{
	"id": "9e6e73ec-874a-41c8-8408-be45428674fe",
	"created_at": "2026-04-06T00:13:49.238064Z",
	"updated_at": "2026-04-10T03:21:14.120393Z",
	"deleted_at": null,
	"sha1_hash": "29386e8af2bb845a1ae10bb2ec76ef5b587f302d",
	"title": "Ransomware Spotlight: Black Basta",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579346,
	"plain_text": "Ransomware Spotlight: Black Basta\r\nArchived: 2026-04-05 14:36:08 UTC\r\nTop affected countries and industries according to Trend Micro data\r\nIn this section, we discuss Trend Micro™ Smart Protection Network™ data on Black Basta’s activity from April 1 to July\r\n31, 2022, which refers to detections of the ransomware’s attempts to compromise organizations.\r\nJust two countries accounted for over half of the group’s 44 ransomware attack attempts during this period, which were\r\nconcentrated in the US at 43%, with Austria a distant second at 15%. As Black Basta has sought to purchase network access\r\ncredentials for organizations located specifically in the US, among other countries, this may explain the higher number of\r\nattacks against US-based businesses.\r\nFigure 1. The countries with the most Black Basta ransomware attack attempts in terms of infected machines from April 1 to\r\nJuly 31, 2022\r\nSource: Trend Micro™ Smart Protection Network™\r\nAs of this writing, our detections show that Black Basta activity is spread across many different industries. The group has\r\nbeen observed targeting businesses involved in technology, insurance, manufacturing, and utilities.\r\nAlthough Black Basta is a relatively new arrival to the ransomware scene, its detections have been on a steady climb since\r\nthe ransomware gang surfaced in April, peaking at 22 attack attempts in June before tapering down to 11 the following\r\nmonth.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta\r\nPage 1 of 9\n\nFigure 2. 
The numbers of detections of Black Basta ransomware attack attempts in terms of infected machines in each\r\nmonth from April 1 to July 31, 2022\r\nSource: Trend Micro Smart Protection Network\r\nTargeted regions and industries according to Black Basta’s leak site\r\nIn this section, we look into the attacks recorded on the Black Basta group’s leak site, which represent successfully\r\ncompromised organizations that, as of this writing, have refused to pay ransom. Our detections, which pertain to Trend\r\nMicro customers, captured only a fraction of the victims found in Black Basta’s leak site. Trend Micro’s open-source\r\nintelligence (OSINT) research and investigation of the site show that from April 1 to July 31, 2022, the group compromised\r\na total of 80 organizations.\r\nThe bulk of Black Basta’s victims were based in North America, which had a victim count of 44, followed by Europe and the\r\nAsia-Pacific. More specifically, the US was at the receiving end of most of the attacks, with 38 affected organizations. Many\r\nconfirmed ransomware attacks also took place in Germany, with 19 victims.\r\nFigure 3. The distribution by region of Black Basta’s victim organizations from April 1 to July 31, 2022\r\nSources: Black Basta’s leak site and Trend Micro’s OSINT research\r\nFigure 4. The distribution by country of Black Basta’s victim organizations from April 1 to July 31, 2022\r\nSources: Black Basta’s leak site and Trend Micro’s OSINT research\r\nBlack Basta’s attacks affected a variety of organizations. Construction businesses topped the list with a victim count of 10,\r\nwhile businesses involved in professional services came in second with nine victims. Medium-size organizations made up\r\nthe lion’s share of recorded Black Basta victims.\r\nFigure 5. 
The distribution by industry of Black Basta’s victim organizations from April 1 to July 31, 2022\r\nSources: Black Basta’s leak site and Trend Micro’s OSINT research\r\nFigure 6. The distribution by organization size of Black Basta’s victim organizations from April 1 to July 31, 2022\r\nSources: Black Basta’s leak site and Trend Micro’s OSINT research\r\nInfection chain and techniques\r\nAs Black Basta’s operations are based on the ransomware-as-a-service (RaaS) model, its infection chain might vary depending on the target. The\r\ninfection chain illustrated below details the variety of tactics and tools the group uses.\r\nFigure 7. Black Basta’s infection chain\r\nInitial access\r\nExternal reports indicate that a user named “Black Basta” posted on underground forums seeking corporate network\r\naccess credentials, offering a share of the profit from their attacks as payment. These reports are supported by the fact\r\nthat a unique ID is hard-coded in each Black Basta build, which could also mean that the ransomware gang does not\r\ndistribute its malware sporadically.\r\nOur internal telemetry shows another set of samples, which were monitored within a 72-hour time frame, that were\r\nusing Qakbot. 
