{
	"id": "040a44db-65a6-44a7-914f-2256c5bccabb",
	"created_at": "2026-04-06T00:10:34.146878Z",
	"updated_at": "2026-04-10T03:24:29.811659Z",
	"deleted_at": null,
	"sha1_hash": "6d9afcf3dfc130ce1069d8165df1da352694597d",
	"title": "Examining the Black Basta Ransomware’s Infection Routine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3540297,
	"plain_text": "Examining the Black Basta Ransomware’s Infection Routine\r\nPublished: 2022-05-09 · Archived: 2026-04-05 13:08:40 UTC\r\nRansomware\r\nWe analyze the Black Basta ransomware and examine the malicious actor’s familiar infection tactics.\r\nBy: Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales, Don Ovid Ladores May 09, 2022\r\nRead time: 7 min (1976 words)\r\nBlack Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to\r\norganizations in a short span of time.\r\nOn April 20, 2022, a user named Black Basta posted on underground forums known as XSS.IS and EXPLOIT.IN to\r\nadvertise that it intends to buy and monetize corporate network access credentials for a share of the profits. The\r\nadvertisement also specified that it was looking for organizations based in the United States, Canada, United Kingdom,\r\nAustralia, and New Zealand, which are all English-speaking countries. A reportopen on a new tab noted that malicious\r\nactors acquired stolen credentials from some darknet websites that peddle an enormous amount of exfiltrated data to the\r\nunderground market.\r\nOn April 26, Twitter user PCrisk tweetedopen on a new tab about the new Black Basta ransomware that appends the\r\nextension .basta and changes the desktop wallpaper.\r\nThis blog entry takes a closer look at the Black Basta ransomware and analyzes this newcomer’s familiar infection\r\ntechniques.\r\nThe infection routine\r\nBlack Basta ransomware needs administrator rights to run. It otherwise displays a command prompt message as shown on\r\nFigure 1.\r\nFigure 1. 
A command prompt is displayed if Black Basta ransomware is not run with administrator rights.\r\nAfter running the ransomware as administrator, it removes shadow copies, disables Windows recovery and repair, and boots\r\nthe PC in safe mode.\r\nC:\\Windows\\SysNative\\vssadmin.exe delete shadows /all /quiet\r\nC:\\Windows\\SysNative\\bcdedit.exe /deletevalue safeboot\r\nC:\\Windows\\SysNative\\bcdedit /set safeboot networkChanges\r\nhttps://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html\r\nPage 1 of 13\n\nFigure 2. Commands such as \"C:\\Windows\\SysNative\\bcedit /set safeboot networkChanges\" are embedded in\r\nthe binary and can be viewed easily.\r\nIt also drops the following files, which will be used later when changing the desktop wallpaper and icons for encrypted files:\r\n%Temp%\\fkdjsadasd.ico\r\n%Temp%\\dlaksjdoiwq.jpg\r\nBefore booting the infected device into safe mode, it changes the desktop wallpaper by dropping the .jpg file into the\r\n%temp% folder and creating the following registry entry:\r\nKey: HKCU\\Control Panel\\Desktop;  Value: Wallpaper; Data:%Temp%\\dlaksjdoiwq.jpg;\r\nFigure 3. The registry entry created after Black Basta ransomware changes the wallpaper on the infected\r\nmachine\r\nFigure 4. The desktop wallpaper created by the ransomware from the .jpg file dropped in the %temp% folder\r\nAfter changing the desktop wallpaper, it then adds the following registry keys to change the icon of the encrypted files with\r\nthe .basta extension:\r\nHKLM\\SOFTWARE\\Classes\\.basta\r\nHKLM\\SOFTWARE\\Classes\\.basta\\DefaultIcon data: %TEMP%\\fkdjsadasd.ico\r\nFigure 5. 
