{
	"id": "d506e7a7-37f9-4b0f-b316-85b2d01c9938",
	"created_at": "2026-04-06T00:14:58.046066Z",
	"updated_at": "2026-04-10T13:11:42.13862Z",
	"deleted_at": null,
	"sha1_hash": "a300dd52dd9e5b3082b657768eaf75e67a3f8655",
	"title": "#StopRansomware: Black Basta | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 150858,
	"plain_text": "#StopRansomware: Black Basta | CISA\r\nPublished: 2024-11-08 · Archived: 2026-04-05 15:27:30 UTC\r\n1. Install updates for operating systems, software, and firmware as soon as they are released.\r\n2. Require phishing-resistant MFA for as many services as possible.\r\n3. Train users to recognize and report phishing attempts.\r\nSummary\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish\r\nadvisories for network defenders that detail various ransomware variants and ransomware threat actors. These\r\n#StopRansomware advisories include recently and historically observed tactics, techniques, and procedures\r\n(TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit\r\nstopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats\r\nand no-cost resources.\r\nNote: Updates to this advisory, originally published May 10, 2024, include:\r\nNovember 8, 2024: The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as\r\nwell as provide current IOCs/remove outdated IOCs for effective threat hunting.\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department\r\nof Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC)\r\n(hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black\r\nBasta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical\r\ninfrastructure sectors, including the Healthcare and Public Health (HPH) Sector.\r\nThis joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta\r\nis considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. 
Black Basta\r\naffiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and\r\nAustralia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.\r\nBlack Basta affiliates use common initial access techniques—such as phishing and exploiting known\r\nvulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data.\r\nRansom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes\r\nprovide victims with a unique code and instruct them to contact the ransomware group via a .onion URL\r\n(reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the\r\nransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.\r\nUpdate November 8, 2024:\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a\r\nPage 1 of 11\n\nRecent techniques include email bombing—a tactic used to send a large volume of spam emails—to aid social\r\nengineering over Microsoft Teams and trick victim end users into providing initial access via remote monitoring\r\nand management (RMM) tools.\r\nUpdate End\r\nHealthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence,\r\naccess to personal health information, and unique impacts from patient care disruptions. The authoring\r\norganizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the\r\nMitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware\r\nattacks. 
Victims of ransomware should report the incident to their local FBI field office or CISA (see the\r\nReporting section for contact information).\r\nDownload the PDF version of this report:\r\nFor a downloadable list of IOCs, see:\r\nFor a downloadable list of previously published IOCs, see:\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK for Enterprise framework, version 16. See the MITRE\r\nATT\u0026CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK®\r\ntactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework,\r\nsee CISA and MITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nInitial Access\r\nBlack Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity\r\nresearchers, affiliates have also used Qakbot during initial access.[1]\r\nStarting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709\r\n[CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].\r\nUpdate November 8, 2024:\r\nIn May 2024, Black Basta affiliates launched a social engineering campaign in which targeted users were sent a\r\nlarge volume of spam email, often from legitimate sources like website registrations, email subscriptions, and\r\nother marketing content. Black Basta affiliates would subsequently call the victim, act as technical support, and\r\noffer to fix the issue [T1566.004]. 
During this process, the actors requested the victim users download a tool for\r\nremote access, such as AnyDesk or Microsoft’s Quick Assist [T1204].\r\nIn October 2024, this social engineering campaign incorporated the use of Microsoft Teams to contact victims.\r\nBlack Basta affiliated operators would message the victims from legitimate Microsoft Teams accounts from\r\nexternal organizations, posing as technical support to resolve the email spam issues. Threat actor follow-on\r\nobjectives remained the same; Black Basta affiliates requested victim users to download tools for allowing remote\r\naccess.\r\nUpdate End\r\nDiscovery and Execution\r\nBlack Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning.\r\nCybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file\r\nnames such as Intel or Dell, left in the root drive C:\\ [T1036].[1]\r\nPrivilege Escalation\r\nBlack Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to\r\ncybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472 [CWE-330]),\r\nNoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527 [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1], [2]\r\nLateral Movement\r\nBlack Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for\r\nlateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to\r\nassist with remote access and lateral movement.\r\nExfiltration and Encryption\r\nBlack Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration,\r\ncybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable\r\nantivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection\r\nand response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm\r\nwith an RSA-4096 public key fully encrypts files [T1486]. 
