{
	"id": "15f8f0ca-24c1-46c7-950c-a3cbc7552236",
	"created_at": "2026-04-06T00:13:59.701224Z",
	"updated_at": "2026-04-10T13:11:49.436164Z",
	"deleted_at": null,
	"sha1_hash": "41b14b0acaf70aa02a6004fdb3880ad89f2faaea",
	"title": "New Black Basta ransomware springs into action with a dozen breaches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3782510,
	"plain_text": "New Black Basta ransomware springs into action with a dozen breaches\r\nBy Lawrence Abrams\r\nPublished: 2022-04-27 · Archived: 2026-04-05 18:12:56 UTC\r\nA new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks.\r\nThe first known Black Basta attacks occurred in the second week of April, as the operation quickly began attacking companies worldwide.\r\nWhile ransom demands likely vary between victims, BleepingComputer is aware of one victim who received over a $2 million demand from the Black Basta gang to decrypt files and not leak data.\r\nhttps://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/\r\nPage 1 of 8\r\nNot much else is known about the new ransomware gang as they have not begun marketing their operation or recruiting affiliates on hacking forums.\r\nHowever, due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.\r\nSteals data before encrypting\r\nLike other enterprise-targeting ransomware operations, Black Basta will steal corporate data and documents before encrypting a company's devices.\r\nThis stolen data is then used in double-extortion attacks, where the threat actors demand a ransom to receive a decryptor and prevent the publishing of the victim's stolen data.\r\nThe data extortion part of these attacks is conducted on the 'Black Basta Blog' or 'Basta News' Tor site, which contains a list of all victims who have not paid a ransom. Black Basta will slowly leak data for each victim to try and pressure them into paying a ransom.\r\nBlack Basta data leak site\r\nSource: BleepingComputer\r\nThe Black Basta data leak site currently contains data leak pages for ten companies they breached. However, BleepingComputer knows of other victims not currently listed on the data leak site.\r\nTheir most recent listed victim is Deutsche Windtechnik, which suffered a cyberattack on April 11th but had not disclosed it was a ransomware attack.\r\nYesterday, the data leak site also began leaking the data for the American Dental Association, which suffered an attack on April 22nd, but that page has since been removed. The removal of their page indicates that the company is negotiating with the threat actors.\r\nA deeper dive into Black Basta\r\nBleepingComputer performed a brief analysis of the Black Basta ransomware from online samples.\r\nWhen executed, the Black Basta encryptor needs to be run with administrative privileges, or it will not encrypt files. Once launched, the encryptor will delete Volume Shadow Copies using the following command:\r\nC:\\Windows\\system32\\cmd.exe /c C:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet\r\nIt will then hijack an existing Windows service and use it to launch the ransomware encryptor executable. In our tests, the Windows service that was hijacked was the 'Fax' service, as shown below.\r\nHijacked Fax Windows service used to launch Black Basta\r\nSource: BleepingComputer\r\nThe ransomware will also change the wallpaper to display a message stating, \"Your network is encrypted by the Black Basta group. Instructions in the file readme.txt.\"\r\nWallpaper added by the Black Basta encryptor\r\nSource: BleepingComputer\r\nThe ransomware will then reboot the computer into Safe Mode with Networking, where the hijacked Windows service will start and automatically begin to encrypt the files on the device.\r\nRansomware expert Michael Gillespie, who analyzed Black Basta's encryption process, told BleepingComputer that it utilizes the ChaCha20 algorithm to encrypt files. The ChaCha20 encryption key is then encrypted with a public RSA-4096 key included in the executable.\r\nWhile encrypting files, the ransomware will append the .basta extension to the encrypted file's name. So, for example, test.jpg would be encrypted and renamed to test.jpg.basta.\r\nBlack Basta encrypted files\r\nSource: BleepingComputer\r\nTo display the custom icon associated with the .basta extension, the ransomware will create a custom extension in the Windows Registry and associate the icon with a randomly named ICO file in the %Temp% folder. This custom icon is very similar to one used by the icy.tools app.\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.basta]\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.basta\\DefaultIcon]\r\n@=\"C:\\\\Windows\\\\TEMP\\\\fkdjsadasd.ico\"\r\nIn each folder on the encrypted device, the ransomware will create a readme.txt file that contains information about the attack and a link and unique ID required to log in to their negotiation chat session.\r\nBlack Basta Ransom Note\r\nSource: BleepingComputer\r\nThe Tor negotiation site is titled 'Chat Black Basta' and only includes a login screen and a web chat that can be used to negotiate with the threat actors.\r\nThe threat actors use this screen to issue a welcome message that contains a ransom demand, a threat that data will be leaked if payment is not made in seven days, and the promise of a security report after a ransom is paid.\r\nBlack Basta Tor negotiation site\r\nSource: BleepingComputer\r\nUnfortunately, Gillespie says that the encryption algorithm is secure and that there is no way to recover files for free.\r\nA likely rebrand\r\nBased on how quickly Black Basta amassed victims and the style of their negotiations, this is very likely a rebrand of an experienced operation.\r\nOne theory discussed between security researcher MalwareHunterTeam and this author is that Black Basta is possibly an upcoming rebrand of the Conti ransomware operation.\r\nConti has been under heavy scrutiny over the past two months after a Ukrainian researcher leaked a treasure trove of private conversations and the ransomware's source code.\r\nDue to this, it has been speculated that Conti would rebrand their operation to evade law enforcement and start over under a different name.\r\nWhile the Black Basta encryptor is very different from Conti's, MalwareHunterTeam believes that there are numerous similarities in their negotiation style and website design.\r\nFurthermore, Black Basta released the data for a brand new victim after a screenshot of the negotiation was leaked.\r\nThis \"punishment\" is the same one that Conti introduced to stem the tide of negotiations being leaked on Twitter.\r\nWhile these connections are tenuous, the Black Basta gang needs to be closely monitored as they have only just begun their operation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/"
	],
	"report_names": [
		"new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41b14b0acaf70aa02a6004fdb3880ad89f2faaea.pdf",
		"text": "https://archive.orkl.eu/41b14b0acaf70aa02a6004fdb3880ad89f2faaea.txt",
		"img": "https://archive.orkl.eu/41b14b0acaf70aa02a6004fdb3880ad89f2faaea.jpg"
	}
}