The registry keys added by the ransomware to change the icon of the files with the .basta extension\r\nThe ransomware proceeds to encrypt files while the device is in safe mode, appending all encrypted files with the .basta\r\nextension. The ransom note is found in all the folders the ransomware has affected.\r\nFigure 6. The infected files shown with the .basta extension\r\nThe ransom note indicates the malicious actor’s onion site and a company ID. Despite running the same ransomware\r\n(SHA256 hash: 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa) on different virtual machines,\r\nthe company ID the gang provides is the same across all devices.\r\nFigure 7. The ransom note dropped by Black Basta\r\nUsing another binary (SHA256 hash: 7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a), a\r\ndifferent company ID is shown on the ransom note. The files are likewise appended with the .basta extension.\r\nFigure 8. A different company ID is given when another binary is used.\r\nAnalyzing the infection routine\r\nBlack Basta’s recent entry to the cybercrime world suggests that information about their operations is still limited.\r\nAccording to a report, the gang has neither started marketing its operations nor has it begun recruitment of\r\naffiliates in underground forums. Based on advertisements they posted before the attacks, the malicious actor likely uses\r\nstolen credentials — purchased in darknet websites or underground forums — to get into an organization’s system.\r\nWe probed further and found that the company ID written in the ransom note is hardcoded in the binary file.\r\nFigure 9. 
The company ID in the ransom note is hardcoded in the binary file.\r\nBlack Basta attempts to delete shadow copies using vssadmin.exe and boots the device in safe mode using bcdedit.exe from\r\ndifferent paths, specifically, %SysNative% and %System32%.\r\nFigure 10. Black Basta’s attempts to delete shadow copies using vssadmin.exe\r\nFigure 11. Black Basta boots the device in safe mode using bcdedit.exe from different paths, specifically,\r\n%SysNative% and %System32%.\r\nAt this stage, the ransomware deletes the service named Fax, and creates a new one with the same name using the malware’s\r\npath and adds it to the registry for persistence.\r\nFigure 12. Pop-up notification when the Fax service is deleted\r\nFigure 13. Functions used in creating a new service, also named “Fax,” that uses the file path of the malware\r\nas its binary path name\r\nFigure 14. Functions used when creating a registry key\r\nFigure 15. New registry key created for the new “Fax” service that replaces the deleted service\r\nIt then uses ShellExecuteA to shut down and restart the victim’s machine.\r\nFigure 16. Function ShellExecuteA used to shut down and restart the victim’s machine\r\nExtortion phase\r\nFor a newcomer in the field, Black Basta is quite prolific for having compromised at least a dozen organizations in just a few\r\nweeks. The group’s first known attack using the Black Basta ransomware occurred in the second week of\r\nApril 2022. But an earlier sample was also spotted back in February 2022 with the ransomware name\r\n“no_name_software,” which appends the extension “encrypted” to encrypted files. 
According to some threat\r\nresearchers, it appears that Black Basta has been in development since early February 2022.\r\nFigure 17. Ransom note used in an earlier sample\r\nLike other enterprise-focused ransomware operations, Black Basta employs a double extortion scheme that involves exfiltrating confidential data before encryption to threaten victims with public release of the\r\nstolen data.\r\nThe gang carries out the extortion phase of its attacks on its Tor site, Basta News, which contains a list of all the victims who\r\nhave not paid the ransom.\r\nFigure 18. Black Basta’s leak site, retrieved from\r\nhttps://twitter.com/MarceloRivero/status/1519398885193654273\r\nPossible relation to an APT\r\nSecurity researchers exchanged speculations on Twitter that Black Basta is possibly a rebranding of the Conti\r\nransomware operation. MalwareHunterTeam pointed out many similarities in its leak site, payment site,\r\nand negotiation style to those of Conti’s. Twitter user Arkbird echoed the same observation. Lawrence\r\nAbrams of BleepingComputer also mentioned that the malicious actors behind Black Basta seem like they are exerting a lot\r\nof effort to avoid any resemblance to their previous identity.\r\nWe have also noticed some similarities between the Black Basta and Black Matter payment sites. Like Black Matter, Black\r\nBasta implements user verification on its Tor site. However, the leak site does not implement a session key.\r\nFigure 19. The Black Matter payment site\r\nFigure 20. 