The malware is downloaded and executed from a malicious Excel file and then executes certain\r\nPowerShell commands as part of its staging phase.\r\nDiscovery\r\nBlack Basta uses PowerShell scripts to collect information about the compromised system or network.\r\nIt uses Qakbot’s and Cobeacon’s information-gathering capabilities to scan the compromised system or network.\r\nIt uses third-party tools such as Netcat to scan the compromised system or network.\r\nDefense evasion\r\nBlack Basta uses a batch script containing PowerShell commands to disable antimalware applications.\r\nIt uses Group Policy Objects (GPOs) to disable Windows Defender and Security Center.\r\nIt reboots the victim’s computer in safe mode to circumvent any antimalware applications.\r\nPrivilege escalation\r\nBlack Basta exploits the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged\r\noperations and deliver the Cobalt Strike beacon (aka Cobeacon) or other payloads.\r\nCredential access\r\nBlack Basta uses Mimikatz to dump credentials.\r\nLateral movement\r\nBlack Basta uses different tools and pieces of malware to spread its ransomware to other remote systems in the\r\nnetwork:\r\nBITSAdmin\r\nPsExec\r\nWindows Management Instrumentation (WMI)\r\nRDP\r\nQakbot\r\nCobeacon\r\nExfiltration\r\nBlack Basta uses Cobeacon to exfiltrate the stolen data to an established command-and-control (C\u0026C) server.\r\nIt uses Rclone to exfiltrate data from compromised systems.\r\nImpact\r\nBlack Basta uses the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a\r\npublic RSA-4096 key that is included in the executable.\r\nMultiple builds of Black Basta ransomware have been found in the wild:\r\nOne build restarts the victim’s system in safe mode, most likely for evasion purposes, before performing\r\nencryption. 
This build also modifies the “Fax” service to enable it to run in safe mode and with service-level\r\naccess.\r\nAnother build contains only the ransomware’s core capabilities, such as wallpaper defacement, file\r\nencryption, and deletion of shadow copies.\r\nA newly found build has a new addition: the -bomb argument, which theoretically allows the ransomware to\r\nautomatically target all connected machines for encryption.\r\nThe Linux build of the ransomware targets the folder /vmfs/volumes, where images from virtual machines are\r\ncontained, for encryption. To encrypt other folders, the ransomware actors include the -forcepath argument.\r\nBlack Basta displays a ransom note as the victim’s wallpaper directing them to a .txt file with more details.\r\nOther technical details\r\nBlack Basta avoids encrypting files in these folders:\r\n$Recycle.Bin\r\nWindows\r\nLocal Settings\r\nApplication Data\r\nboot\r\nIt avoids encrypting files with these strings in their file names:\r\nOUT.txt\r\nNTUSER.DAT\r\nreadme.txt (the ransom note)\r\ndlaksjdoiwq.jpg (a desktop wallpaper found in the %TEMP% folder)\r\nfkdjsadasd.ico (an icon used for encrypted files, found in the %TEMP% folder)\r\nIt drops a ransom note as a .txt file in each encrypted folder on the victim’s machine.\r\nFigure 9. 
An example of the contents of the ransom note .txt file\r\nMITRE ATT\u0026CK tactics and techniques\r\nInitial access\r\nT1078 - Valid accounts: Has been reported buying compromised accounts on underground forums to access victim systems.\r\nT1566.001 - Phishing: Spear-phishing attachment: Mirrors the technique used by Qakbot operators to distribute their payload that will deliver the ransomware.\r\nExecution\r\nT1059.003 - Command and scripting interpreter: Uses various scripting interpreters like PowerShell and Windows command shell.\r\nT1569.002 - System services: Service execution: Stops and deletes the service named “Fax”, which it then impersonates for its encryption routine.\r\nT1047 - Windows Management Instrumentation: Has been observed to use Windows Management Instrumentation (WMI) to spread and execute files over the network.\r\nPrivilege escalation\r\nT1068 - Exploitation for privilege escalation: Exploits the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged operations.\r\nDefense evasion\r\nT1112 - Modify registry: Modifies registry entries to enable it to replace the desktop wallpaper, set the icon associated with encrypted files, establish persistence, and disable defenses.\r\nT1484.001 - Domain policy modification: Group policy modification: Employs a technique involving the creation of a Group Policy Object (GPO) on a compromised domain controller, which will push out the changes (disable defenses) to the Windows registry of domain-joined hosts.\r\nT1562.001 - Impair defenses: Disable or modify tools: Disables Windows Defender and Security Center.\r\nT1562.009 - Impair defenses: Safe mode boot: Disables Windows recovery and repair features and restarts the machine in safe mode.\r\nT1620 - Reflective code loading: Has some builds that are known to use reflective code loading when executing themselves.