
Lateral Movement        netcat [7]
Exfiltration            Mega, Google Drive
Impact                  vssadmin [6], Black Basta Ransomware [9]
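The tools table above lists vssadmin and bcdedit, and the TTP summary earlier on this page notes that backups and shadow copies are removed before the ransomware is deployed. The following is an added detection example written for this page, not code from Picus or from any Black Basta sample: it parses constructed process-creation events (Sysmon Event ID 1 fields flattened to key=value lines, invented here) and flags the generic MITRE ATT&CK T1490 Inhibit System Recovery command lines, then correlates them per host so that a single benign vssadmin call does not page anyone but a burst of distinct recovery-inhibiting commands from the same host does. The exact command lines matched are an assumption drawn from the technique in general; the page does not publish Black Basta's own command lines.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). WS01 shows the pre-encryption
# pattern; SRV02 is a backup service doing legitimate shadow-copy work.
SAMPLE_EVENTS = [
    "2022-08-22T10:14:02Z host=WS01 user=CORP\\jdoe parent=explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline=\"cmd.exe /c whoami\"",
    "2022-08-22T10:14:30Z host=WS01 user=CORP\\jdoe parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline=\"vssadmin.exe delete shadows /all /quiet\"",
    "2022-08-22T10:14:31Z host=WS01 user=CORP\\jdoe parent=cmd.exe image=C:\\Windows\\System32\\bcdedit.exe cmdline=\"bcdedit /set {default} recoveryenabled no\"",
    "2022-08-22T10:14:32Z host=WS01 user=CORP\\jdoe parent=cmd.exe image=C:\\Windows\\System32\\bcdedit.exe cmdline=\"bcdedit /set {default} bootstatuspolicy ignoreallfailures\"",
    "2022-08-22T11:00:00Z host=SRV02 user=CORP\\backupsvc parent=services.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline=\"vssadmin.exe list shadows\"",
    "2022-08-22T11:05:00Z host=SRV02 user=CORP\\backupsvc parent=services.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline=\"vssadmin.exe create shadow /for=C:\"",
]

# Generic T1490 command-line patterns (assumed from the technique, not taken
# from a Black Basta sample). "list" and "create" deliberately do not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_boot_failures", re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    parent: str
    cmdline: str
    rule: str


def parse_event(line):
    """Parse one flattened event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(events):
    """Return one Alert per event whose command line matches a T1490 rule."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["parent"], ev["cmdline"], name))
                break  # first matching rule wins; one alert per event
    return alerts


def recovery_inhibit_bursts(alerts, window=timedelta(minutes=2), min_rules=2):
    """Map host -> sorted rule names for hosts where at least `min_rules`
    distinct T1490 rules fired within `window`. One vssadmin call can be admin
    work; several different recovery-inhibiting commands within minutes is the
    pre-encryption pattern that warrants immediate containment."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    bursts = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a.ts)
        for i, first in enumerate(items):
            rules = {a.rule for a in items[i:] if a.ts - first.ts <= window}
            if len(rules) >= min_rules:
                bursts[host] = sorted(rules)
                break
    return bursts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts:%H:%M:%S} {a.host} {a.user} parent={a.parent} -> {a.rule}: {a.cmdline}")
    print("hosts with recovery-inhibit bursts:", recovery_inhibit_bursts(found))
```

Run against the sample, the three WS01 commands alert and the host is reported as a burst, while the SRV02 backup service's "list" and "create" calls stay silent. In production the same two-stage structure (per-event rule, then per-host correlation over a short window) is what keeps the rule actionable: pair it with the parent-process field so that vssadmin or bcdedit spawned from cmd.exe, PowerShell, or an Office application under an interactive user is weighted higher than the same binary launched by a backup service.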

  • [1] Fraunhofer FKIE, "QakBot (Malware Family)," Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot (accessed Jul. 07, 2022).

  • [2] K. Arhart, "Cobalt Strike," Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [3] Trend Micro, "Backdoor.Win32.COBEACON.A," Threat Encyclopedia. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.cobeacon.a (accessed Jul. 07, 2022).

  • [4] B. Delpy, "GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security," GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

  • [5] Trend Micro, "Trojan.Win32.COROXY.A," Threat Encyclopedia. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.coroxy.a/ (accessed Jul. 07, 2022).

  • [6] H. C. Yüceel, "MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware's Favorite," Picus Security. https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).

  • [7] G. Giacobbi, "The GNU Netcat -- Official homepage." http://netcat.sourceforge.net (accessed Jul. 07, 2022).

  • [8] S. Özarslan, "MITRE ATT&CK T1003 Credential Dumping," Picus Security. https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (accessed Jul. 05, 2022).

  • [9] Fraunhofer FKIE, "Black Basta (Malware Family)," Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta (accessed Jul. 07, 2022).
