{
	"id": "951347d8-4100-4860-acc2-171dad4f3fee",
	"created_at": "2026-04-06T00:10:51.740077Z",
	"updated_at": "2026-04-10T13:12:03.176424Z",
	"deleted_at": null,
	"sha1_hash": "b3348d52348c4340e15850cd6871304b83983320",
	"title": "Threat Assessment: Black Basta Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 828229,
	"plain_text": "Threat Assessment: Black Basta Ransomware\r\nBy Amer Elsad\r\nPublished: 2022-08-25 · Archived: 2026-04-05 19:33:49 UTC\r\nExecutive Summary\r\nBlack Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that\r\nit has been in development since February. The Black Basta operator(s) use the double extortion technique,\r\nmeaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to\r\nmake decryption possible, they also maintain a dark web leak site where they threaten to post sensitive\r\ninformation if an organization chooses not to pay ransom.\r\nBlack Basta affiliates have been very active deploying Black Basta and extorting organizations since the\r\nransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of\r\nmonths, based on the information posted on their leak site, they have compromised over 75 organizations at the\r\ntime of this publication. Unit 42 has also worked on several Black Basta incident response cases.\r\nThe ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users’ data\r\nusing a combination of ChaCha20 and RSA-4096, and to speed up the encryption process, the ransomware\r\nencrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted between the encrypted regions. The\r\nfaster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It\r\nis a key factor affiliates look for when joining a Ransomware-as-a-Service group.\r\nPalo Alto Networks customers receive help with detection and prevention of Black Basta ransomware through the\r\nfollowing products and services: Cortex XDR and Next-Generation Firewalls (including cloud-delivered security\r\nservices such as WildFire).\r\nIf you think you may have been impacted by a cyber incident, the Unit 42 Incident Response team is available\r\n24/7/365. You can also take preventative steps by requesting any of our cyber risk management services.\r\nBlack Basta Overview\r\nBlack Basta is ransomware as a service (RaaS) that leverages double extortion as part of its attacks. The attackers\r\nnot only execute ransomware but also exfiltrate sensitive data and threaten to release it publicly if the ransom\r\ndemands are not met. The threat actors behind the ransomware deploy a name-and-shame approach to their victim,\r\nwhere they use a Tor site, Basta News, to list all of the victims who have not paid the ransom.\r\nAlthough the Black Basta RaaS has only been active for a couple of months, according to its leak site, it had\r\ncompromised over 75 organizations at the time of this publication. At least 20 victims were posted to its leak site\r\nin the first two weeks of the ransomware’s operation, which indicates the group likely is experienced in the\r\nransomware business and has a steady source of initial access.\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 1 of 13\n\nIt is also possible that this is not a new operation but rather a rebrand of a previous ransomware group that brought\r\nalong their affiliates. Based on multiple similarities in tactics, techniques and procedures (TTPs) - victim-shaming\r\nblogs, recovery portals, negotiation tactics, and how quickly Black Basta amassed its victims - that the Black\r\nBasta group could include current or former members of the Conti group.\r\nUnit 42 has observed the Black Basta ransomware group using QBot as an initial point of entry and to move\r\nlaterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a\r\nbanking trojan and evolved into a malware dropper. It has been used by other ransomware groups, including\r\nMegaCortex, ProLock, DoppelPaymer and Egregor. While these ransomware groups used QBot for initial access,\r\nthe Black Basta group was observed using it for both initial access and to spread laterally throughout the network.\r\nFigure 1 below shows the standard attack lifecycle observed with Black Basta ransomware.\r\nFigure 1. Black Basta attack lifecycle based on Unit 42 incident response cases.\r\nTechnical Details\r\nBlack Basta is written in C++ and is cross-platform ransomware that impacts both Windows and Linux systems.\r\nIn June 2022, a VMware ESXi variant of Black Basta was observed targeting virtual machines running on\r\nenterprise Linux servers.\r\nThe ransomware includes anti-analysis techniques that attempt to detect code emulation or sandboxing to avoid\r\nvirtual/analysis machine environments. It also supports the command line argument -forcepath that is used to\r\nencrypt files in a specified directory. Otherwise, the entire system, except for certain critical directories, is\r\nencrypted.\r\nThe ransomware spawns a mutex with a string of dsajdhas.0 to ensure a single instance of the malware is running\r\nat a time. Then it will iterate through the entire file system, encrypting files with a file extension of .basta.