A .basta or otherwise random file extension is added\r\nto file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit\r\nsystem recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]\r\nLeveraged Tools\r\nSee Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate\r\ntools repurposed for their operations.\r\nDisclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence\r\nto support threat actor use and/or control. Black Basta affiliates were observed using these legitimate tools for\r\nintended malicious purposes.\r\nTable 1: Tools Used by Black Basta Affiliates\r\nAnyDesk: A remote monitoring and management tool used by Black Basta affiliates to gain access to a victim user’s endpoint.\r\nMicrosoft Teams: A messaging application used within organizations and maliciously used by Black Basta affiliates to contact employees.\r\nMicrosoft Quick Assist: A remote monitoring and management tool used by Black Basta affiliates to gain access to a victim user’s endpoint.\r\nBITSAdmin: A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.\r\nCobalt Strike: A penetration testing tool used by security professionals to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.\r\nMimikatz: A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.\r\nPSExec: A tool designed to run programs and execute commands on remote systems.\r\nPowerShell: A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.\r\nRClone: A command line program used to sync files with cloud storage services such as Mega.\r\nSoftPerfect: A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.\r\nScreenConnect: Remote support, access, and meeting software that allows users to control devices remotely over the internet.\r\nSplashtop: Remote desktop software that allows remote access to devices for support, access, and collaboration.\r\nWinSCP: Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. 
Black Basta affiliates\r\nhave used it to transfer data from a compromised network to actor-controlled accounts.\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.\r\nTable 2: Black Basta ATT\u0026CK Techniques for Initial Access\r\nPhishing (T1566): Black Basta affiliates have used spearphishing emails to obtain initial access.\r\nPhishing: Spearphishing Voice (T1566.004): Black Basta affiliates have used spearphishing phone and Microsoft Teams calls to trick users into providing initial access.\r\nExploit Public-Facing Application (T1190): Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.\r\nTable 3: Black Basta ATT\u0026CK Techniques for Privilege Escalation\r\nExploitation for Privilege Escalation (T1068): Black Basta affiliates have used credential scraping tools like Mimikatz, Zerologon, NoPac and PrintNightmare for privilege escalation.\r\nTable 4: Black Basta ATT\u0026CK Techniques for Defense Evasion\r\nMasquerading (T1036): Black Basta affiliates have conducted reconnaissance using utilities with innocuous file names, such as Intel or Dell, to evade detection.\r\nImpair Defenses: Disable or Modify Tools (T1562.001): Black Basta affiliates have deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling. Black Basta affiliates have used PowerShell to disable antivirus products.\r\nTable 5: Black Basta ATT\u0026CK Techniques for Execution\r\nUser Execution (T1204): Black Basta affiliates have used social engineering techniques to convince users to execute legitimate remote access tools such as AnyDesk and Microsoft’s Quick Assist.\r\nCommand and Scripting Interpreter: PowerShell (T1059.001): Black Basta affiliates have used PowerShell to disable antivirus products.\r\nTable 6: Black Basta ATT\u0026CK Techniques for Impact\r\nInhibit System Recovery (T1490): Black Basta affiliates have used the vssadmin.exe program to delete shadow copies.\r\nData Encrypted for Impact (T1486): Black Basta affiliates have used a public key to fully encrypt files.\r\nIndicators of Compromise\r\nUpdate November 8, 2024:\r\nMany indicators provided in this advisory’s initial publication have been removed considering they are outdated.\r\nFor historic reference, see AA24-131A #StopRansomware: Black Basta (Initial Version).\r\nThe IOCs listed in Tables 7–8 were obtained from trusted third-party reporting and are considered most current.\r\nDisclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to\r\ntaking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and\r\nsome IP addresses may host valid domains.\r\nTable 7: Network Indicators\r\nIP Address First Seen Description\r\n170.130.165[.]73 October 14, 2024 Likely Cobalt Strike infrastructure\r\n45.11.181[.]44 October 24, 2024 Likely Cobalt Strike infrastructure\r\n66.42.118[.]54 October 15, 2024 Exfiltration server\r\n79.132.130[.]211 October 24, 2024 Likely Cobalt Strike infrastructure\r\nTable 8: Suspected Black Basta Cobalt Strike Domains\r\nDomain First Seen\r\nMoereng[.]com October 9, 2024\r\nExckicks[.]com October 2, 2024\r\nUpdate End\r\nMitigations\r\nThe authoring organizations recommend all critical infrastructure organizations implement the mitigations below\r\nto improve your organization’s cybersecurity posture based on Black Basta’s activity. 
These mitigations align with\r\nthe Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of\r\nStandards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and\r\nNIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity\r\nframeworks and guidance to protect against the most common and impactful threats, tactics, techniques, and\r\nprocedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs,\r\nincluding additional recommended baseline protections.\r\nInstall updates for operating systems, software, and firmware as soon as they are released [CPG 1.E].\r\nPrioritize updating Known Exploited Vulnerabilities (KEV).\r\nRequire phishing-resistant multi-factor authentication (MFA) [CPG 2.H] for as many services as\r\npossible.\r\nImplement recommendations, including training users to recognize and report phishing\r\nattempts [CPG 2.I], from joint Phishing Guidance: Stopping the Attack Cycle at Phase One.\r\nSecure remote access software by applying mitigations from joint Guide to Securing Remote Access\r\nSoftware.\r\nMake backups of critical systems and device configurations [CPG 2.R] to enable devices to be repaired\r\nand restored.\r\nApply mitigations from the joint #StopRansomware Guide.\r\nThe authoring organizations also recommend that network defenders of HPH Sector and other critical infrastructure\r\norganizations reference CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector and HHS’s HPH\r\nCybersecurity Performance Goals, which provide best practices to combat pervasive cyber threats against\r\norganizations. 
