{
	"id": "7d570882-0bdb-459a-b7cf-dae258752728",
	"created_at": "2026-04-06T00:22:36.985708Z",
	"updated_at": "2026-04-10T03:20:05.121015Z",
	"deleted_at": null,
	"sha1_hash": "3ecae514d401dabd21e5f71b2bc69aa3c83ab285",
	"title": "Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1663661,
	"plain_text": "Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems\r\nBy Uptycs Threat Research\r\nPublished: 2022-06-07 · Archived: 2026-04-02 11:16:22 UTC\r\nOriginal research by Siddharth Sharma and Nischay Hegde\r\nThe Uptycs threat research team recently observed an advancement in the Black Basta ransomware: the ransomware binaries now target ESXi servers. Black Basta was first seen this year, in April, when its variants targeted Windows systems. This blog highlights the recent addition of a *nix component to the Black Basta ransomware by its authors.\r\nThreat Attribution\r\nBased on the chat support link and the encrypted file extension, we believe that the actors behind this campaign are the same ones who targeted Windows systems earlier with the Black Basta ransomware.\r\nFigure 1: Black Basta chat support panel for negotiation\r\nTechnical Overview\r\nThe ransomware binary (hash: 0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef) looks for the /vmfs/volumes directory on the victim system. The /vmfs/volumes directory stores the virtual machines on the ESXi server. Once it finds the directory, it starts encrypting the files present inside the volumes folder.\r\nhttps://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems\r\nPage 1 of 5\n\nFigure 2: Ransomware binary looking for /vmfs/volumes folder\r\nFor encryption, the ransomware author appears to use the ChaCha20 algorithm as part of the encryption mechanism, probably because ChaCha20 is fast.\r\nFigure 3: ChaCha20 algorithm\r\nIt also uses multithreading for encryption to utilize multiple processors, which makes it faster and harder to detect. As shown in Figure 4, the function `EncryptionThread` is run in parallel to increase the throughput of the ransomware.\r\nFigure 4: EncryptionThread usage\r\nThe ransomware binary also uses the chmod utility to give full permissions to the target files (see Figure 5).\r\nFigure 5: Malware binary writing encrypted content to files inside volumes folder\r\nThe figure below shows the encrypted files inside the volumes folder on the victim system. The extension used by the ransomware binary is .basta.\r\nFigure 6: Encrypted files along with the readme file\r\nInside the readme.txt file, the author puts the link to the chat support panel where victims can go for file decryption.\r\nFigure 7: Black Basta panel for chat support\r\nThe Uptycs EDR, armed with YARA process scanning, detects the BlackBasta ransomware with a threat score of 10/10 (see Figure 8).\r\n0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef\r\nhttps[:]//aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion\r\nSource: https://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.uptycs.com/blog/black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems"
	],
	"report_names": [
		"black-basta-ransomware-goes-cross-platform-now-targets-esxi-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ecae514d401dabd21e5f71b2bc69aa3c83ab285.pdf",
		"text": "https://archive.orkl.eu/3ecae514d401dabd21e5f71b2bc69aa3c83ab285.txt",
		"img": "https://archive.orkl.eu/3ecae514d401dabd21e5f71b2bc69aa3c83ab285.jpg"
	}
}