\r\nBlack Basta ransomware encrypts users’ data through a combination of ChaCha20 and RSA-4096. To speed up the\r\nencryption process, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted\r\nbetween the encrypted regions. The ransomware also attempts to delete shadow copies and other backups of files\r\nusing vssadmin.exe, a command-line tool that manages Volume Shadow Copy Service (VSS), which captures and\r\ncopies stable images for backups on running systems.\r\nIt writes the Random-letters.ico and Random-letters.jpg files to the %TEMP% directory. The .jpg file is leveraged\r\nto overwrite the desktop background and appears as follows:\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 2 of 13\n\nFigure 2. Black Basta desktop wallpaper.\r\nIt adds a custom icon to the registry, corresponding to the .basta icon, which is shown in Figure 3.\r\nFigure 3. Black Basta icon.\r\nIt will then boot the system in safe mode and proceed to encrypt files. Following successful encryption, the file’s\r\nextension is changed to .basta and the ransomware will write numerous instances of readme.txt, which contains\r\nthe following ransom note:\r\nFigure 4. Black Basta ransom note.\r\nTactics, Techniques and Procedures\r\nWe have observed Black Basta affiliates leveraging the following TTPs:\r\nTactic / Technique Notes\r\nTA0001 Initial Access\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 3 of 13\n\nT1566.001. Phishing: Spear\r\nphishing Attachment\r\nVictims receive spear phishing emails with attached malicious zip files -\r\ntypically password protected. That contains malicious doc including\r\n.doc, .pdf, .xls\r\nTA0002 Execution\r\nT1569.002. System Services:\r\nService Execution\r\nBlack Basta has installed and used PsExec to execute payloads on\r\nremote hosts.\r\nT1047. Windows Management\r\nInstrumentation\r\nUtilizes Invoke-TotalExec to push out the ransomware binary.\r\nT1059.001. Command and\r\nScripting Interpreter: PowerShell\r\nBlack Basta has encoded PowerShell scripts to download additional\r\nscripts.\r\nTA0003 Persistence\r\nT1136. Create Account\r\nBlack Basta threat actors created accounts with names such as temp, r, or\r\nadmin.\r\nT1098. Account Manipulation\r\nAdded newly created accounts to the administrators' group to maintain\r\nelevated access.\r\nT1543.003. Create or Modify\r\nSystem Process: Windows\r\nService\r\nCreates benign-looking services for the ransomware binary.\r\nT1574.001. Hijack Execution\r\nFlow: DLL Search Order\r\nHijacking\r\nBlack Basta used Qakbot, which has the ability to exploit Windows 7\r\nCalculator to execute malicious payloads.\r\nTA0004 Privilege Escalation\r\nT1484.001. Domain Policy\r\nModification: Group Policy\r\nModification\r\nBlack Basta can modify group policy for privilege escalation and\r\ndefense evasion.\r\nT1574.001. Hijack Execution\r\nFlow: DLL Search Order\r\nHijacking\r\nBlack Basta used Qakbot, which has the ability to exploit Windows 7\r\nCalculator to execute malicious payloads.\r\nT1543.003. Create or Modify\r\nSystem Process: Windows\r\nService\r\nCreates benign-looking services for the ransomware binary.\r\nTA0005 Defense Evasion\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 4 of 13\n\nT1484.001. Domain Policy\r\nModification: Group Policy\r\nModification\r\nBlack Basta can modify group policy for privilege escalation and\r\ndefense evasion.\r\nT1218.010. System Binary Proxy\r\nExecution: Regsvr32\r\nBlack Basta has used regsvr32.exe to execute a malicious DLL.\r\nT1070.004. Indicator Removal on\r\nHost: File Deletion\r\nAttempts to delete malicious batch files.\r\nT1112. Modify Registry Black Basta makes modifications to the Registry.\r\nT1140. Deobfuscate/Decode Files\r\nor Information\r\nInitial malicious .zip file bypasses some antivirus detection due to\r\npassword protection.\r\nT1562.001. Impair Defenses:\r\nDisable or Modify Tools\r\nDisables Windows Defender with batch scripts, such as d.bat or\r\ndefof.bat.\r\nT1562.004. Impair Defenses:\r\nDisable or Modify System\r\nFirewall\r\nUses batch scripts, such as rdp.bat or SERVI.bat, to modify the firewall\r\nto allow remote administration and RDP.\r\nT1562.009. Impair Defenses:\r\nSafe Boot Mode\r\nUses bcdedit to boot the device in safe mode.\r\nT1574.001. Hijack Execution\r\nFlow: DLL Search Order\r\nHijacking\r\nBlack Basta used Qakbot, which has the ability to exploit Windows 7\r\nCalculator to execute malicious payloads.\r\nT1622. Debugger Evasion Uses IsDebuggerPresent to check if processes are being debugged.\r\nTA0006 Credential Access\r\nT1555. Credentials from\r\nPassword Stores\r\nBlack Basta uses Mimikatz to dump passwords.\r\nTA0007 Discovery\r\nT1087.002. Account Discovery:\r\nDomain Account\r\nUsed commands such as net user /domain and net group /domain.\r\nT1016. System Network\r\nConfiguration Discovery\r\nLists internal IP addresses to target in C:\\Windows\\pc_list.txt – typically\r\nfound on the Domain Controller.\r\nT1082. System Information\r\nDiscovery\r\nUses GetComputerName to query the computer name.\r\nT1622. Debugger Evasion Uses IsDebuggerPresent to check if processes are being debugged.\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 5 of 13\n\nTA0008 Lateral Movement\r\nT1021.001. Remote Services:\r\nRemote Desktop Protocol\r\nBlack Basta has used RDP for lateral movement.\r\nTA0009 Collection\r\nT1560.001. Archive Collected\r\nData: Archive via Utility\r\nTA0010 Exfiltration\r\nT1567. Exfiltration over Web\r\nService\r\nTA0011 Command and Control\r\nT1219. Remote Access Software\r\nBlack Basta has installed and used legitimate tools such as TeamViewer\r\nand AnyConnect on targeted systems.