Recommendations include the following:\r\nAsset Management and Security: Cybersecurity professionals should identify and understand all\r\nrelationships or interdependencies, functionality of each asset, what it exposes, and what software is\r\nrunning to ensure critical data and systems are protected appropriately. HPH Sector organizations should\r\nensure electronic PHI (ePHI) is protected and compliant with the Health Insurance Portability and\r\nAccountability Act (HIPAA). Organizations can complete asset inventories using active scans, passive\r\nprocesses, or a combination of both techniques.\r\nEmail Security and Phishing Prevention: Organizations should install modern anti-malware software and\r\nautomatically update signatures where possible. For additional guidance, see CISA’s Enhance Email and\r\nWeb Security Guide.\r\nCheck for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link\r\nitself. This can be achieved by hovering your cursor over the link to view the URL of the website to be\r\naccessed.\r\nAccess Management: Phishing-resistant MFA completes the same process but removes ‘people’ from the\r\nequation to help thwart social engineering scams and targeted phishing attacks that may have been\r\nsuccessful using traditional MFA. The two main forms of phishing-resistant MFA are FIDO/Web\r\nAuthentication (WebAuthn) authentication and Public Key Infrastructure (PKI)-based authentication.\r\nPrioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative\r\naccounts on key assets. For additional information on phishing-resistant MFA, see CISA’s Implementing\r\nPhishing-Resistant MFA Guide.\r\nVulnerability Management and Assessment: Once vulnerabilities are identified across your environment,\r\nevaluate and prioritize to appropriately deal with the posed risks according to your organization’s risk\r\nstrategy. 
To assist with prioritization, it is essential to:\r\nMap your assets to business-critical functions. For vulnerability remediation, prioritize assets that are\r\nmost critical for ongoing operations or which, if affected, could impact your organization’s business\r\ncontinuity, sensitive PII (or PHI) security, reputation, or financial position.\r\nUse threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat\r\nactors. To assist, leverage CISA’s KEV Catalog and other threat intelligence feeds.\r\nLeverage prioritization methodologies, ratings, and scores. The Common Vulnerability Scoring System\r\n(CVSS) assesses the technical severity of vulnerabilities. The Exploit Prediction Scoring System (EPSS)\r\nmeasures the likelihood of exploitation and can help with deciding which vulnerabilities to prioritize.\r\nCISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) methodology leverages decision trees to\r\nprioritize relevant vulnerabilities into four decisions, Track, Track*, Attend, and Act based on exploitation\r\nstatus, technical impact, mission prevalence, and impacts to safety and public-wellbeing.\r\nValidate Security Controls\r\nIn addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating\r\nyour organization’s security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise\r\nframework in this advisory. The authoring organizations recommend testing your existing security controls\r\ninventory to assess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Tables 2-6).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. 
Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nThe authoring organizations recommend continually testing your security program, at scale, in a production\r\nenvironment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nReferences\r\n1. SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor\r\n2. Trend Micro: Ransomware Spotlight - Black Basta\r\n3. Kroll: Black Basta - Technical Analysis\r\n4. BlackBerry: Who Is Black Basta?\r\n5. Palo Alto Networks: Threat Assessment - Black Basta Ransomware\r\nReporting\r\nYour organization has no obligation to respond or provide information back to FBI in response to this joint CSA.\r\nIf, after reviewing the information provided, your organization decides to provide information to FBI, reporting\r\nmust be consistent with applicable state and federal laws.\r\nFBI is interested in any information that can be shared, to include boundary logs showing communication to and\r\nfrom foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information,\r\ndecryptor files, and/or a benign sample of an encrypted file.\r\nAdditional details of interest include: a targeted company point of contact, status and scope of infection, estimated\r\nloss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and\r\nnetwork-based indicators.\r\nFBI, CISA, and HHS do not encourage paying ransom as payment does not guarantee victim files will be\r\nrecovered. 
Furthermore, payment may also embolden adversaries to target additional organizations, encourage\r\nother criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of\r\nwhether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report\r\nransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the\r\nagency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. FBI, CISA, HHS, and\r\nMS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or\r\nservices linked within this document. Any reference to specific commercial entities, products, processes, or\r\nservices by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement,\r\nrecommendation, or favoring by FBI, CISA, HHS, and MS-ISAC.\r\nVersion History\r\nMay 10, 2024: Initial version.\r\nNovember 8, 2024: Updates noted throughout.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"
	],
	"report_names": [
		"aa24-131a"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a300dd52dd9e5b3082b657768eaf75e67a3f8655.pdf",
		"text": "https://archive.orkl.eu/a300dd52dd9e5b3082b657768eaf75e67a3f8655.txt",
		"img": "https://archive.orkl.eu/a300dd52dd9e5b3082b657768eaf75e67a3f8655.jpg"
	}
}