{
	"id": "47ff1dd1-890a-476b-bd66-f75485d20895",
	"created_at": "2026-04-06T00:18:53.317288Z",
	"updated_at": "2026-04-10T13:11:35.668031Z",
	"deleted_at": null,
	"sha1_hash": "90edeb7da9a6f323e039cf3fe0cf5245c43c0b9a",
	"title": "Black Basta Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 735167,
	"plain_text": "Black Basta Ransomware\r\nPublished: 2022-05-06 · Archived: 2026-04-05 23:09:06 UTC\r\nNew ransomware variant targeting high-value organizations\r\nA new ransomware group has emerged and has been highly active since April 2022, targeting multiple high-value organizations. Among other notable attacks, the Black Basta gang is also responsible for a data leak targeting a popular Dental Association. The gang extracted around 2.8 GB of data in this attack.\r\nThe ransomware appends the extension .basta to encrypted files. Cyble Research Labs identified a total of 18 global victims of the Black Basta ransomware, with the largest number of victims based in the US. The following image shows the victims based on country.\r\nFigure 1 – Regions Targeted by the Black Basta Ransomware\r\nWe have prepared a breakdown of the industries targeted by the Black Basta ransomware in the figure below. As we can see, the ransomware gang primarily targets the construction and manufacturing industries.\r\nhttps://web.archive.org/web/20220506143054/https://blog.cyble.com/2022/05/06/black-basta-ransomware/\r\nPage 1 of 10\r\nFigure 2 – Industries Targeted by the Black Basta Ransomware\r\nThe ransomware is a console-based executable and can only be executed with administrator privileges. The static file information of the Black Basta ransomware is shown below.\r\nFigure 3 – Static File Information of Ransomware Executable\r\nAfter execution, the ransomware deletes shadow copies from the infected system using vssadmin.exe. This action removes the Windows backup so that after encryption the victim cannot revert the system to its previous state. The figure below shows the command in the ransomware binary.\r\nFigure 4 – Ransomware Deleting Shadow Files\r\nThe ransomware then drops two image files into the temp folder of the infected system, as shown in the figure below.\r\nFigure 5 – Ransomware Dropping Two Files\r\nThe ransomware then changes the desktop background wallpaper using the SystemParametersInfoW() API. The file ‘dlaksjdoiwq.jpg’ is used as the desktop background wallpaper by the ransomware.\r\nFigure 6 – Ransomware Changing Desktop Wallpaper\r\nThe second file, ‘fkdjsadasd.ico,’ is used as the file icon for encrypted files with the .basta extension. Black Basta ransomware achieves this by creating a registry key, as shown below.\r\nFigure 7 – Registry Entry for File Icon of Encrypted Files\r\nAfter creating the registry entry, the ransomware hijacks the FAX service. It initially checks whether a service named FAX is present on the system. If present, it deletes the original and creates a new malicious service named ‘FAX.’ The figure below shows the code snippets for the service hijack.\r\nFigure 8 – Ransomware Changing FAX Service\r\nThe screenshot below compares the malicious and genuine Windows FAX services.\r\nFigure 9 – Malicious vs. Genuine Fax Service Properties\r\nThe ransomware then checks the boot options using the GetSystemMetrics() API and adds the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\Fax registry entry so that the FAX service starts in safe mode. After completing all the customizations, the ransomware configures the operating system to boot in safe mode using bcdedit.exe, as shown in the figure below.\r\nFigure 10 – Safe Boot Operation Performed by the Ransomware\r\nAfter performing the system changes, the ransomware reboots the system using the ShellExecuteA() API, as shown in Figure 9.\r\nAfter rebooting, the FAX service launches and then initiates encryption and the other ransomware processes.\r\nThe ransomware finds system volumes for file encryption using the FindFirstVolumeW() and FindNextVolumeW() APIs and drops a readme.txt in every directory that it encounters. The figure below shows the APIs.\r\nFigure 11 – Ransomware Finding Volume Information\r\nThe ransomware excludes the following list of files and folders from encryption:\r\nRecycle.Bin\r\nWindows\r\nLocal Settings\r\nApplication Data\r\nOUT.txt\r\nboot\r\nreadme.txt\r\ndlaksjdoiwq.jpg\r\nNTUSER.DAT\r\nfkdjsadasd.ico\r\nFinally, the ransomware finds the files on the victim’s machine using the FindFirstFileW() and FindNextFileW() APIs and encrypts them. The ransomware uses a multithreading approach for faster file encryption.\r\nThe figure below shows the infected system in safe mode and the encrypted files.\r\nFigure 12 – Infected System Started in Safe Mode\r\nThe following image shows the screenshot of the ransom note dropped by the ransomware.\r\nFigure 13 – Ransom Note Dropped by the Black Basta Ransomware\r\nAfter completing these operations, the ransomware reboots in normal mode, as shown in the figure below.\r\nFigure 14 – Ransomware Restarting in Normal Mode\r\nPossible Re-brand of Conti Ransomware:\r\nThe Threat Actors behind the ransomware share similarities with the Conti ransomware gang. Researchers attribute the Black Basta ransomware to the TA behind Conti ransomware based on the victim data leak site. The image below shows the leak site of the Conti ransomware gang.\r\nFigure 15 – Conti Data Leak Blog Post\r\nThe image below shows the Black Basta ransomware data leak site.\r\nFigure 16 – Black Basta Data Leak Blog Post\r\nAdditionally, Conti and Black Basta ransomware have the same victim recovery portals, as shown below.\r\nFigure 17 – Recovery Pages for Black Basta and Conti Ransomware Gangs\r\nConclusion:\r\nWith law enforcement agencies worldwide actively targeting ransomware gangs, ransomware gang operators are also evolving their TTPs to target new organizations. The Black Basta ransomware has multiple similarities with the Conti ransomware group, indicating a possible connection between the Threat Actors.\r\nOrganizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.\r\nOur Recommendations:\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nBlock URLs that could spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nExecution T1059 Command and Scripting Interpreter\r\nDefence Evasion T1112 Modify Registry\r\nDefence Evasion T1027 Obfuscated Files or Information\r\nDefence Evasion T1562.001 Impair Defences: Disable or Modify Tools\r\nDiscovery T1082 System Information Discovery\r\nDiscovery T1083 File and Directory Discovery\r\nImpact T1490 Inhibit System Recovery\r\nImpact T1489 Service Stop\r\nImpact T1486 Data Encrypted for Impact\r\nIndicators of Compromise (IoCs):\r\nIndicator Indicator type Description\r\n3f400f30415941348af21d515a2fc6a3 MD5 eyqvn14ce.dll (Ransomware executable)\r\nbd0bf9c987288ca434221d7d81c54a47e913600a SHA-1 eyqvn14ce.dll (Ransomware executable)\r\n5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa SHA-256 eyqvn14ce.dll (Ransomware executable)\r\nSource: https://web.archive.org/web/20220506143054/https://blog.cyble.com/2022/05/06/black-basta-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20220506143054/https://blog.cyble.com/2022/05/06/black-basta-ransomware/"
	],
	"report_names": [
		"black-basta-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90edeb7da9a6f323e039cf3fe0cf5245c43c0b9a.pdf",
		"text": "https://archive.orkl.eu/90edeb7da9a6f323e039cf3fe0cf5245c43c0b9a.txt",
		"img": "https://archive.orkl.eu/90edeb7da9a6f323e039cf3fe0cf5245c43c0b9a.jpg"
	}
}