Black Basta ransomware breakdown

Target Industry

During the first half of 2022, Black Basta targeted a diverse range of private sectors including:

– Construction
– Professional Services
– Fashion
– Materials
– Manufacturing
– Transportation
– Finance
– Retail
– Media.

The diversity of targets suggests that all sectors are likely to be targets in the future.


Severity level: High – Compromise by Black Basta ransomware will almost certainly result in the encryption and theft of sensitive data, which will then be leveraged to extort the victim for financial gain.

First seen in the wild in April 2022, Black Basta is a ransomware gang that operates ransomware of the same name and makes money both through its own intrusions and by selling its product as Ransomware as a Service (RaaS). RaaS allows malicious users with no tooling or infrastructure of their own to attack their chosen targets by renting a Black Basta licence. Little is known about the exact pricing of Black Basta, but most RaaS gangs price licences based on the perceived value of the intended target; other RaaS licences have previously been distributed for as little as $100.

Black Basta is growing in popularity and can often be found on intelligence vendors’ trending pages. The gang mostly targets English-speaking countries such as the UK, the US, Australia, Canada and New Zealand. However, other Western European countries also appear to be high on the targeting profile.

The ransomware is written in C++ and affects both Windows and Linux operating systems. It encrypts systems as fast as possible by encrypting data in segments of 64 and 128 bytes. The aim of fast encryption is to compromise as much data as possible before defences are triggered and the user is alerted.

The main method of initial compromise for Black Basta ransomware is through spear phishing campaigns.


Successful system exploitation via Black Basta will almost certainly result in the compromise of the confidentiality, availability and integrity of sensitive data, exposing the victim to extortion attempts and negative reputational impact.

In a recent ransomware attack against Pendragon, a ransom of $60M (£53M) was demanded, a sum that could soon become the average depending on the perceived net worth of the target victim.

Should the victim decline to pay the ransom, the attacker will highly likely publish the encrypted data onto dark web forums for others to see. This will result in a loss of company reputation and potential legal damages.

Vulnerability Detection

A comprehensive Endpoint Detection and Response (EDR) solution such as Microsoft Defender can provide additional protection against ransomware threats such as Black Basta. EDRs can alert system users of potential breaches and stop further progress before the malware can do significant damage.

If an EDR solution is not being used, the first instance of detection is likely to be the ransom note. The note will be labelled as:
– Readme.txt

Affected Products

– Windows OS
– Linux OS and Linux-based VMware

Containment, Mitigations & Remediations

It is recommended that employees receive training on how to spot the signs of spear phishing emails. Since spear phishing is the main method of initial compromise, in-house training will go a long way towards reducing the effectiveness of future campaigns.

As stated above, a main method of reducing the threat of Black Basta ransomware is to detect it in the early stages through the use of an effective and monitored EDR solution. An effective EDR will increase detection of malicious attempts of ransomware compromise and halt them if detected.

Organisations should also perform routine back-ups of the sensitive data needed to run the business and keep a copy offline in case online back-ups are impacted by the attack. If a breach then occurs and the business can no longer function, a back-up is ready to use and the business can continue to operate with little disruption. However, this does not change the fact that customer and employee data may also have been stolen, and may be released at will by the attacker if demands are not met.

Indicators of Compromise

Black Basta hashes:

Associated Black Basta IPs:

Files created:
– %Temp%\fkdjsadasd.ico
– %Temp%\dlaksjdoiwq.jpg

Processes spawned:
– cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
– cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
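As an added example that is not part of the bulletin, the "Files created" and "Processes spawned" indicators above can be turned into a simple detection pass over endpoint telemetry. The event layout, host names and sample events are constructed for illustration and loosely follow Sysmon process-create and file-create records:

```python
import re
# Constructed sample telemetry, NOT real victim data: one dict per event, loosely
# modelled on Sysmon Event ID 1 (process create) and Event ID 11 (file create).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "cmdline": r"cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws02", "cmdline": r"cmd.exe /c echo hello"},
    {"type": "process", "host": "srv01", "cmdline": r"vssadmin.exe list shadows"},
    {"type": "file", "host": "ws03", "path": r"C:\Users\bob\AppData\Local\Temp\fkdjsadasd.ico"},
    {"type": "file", "host": "ws03", "path": r"C:\Users\bob\Documents\readme.txt"},
    {"type": "process", "host": "ws03",
     "cmdline": r"cmd.exe /c C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
]

# Shadow-copy deletion from the "Processes spawned" list (MITRE T1490). Matches the
# SysNative and System32 variants and tolerates extra whitespace and mixed case.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# File names from the "Files created" list, dropped under %Temp%.
DROPPED_FILES = ("fkdjsadasd.ico", "dlaksjdoiwq.jpg")

def classify_event(event):
    """Return the finding tags raised by one event (empty list if nothing matched)."""
    tags = []
    if event["type"] == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        tags.append("T1490_shadow_copy_deletion")
    elif event["type"] == "file":
        # Compare the bare file name only, so the user-profile part of %Temp% is irrelevant.
        name = event.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            tags.append("black_basta_dropped_file")
    return tags

def detect(events):
    """Scan an event stream and return [(host, tags)] for each event with findings."""
    hits = []
    for ev in events:
        tags = classify_event(ev)
        if tags:
            hits.append((ev["host"], tags))
    return hits

def correlate_by_host(events):
    """Merge findings per host. A host showing both the dropped icon and shadow-copy
    deletion is a far stronger Black Basta signal than either indicator alone."""
    per_host = {}
    for host, tags in detect(events):
        per_host.setdefault(host, set()).update(tags)
    return {host: sorted(tags) for host, tags in per_host.items()}
```

Shadow-copy deletion on its own is also used by legitimate maintenance, so the per-host correlation is what lifts the alert from "investigate" to "probable ransomware".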

Registry key created:

Threat Landscape

Ransomware continues to be one of the prominent threats facing the private sector. The recent attack against automotive retailer Pendragon and the record breaking demand of £53 million suggests the threat is growing as criminal groups are becoming comfortable demanding ever-increasing ransoms.

Open source reporting suggests Black Basta ransomware was the third most-used ransomware in October 2022, up from the previous month. There is a realistic possibility this growth will continue and the ransomware will be seen in more and more attacks.

Previous attacks have predominantly been focused against Western companies; however, there is insufficient evidence to determine the specific motivations behind the Western targeting.

Black Basta ransomware targets map.

Threat Group

Black Basta ransomware gang operates a double extortion technique. This means that not only does the group encrypt the private data of the victim and demand a ransom for the keys, but they also threaten victims with the publishing of the data on their own dark web site. This is likely designed to increase pressure on the victim and increase the chances of payment.

Despite the group’s relatively recent formation, it is highly likely that the group is made up of seasoned cybercriminals who have experience with ransomware extortion tactics, due to their double extortion technique and their fast rise to notoriety.

Mitre Methodologies

T1078 – Valid Accounts
T1566.001 – Phishing: Spear-phishing Attachment
T1059 – Command and Scripting Interpreter
T1047 – Windows Management Instrumentation
T1112 – Modify Registry
T1027 – Obfuscate Files or Information
T1562.001 – Impair Defences: Disable or Modify Tools
T1003 – OS Credential Dumping
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1567 – Exfiltration Over Web Service
T1041 – Exfiltration Over C&C Channel
T1490 – Inhibit System Recovery
T1489 – Service Stop
T1486 – Data Encrypted for Impact

Further Information

Security Scorecard: Black Basta Deep Dive
Avertium: Black Basta Deep Dive