\r\nT1573. Encrypted Channel Uses Qakbot primarily and Cobalt Strike.\r\nTA0040 Impact\r\nT1486. Data Encrypted for\r\nImpact\r\nBlack Basta modifies the Desktop background by adding a .jpg in\r\nC:\\Temp and creating a registry key HKCU\\Control Panel\\Desktop.\r\nAdditionally modifies the registry to change the icon of encrypted files.\r\nIt encrypts files excluding those with a .exe, .cmd, .bat and .com\r\nextension. Uses ChaCha20 or RSA-4096 to encrypt victims.\r\nT1489. Service Stop Uses sc stop and taskkill to stop services.\r\nT1490. Inhibit System Recovery Black Basta deletes Volume Shadow Copies using vssadmin.\r\nTable 1. Tactics, techniques and procedures for Black Basta activity.\r\nVictimology\r\nThe ransomware group and its affiliate program reportedly compromised multiple large organizations, in sectors\r\nincluding consumer and industrial products; energy, resources and agriculture; manufacturing; utilities;\r\ntransportation; government agencies; professional services and consulting; and real estate.\r\nBlack Basta operators also posted on dark web forums expressing interest in attacking organizations based in\r\nAustralia, Canada, New Zealand, the U.K. and the U.S. Threat actors using the ransomware impacted\r\norganizations based in the U.S., Germany, Switzerland, Italy, France and the Netherlands (listed in descending\r\norder by numbers of allegedly breached organizations).\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 6 of 13\n\nFigure 5. Black Basta post on dark web forums.\r\nThe threat actor(s) responsible for Black Basta operate a cybercrime marketplace and victim name-and-shame\r\nblog. This site is hosted as a Tor hidden service, where the Black Basta ransomware group lists their victims’\r\nnames, descriptions, percentage of stolen data which has been published, number of visits and any data exfiltrated.\r\nThere were 75 victims listed on the leak site at the time of writing.\r\nFigure 6. Black Basta News site where the threat actors post allegedly breached organizations\r\n(details redacted) and number of visits.\r\nCourses of Action\r\nSeveral adversarial techniques were observed in activity associated with Black Basta, and the following measures\r\nare suggested within Palo Alto Networks products and services to mitigate threats related to Black Basta\r\nransomware, as well as other malware using similar techniques:\r\nProduct / Service Course of Action\r\nInitial Access\r\nThe below courses of action mitigate the following techniques:\r\nSpear Phishing Attachment [T1566.001]\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 7 of 13\n\nTHREAT PREVENTION\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap'\r\nand 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nNEXT-GENERATION\r\nFIREWALLS\r\nSet up File Blocking\r\nCORTEX XDR PREVENT Configure Malware Security Profile\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook – Endpoint Malware Investigation\r\nDeploy XSOAR Playbook – Phishing Investigation – Generic V2\r\nExecution\r\nThe below courses of action mitigate the following techniques:\r\nService Execution [T1569.002], Windows Management Instrumentation [T1047], PowerShell [T1059.001]\r\nNEXT-GENERATION\r\nFIREWALLS\r\nEnsure remote access capabilities for the User-ID service account are\r\nforbidden.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nEnsure that the User-ID service account does not have interactive logon\r\nrights\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on\r\nTrusted Threat Intelligence Sources exists\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is\r\nenabled\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nCORTEX XDR PREVENT Configure Restrictions Security Profile\r\nPersistence, Privilege Escalation, Defense Evasion\r\nThe below courses of action mitigate the following techniques:\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 8 of 13\n\nCreate Account [T1136], Account Manipulation [T1098], Regsvr32 [T1218.010], File Deletion [T1070.004],\r\nDisable or Modify Tools [T1562.001], Modify Registry [T1112], Deobfuscate/Decode Files or Information\r\n[T1140], Disable or Modify System Firewall [T1562.004], Windows Service [T1543.003], DLL Search Order\r\nHijacking [T1574.001], Group Policy Modification [T1484.001]\r\nNEXT-GENERATION\r\nFIREWALLS\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is\r\nenabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nEnsure that the User-ID service account does not have interactive logon\r\nrights\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure remote access capabilities for the User-ID service account are\r\nforbidden.