The Black Basta payment site\r\nNew findings: QAKBOT possibly related to Black Basta\r\nBased on our analysis of another set of samples monitored within a 72-hour timeframe, we discovered a possible correlation\r\nbetween QAKBOT and Black Basta ransomware. We observed the following:\r\nAs with QAKBOT, the malware is downloaded and executed from a malicious Excel file. Similar to the typical\r\nroutine of the QAKBOT binary, it then executes certain PowerShell commands as part of its staging phase.\r\nFrom information gathered in our telemetry, we found the presence of the Black Basta ransomware within the 72-\r\nhour period in which it encrypted files on victims’ machines. Trend Micro detects this as\r\nRansom.Win32.BASTACRYPT.YACEDT.\r\nOther researchers pointed out that QAKBOT deploys its version of the exploit PRINTNIGHTMARE (aka\r\nQUAKNIGHTMARE) during the same timeframe. We also observed the presence of the weaponized exploit. This, in\r\nturn, executes another binary with escalated privilege. Unfortunately, we were unable to find the presence of the file\r\npointed to by the hardcoded path string to complete the attack chain. Trend Micro detects this as\r\nTrojan.Win64.QUAKNIGHTMARE.YACEJT.\r\nMalicious actors also use certain tools as seen through our sensors, but we were unable to obtain the complete kit. We have\r\nso far gathered paths related to the tools themselves that include the following:\r\nAdwareCleaner (C:\\AdwCleaner\\*)\r\nEither PC-Cleaner or Pervasive PSQL/SQL (C:\\pvsw\\*)\r\nThe structure of the ransomware loader is also different from the external article. 
In this case, instead of dropping and\r\nexecuting the ransomware itself, the loader downloads to the device’s memory then uses reflective loading to launch the\r\nransomware.\r\nThe information we have collected so far indicates that the malicious actor behind Black Basta possibly used QAKBOT as a\r\nnew means to deliver the ransomware.\r\nInsights\r\nThe malicious actors could be using a unique binary for each organization that they target. This can be seen from the ransom\r\nnote that they drop, which is hardcoded in the malware itself. A ransomware typically creates a unique ID for each victim\r\ndespite being infected by the same executable. Their choice of target organizations also suggests this to be the case. They\r\nbuy corporate network access credentials in underground markets, which could mean that they do not distribute their\r\nmalware sporadically. Instead, they use a certain kind of binary or variant for a specific organization.\r\nRecommendations \r\nThreat researchers suggest that the recent attacks by Black Basta can be seen as early manifestations of Conti’s rebranding\r\nefforts. True or not, organizations should keep a watchful eye against ransomware threats. An organization’s thorough\r\nassessment of its security posture and its implementation of solid cybersecurity defenses give it a better fighting chance\r\nagainst such threats. \r\nTo protect systems against similar attacks, organizations can establish security frameworks that allocate resources\r\nsystematically for establishing a strong defense strategy against ransomware. 
Here are some best practices that organizations\r\ncan consider:\r\nAudit and inventory\r\nTake an inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nAudit event and incident logs\r\nConfigure and monitor\r\nManage hardware and software configurations\r\nGrant admin privileges and access only when necessary to an employee’s role\r\nMonitor network ports, protocols, and services\r\nActivate security configurations on network infrastructure devices such as firewalls and routers\r\nEstablish a software allowlist that only executes legitimate applications\r\nPatch and update\r\nConduct regular vulnerability assessments\r\nPerform patching or virtual patching for operating systems and applications\r\nUpdate software and applications to their latest versions\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures\r\nEnable multifactor authentication (MFA)\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and\r\nnetwork\r\nDetect early signs of an attack such as the presence of suspicious tools in the system\r\nUse advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\nRegularly train and assess employees in security skills\r\nConduct red-team exercises and penetration tests\r\nA multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and\r\nnetwork). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block\r\nquestionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Cloud One™ – Workload Security protects systems against both known and unknown threats\r\nthat exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine\r\nlearning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis\r\ntechniques to effectively block malicious emails, including phishing emails that can serve as entry points for\r\nransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced\r\nconcerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of compromise (IOCs)\r\nSource: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html"
	],
	"report_names": [
		"examining-the-black-basta-ransomwares-infection-routine.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d9afcf3dfc130ce1069d8165df1da352694597d.pdf",
		"text": "https://archive.orkl.eu/6d9afcf3dfc130ce1069d8165df1da352694597d.txt",
		"img": "https://archive.orkl.eu/6d9afcf3dfc130ce1069d8165df1da352694597d.jpg"
	}
}