{
	"id": "d81a2ade-57ef-4592-91ad-4a43a58dbd61",
	"created_at": "2026-04-10T03:20:32.912865Z",
	"updated_at": "2026-04-10T03:22:17.567097Z",
	"deleted_at": null,
	"sha1_hash": "aaf0612699ffb591f457564332a92b2b7754ec46",
	"title": "Stairwell threat report: Black Basta overview and detection rules - Stairwell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65770,
	"plain_text": "Stairwell threat report: Black Basta overview and detection rules -\r\nStairwell\r\nBy By Threat Research\r\nArchived: 2026-04-10 03:00:47 UTC\r\nStairwell Threat Team analysis of Black Basta ransomware\r\nThe Stairwell Threat Research Team has been closely tracking the recent attacks from the Black Basta\r\nransomware group against the US public health sector. First identified in April of 2022, Black Basta is a\r\nransomware-as-a-service operation that emerged following the collapse of Conti. So far, this ransomware group\r\nhas impacted hundreds of organizations, from construction to healthcare industries, since the group first emerged\r\nin 2022. Common tactics of Black Basta include spear-phishing, malicious PowerShell scripts (utilizing tools and\r\nother malware such as Cobalt Strike and Qakbot), and exfiltrating sensitive data.\r\nBlack Basta typically leverages double extortion tactics as part of their ransomware operations; this tactic involves\r\nattackers first exfiltrating data for potential future extortion, and then encrypting data locally on a target network.\r\nTypically, their ransom notes do not contain specifics of the demand – rather, victims are provided with a code and\r\nare directed to contact the group through a Tor browser. Victims are usually given between 10 and 12 days to pay\r\nthe ransom before their data is released on the Black Basta TOR site, Basta News.\r\nThe Stairwell team has written the following YARA rules to help organizations detect their presence and take the\r\nnecessary defensive and proactive measures to try to remediate Black Basta attacks. As Stairwell is based on\r\nproviding evasion-resistant security capabilities, which is a fundamental principle for our development, we are\r\nreleasing a number of YARA detection (see below) rules publicly to help organizations stay ahead of the threats\r\nposed by Black Basta. Stairwell customers and users can find copies of these rules under the Stairwell Research\r\nruleset.\r\nAbout Stairwell’s Threat Research Team\r\nThe Stairwell Threat Research Team consists of renowned threat researchers, incident responders, and cyber risk\r\nexperts with the common goal of proactively improving organizations’ cyber defenses against the latest threats.\r\nThe team continuously explores the threat landscape to uncover and gather the latest threat intelligence from\r\naround the globe. The findings from the Stairwell Threat Research Team are integrated into the Stairwell solution\r\nand often shared with the larger cybersecurity community.\r\nYARA rules\r\nrule BlackBasta_Ransomware_chat_site\r\n{\r\n meta:\r\nhttps://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/\r\nPage 1 of 5\n\nauthor = \"Stairwell Research Team\"\r\n description = \"Detection for the ransom chat site URL for BlackBasta ransomware\"\r\n hash = \"7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a\"\r\n version = \"0.1\"\r\n strings:\r\n $ = \"aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion\"\r\n condition:\r\n all of them\r\n}\r\nrule BlackBasta_Ransomware_note\r\n{\r\n meta:\r\n author = \"Stairwell Research Team\"\r\n description = \"Detection for the ransom note in BlackBasta ransomware\"\r\n hash = \"7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a\"\r\n version = \"0.1\"\r\n strings:\r\n $ = \"Your data are stolen and encrypted\"\r\n $ = \"The data will be published on TOR website if you do not pay the ransom\"\r\n $ = \"You can contact us and decrypt one file for free on this TOR site\"\r\n $ = \"(you should download and install TOR browser first https://torproject.org)\"\r\n $ = \"https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/\"\r\n $ = \"Your company id for log in: \"\r\n condition:\r\n 5 of them\r\n}\r\nrule BlackBasta_Ransomware2\r\n{\r\n meta:\r\n author= \"Stairwell Research Team\"\r\n description = \"Detection for BlackBasta Ransomware\"\r\n hash = \"7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a\"\r\n version = \"0.1\"\r\n strings:\r\n $ = \"Done time: %.4f seconds, encrypted: %.4f gb\"\r\n $ = \"ERRRROR with file \"\r\n $ = \"C:\\\\Windows\\\\SysNative\\\\vssadmin.exe delete shadows /all /quiet\"\r\n $ = \"C:\\\\Windows\\\\System32\\\\vssadmin.exe delete shadows /all /quiet\"\r\n $ = \"Error 755: \"\r\n $ = \"%b %d %H : %M : %S %Y\"\r\n condition:\r\n 5 of them\r\n}\r\nhttps://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/\r\nPage 2 of 5\n\nrule BlackBasta_Ransomware {\r\n meta:\r\n author = \"Stairwell Research Team\"\r\n date = \"2024-05-14\"\r\n description = \"Black Basta\"\r\n hash_001 = \"203d2807df6ef531efbec7bfd109986de3e23df64c01ea4e337cbe5ba675248b\"\r\n hash_002 = \"affcb453760dbc48b39f8d4defbcc4fc65d00df6fae395ee27f031c1833abada\"\r\n hash_003 = \"449d87ca461823bb85c18102605e23997012b522c4272465092e923802a745e9\"\r\n hash_004 = \"ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e\"\r\n hash_005 = \"50f45122fdd5f8ca05668a385a734a278aa126ded185c3377f6af388c41788cb\"\r\n hash_006 = \"7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a\"\r\n hash_007 = \"d1949c75e7cb8e57f52e714728817ce323f6980c8c09e161c9e54a1e72777c13\"\r\n hash_008 = \"a54fef5fe2af58f5bd75c3af44f1fba22b721f34406c5963b19c5376ab278cd1\"\r\n hash_009 = \"cce74c82a718be7484abf7c51011793f2717cfb2068c92aa35416a93cbd13cfa\"\r\n hash_010 = \"d943a4aabd76582218fd1a9a0a77b2f6a6715b198f9994f0feae6f249b40fdf9\"\r\n hash_011 = \"dc56a30c0082145ad5639de443732e55dd895a5f0254644d1b1ec1b9457f04ff\"\r\n strings:\r\n $a_0 = \"(you should download and install TOR browser first https://torproject.org)\" ascii\r\n $a_1 = \"The data will be published on TOR website if you do not pay the ransom\" ascii\r\n $a_2 = \"You can contact us and decrypt one file for free on this TOR site\" ascii\r\n $a_3 = \"C:\\\\Windows\\\\SysNative\\\\vssadmin.exe delete shadows /all /quiet\" ascii\r\n $a_4 = \"C:\\\\Windows\\\\System32\\\\vssadmin.exe delete shadows /all /quiet\" ascii\r\n $a_5 = \"mpz_powm: Negative exponent and non-invertible base.\" ascii\r\n $a_6 = \".?AVfilesystem_error@filesystem@ghc@@\" ascii\r\n $a_7 = \"Your data are stolen and encrypted\" ascii\r\n $a_8 = \"serviceHub.testWindowstorehost.exe\" wide ascii\r\n $a_9 = \"serviceHub.dataWarehouseHost.exe\" wide ascii\r\n $a_10 = \"serviceHub.vsdetouredhost.exe\" wide ascii\r\n $a_11 = \"mpz_import: Nails not supported.\" ascii\r\n $a_12 = \"mpz_div_qr: Divide by zero.\" ascii\r\n $a_13 = \"serviceHub.host.clr.x64.exe\" wide ascii\r\n $a_14 = \"serviceHub.host.clr.exe\" wide ascii\r\n $a_15 = \"brokerinfrastructure\" wide\r\n $a_16 = \"mpz_powm: Zero modulo.