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook – Access Investigation Playbook\r\nDeploy XSOAR Playbook – Block Account Generic\r\nDeploy XSOAR Playbook – Impossible Traveler\r\nCORTEX XDR PREVENT\r\nConfigure Host Firewall Profile\r\nEnable Anti-Exploit Protection\r\nConfigure Restrictions Security Profile\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nEnable Anti-Malware Protection\r\nCredential Access\r\nThe below courses of action mitigate the following techniques:\r\nCredentials from Password Stores [T1555]\r\nCORTEX XDR\r\nCortex XDR monitors for behavioral events and files associated with\r\ncredential access and exfiltration\r\nDiscovery\r\nThe below courses of action mitigate the following techniques:\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 9 of 13\n\nSystem Network Configuration Discovery [T1016], System Information Discovery [T1082], Domain Account\r\n[T1087.002]\r\nCORTEX XDR\r\nCortex XDR monitors for behavioral events along a causality chain to\r\nidentify discovery behaviors\r\nLateral Movement\r\nThe below courses of action mitigate the following techniques:\r\nRemote Desktop Protocol [T1021.001]\r\nNEXT-GENERATION\r\nFIREWALLS\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nEnsure remote access capabilities for the User-ID service account are\r\nforbidden\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is\r\nenabled\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nEnsure that the User-ID service account does not have interactive logon\r\nrights\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance\r\nProtection settings enabled, tuned and set to appropriate actions\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on\r\nTrusted Threat Intelligence Sources exists\r\nCORTEX XDR PREVENT Configure Host Firewall Profile\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook – Access Investigation Playbook\r\nDeploy XSOAR Playbook – Block Account Generic\r\nCollection\r\nThe below courses of action mitigate the following techniques:\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 10 of 13\n\nArchive via Utility [T1560.001]\r\nCORTEX XDR\r\nMonitors for behavioral events via BIOCs including the creation of zip\r\narchives\r\nCommand and Control\r\nThe below courses of action mitigate the following techniques:\r\nRemote Access Software [T1219], Encrypted Channel [T1573]\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook – PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook – Block URL\r\nDeploy XSOAR Playbook – Block IP\r\nNEXT-GENERATION\r\nFIREWALLS\r\nEnsure that the Certificate used for Decryption is Trusted\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on\r\nTrusted Threat Intelligence Sources Exists\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the Internet is\r\nconfigured\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined\r\nfor servers using SSL or TLS\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nTHREAT PREVENTION Ensure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware\r\nprofiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies\r\npermitting traffic to the Internet\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap'\r\nand 'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware\r\nseverity levels, categories, and threats\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 11 of 13\n\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nURL FILTERING\r\nEnsure secure URL filtering is enabled for all security policies allowing\r\ntraffic to the Internet\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the\r\nURL categories\r\nEnsure that access to every URL is logged\r\nImpact\r\nThe below courses of action mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Service Stop [T1489], Inhibit System Recovery [T1490]\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook – Ransomware Manual for incident response.\r\nDeploy XSOAR Playbook – Palo Alto Networks Endpoint Malware\r\nInvestigation\r\nConclusion\r\nBlack Basta ransomware operators have been active since at least April 2022. Although their RaaS has only been\r\nactive for the past couple of months it had compromised at least 75 organizations at the time of this publication.\r\nDue to the high-profile nature and steady stream of Black Basta attacks identified globally in 2022, the operators\r\nand/or affiliates behind the service likely will continue to attack and extort organizations.\r\nPalo Alto Networks helps detect and prevent Black Basta ransomware in the following ways:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR:\r\nIdentifies indicators associated with Black Basta.\r\nAnti-Ransomware Module blocks Black Basta encryption behaviors on Windows.\r\nLocal Analysis detection for Black Basta binaries on Windows and Linux.\r\nBehavioral Threat Prevention prevents Black Basta behaviors.\r\nNext-Generation Firewalls: DNS Signatures detect the known C2 domains, which are also categorized as\r\nmalware in Advanced URL Filtering.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC:\r\n+65.6983.8730, or Japan: +81.50.1790.0200.\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 12 of 13\n\nIndicators of compromise and Black Basta-associated TTPs can be found in the Black Basta ATOM.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nEnlarged Image\r\nSource: https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware"
	],
	"report_names": [
		"threat-assessment-black-basta-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434251,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3348d52348c4340e15850cd6871304b83983320.pdf",
		"text": "https://archive.orkl.eu/b3348d52348c4340e15850cd6871304b83983320.txt",
		"img": "https://archive.orkl.eu/b3348d52348c4340e15850cd6871304b83983320.jpg"
	}
}