\r\nCredential access\r\nT1003 - OS credential dumping: Uses Mimikatz to dump credentials.\r\nDiscovery\r\nT1082 - System information discovery: Uses tools for local system scans.\r\nT1018 - Remote system discovery: Uses tools for remote network scans.\r\nT1083 - File and directory discovery: Searches for specific files and directories related to its ransomware encryption.\r\nLateral movement\r\nT1570 - Lateral tool transfer: Uses tools like PsExec and BITSAdmin to spread the malware laterally across the network.\r\nT1021.001 - Remote services: Remote Desktop Protocol: Uses RDP to spread and execute the malware across the network.\r\nExfiltration\r\nT1041 - Exfiltration over C\u0026C channel: Uses an established command-and-control (C\u0026C) channel to exfiltrate data.\r\nT1567 - Exfiltration over web service: Uses a tool like Rclone to copy stolen data from a client to its cloud server.\r\nImpact\r\nT1490 - Inhibit system recovery: Deletes shadow copies.\r\nT1489 - Service stop: Stops and deletes a service named “Fax”, which it then impersonates for its encryption routine.\r\nT1486 - Data encrypted for impact: Encrypts files and adds the extension “.basta”.\r\nT1491 - Defacement: Replaces the desktop wallpaper to display the ransom note.\r\nSummary of tools, exploit, and other malware used\r\nSecurity teams can keep an eye out for the presence of these tools, exploit, and other malware that are typically used in\r\nBlack Basta’s ransomware attacks:\r\nInitial access: Spear phishing\r\nDiscovery: Netcat\r\nPrivilege escalation: PrintNightmare vulnerability (CVE-2021-34527)\r\nCredential access: Mimikatz\r\nLateral movement: BITSAdmin, Coroxy, PsExec, RDP, WMI\r\nExecution: PowerShell, Windows command shell, WMI\r\nExfiltration: Cobeacon, Rclone\r\nSecurity recommendations\r\nSecurity researchers have speculated that Black Basta might be an offshoot of the infamous Conti ransomware gang. It has also exhibited similarities to the BlackMatter ransomware gang, including a resemblance\r\nbetween their respective leak sites. Its possible connection to these ransomware groups might explain the high level of in-house expertise behind Black Basta’s attacks.\r\nIn defending systems against threats like Black Basta, organizations can benefit from establishing security frameworks that\r\ncan allocate resources systematically for establishing solid defenses against ransomware. 
Here are some best practices that\r\ncan be included in these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nMake an audit of event and incident logs.\r\nConfigure and monitor\r\nManage hardware and software configurations.\r\nGrant admin privileges and access only when necessary to an employee’s role.\r\nMonitor network ports, protocols, and services.\r\nActivate security configurations on network infrastructure devices such as firewalls and routers.\r\nEstablish a software allowlist that only executes legitimate applications.\r\nPatch and update\r\nConduct regular vulnerability assessments.\r\nPerform patching or virtual patching for operating systems and applications.\r\nUpdate software and applications to their latest versions.\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures.\r\nEnable multifactor authentication (MFA).\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails.\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and\r\nnetwork.\r\nDetect early signs of an attack such as the presence of suspicious tools in the system.\r\nUse advanced detection technologies such as those powered by AI and machine learning.\r\nTrain and test\r\nRegularly train and assess employees on security skills.\r\nConduct red-team exercises and penetration tests.\r\nA multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and\r\nnetwork). 
Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises:\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block\r\nquestionable behavior and tools early on before the ransomware can do irreversible damage to the system.\r\nTrend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats\r\nthat exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine\r\nlearning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis\r\ntechniques to effectively block malicious emails, including phishing emails that can serve as entry points for\r\nransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced\r\nconcerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of compromise (IOCs)\r\nThe indicators of compromise (IOCs) for the threat discussed in this article can be found here. Actual\r\nindicators might vary per attack.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta"
	],
	"report_names": [
		"ransomware-spotlight-blackbasta"
	],
	"threat_actors": [],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29386e8af2bb845a1ae10bb2ec76ef5b587f302d.pdf",
		"text": "https://archive.orkl.eu/29386e8af2bb845a1ae10bb2ec76ef5b587f302d.txt",
		"img": "https://archive.orkl.eu/29386e8af2bb845a1ae10bb2ec76ef5b587f302d.jpg"
	}
}