\" ascii\r\n $a_17 = \"vsdebugconsole.exe\" wide ascii\r\n $a_18 = \"dlaksjdoiwq.jpg\" wide\r\n $a_19 = \"comsysapp\" wide\r\n $a_20 = \"vctip.exe\" wide ascii\r\n $a_21 = \"rOVdVGrd]d\" ascii\r\n $a_22 = \"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\":33333C3kf\" ascii\r\n $a_23 = \"GIMP built-in sRG\" wide\r\n $a_24 = \"6acspAPPL\" ascii\r\n $a_25 = \"lkXKg'9Kf\" ascii\r\n $a_26 = \" !AQaq0p@\" ascii\r\n $a_27 = \" !0Ap@`\\\"P\" ascii\r\n $a_28 = \"V\u0026kg(zHT\" ascii\r\nhttps://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/\r\nPage 3 of 5\n\n$a_29 = \".basta\" wide fullword\r\n $a_30 = \"dlaksjdoiwq.jpg\" wide fullword\r\n $a_31 = \"fkdjsadasd.ico\" wide fullword\r\n $a_32 = \"readme.txt\" wide fullword\r\n $a_33 = \".onion\"\r\n $c_2 = \"Done time: %.4f seconds, encrypted: %.4f gb\" wide ascii\r\n $c_3 = \"ERRRRRRRROr\" ascii\r\n $c_4 = \"Error 755: \" ascii\r\n condition:\r\n 8 of them\r\n}\r\nrule Blackbasta_linux {\r\n meta:\r\n author = \"Stairwell Research Team\"\r\n date = \"2024-05-15\"\r\n description = \"Linux Black Basta\"\r\n hash_001 = \"0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef\"\r\n hash_002 = \"96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be\"\r\n hash_003 = \"41b3d0d4419eac75017e76fe3bd76ec6a968cb68af4cf6335a27a196c47bac25\"\r\n hash_004 = \"1dff5e105493decfaa275720a822fadc57cca073f0d7eb3a11ad9efbb306985d\"\r\n hash_005 = \"d144b61c0626989039aa5eb56bd7d276a22959aeb19d1610cd35359a2ee85dc1\"\r\n strings:\r\n $a_1 = \"(you should download and install TOR browser first https://torproject.org)\" ascii\r\n $a_2 = \"The data will be published on TOR website if you do not pay the ransom\" ascii\r\n $a_3 = \"https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/\" ascii\r\n $a_4 = \"You can contact us and decrypt one file for free on this TOR site\" ascii\r\n $a_5 = \"mpz_rootrem: Negative argument, with even root.\" ascii\r\n $a_6 = \"Your data are stolen and encrypted\" ascii\r\n $a_7 = \"C:/Users/dssd/Desktop/src\" ascii\r\n $a_8 = \"CandiesPlus.cpp\" ascii\r\n $a_9 = \"lockedWallpaper\" ascii\r\n $a_10 = \"forcedPath\" ascii\r\n $a_11 = \"/vmfs/volumes\" ascii\r\n $b_1 = \"Done time: %.4f seconds, encrypted: %.4f gb\" ascii\r\n $b_2 = \"Your company id for log in: \" ascii\r\n condition:\r\n uint32(0) == 1179403647 and 8 of them\r\n}\r\nhttps://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/\r\nPage 4 of 5\n\nrule Blackbasta_note\r\n{\r\n meta:\r\n author=\"Stairwell Research Team\"\r\n date=\"2024-05-14\"\r\n description=\"Black Basta ransom note rule\"\r\n hash=\"7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a\"\r\n hash=\"8dacc4d09d9c9cfd16b98f215b9925f8e741b51dc49fe2af3d705760a73189fe\"\r\n hash=\"15cd31ba6bd53f177ef700e93333e093d6ece9eece16848bee7b33eb267d4ee2\"\r\n hash=\"ce180470d48a569c1f87fbfee0cf41b9842a1f69eb040f437bb90e06c7040b82\"\r\n strings:\r\n $a1 = \"You can contact us and decrypt one file for free on these TOR sites\"\r\n $a2 = \"Decryption ID: \"\r\n $a3 = \"The data will be published on TOR website \"\r\n $a4 = \"Your data are stolen and encrypted\"\r\n $a5 = \"Your company id for log in: \"\r\n $a6 = \"(you should download and install TOR browser first https://torproject.org)\"\r\n $a7 = \"The data will be published on TOR website if you do not pay the ransom\"\r\n condition:\r\n 4 of them\r\n}\r\nRecommended reading\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a\r\nMay 10, 2024 – #StopRansomware: Black Basta\r\nhttps://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/\r\nMay 10, 2024 – Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators\r\nhttps://www.ic3.gov/Media/News/2024/240511.pdf\r\nMay 10, 2024 – #StopRansomware: Black Basta\r\nSource: https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/\r\nhttps://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/"
	],
	"report_names": [
		"stairwell-threat-report-black-basta-overview-and-detection-rules"
	],
	"threat_actors": [],
	"ts_created_at": 1775791232,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaf0612699ffb591f457564332a92b2b7754ec46.pdf",
		"text": "https://archive.orkl.eu/aaf0612699ffb591f457564332a92b2b7754ec46.txt",
		"img": "https://archive.orkl.eu/aaf0612699ffb591f457564332a92b2b7754ec46.jpg"
	}
}