Black Basta Ransomware Is On The Rise - Talion

Ransomware gangs with imaginative names dominate the cybersecurity headlines. The same names appear again and again, from Conti and LockBit to REvil.

Sometimes, however, a new ransomware gang gets thrown in the mix.

Over the past few months, that has been ‘Black Basta’ ransomware.

We’ve had a look at the Black Basta attack techniques, previous targets and suspicions of it hiding behind an experienced, already well-known ransomware operation.

 

Who Are Black Basta Ransomware?

Black Basta are a relatively new ransomware gang known for using a double extortion attack model and, more recently, for leveraging QBot to move laterally across a compromised network. They have reportedly been active since April 2022, although some threat researchers put the start at February, because the ransomware name “no_name_software” coincided with two earlier operations. Within a few weeks of launch they had already breached at least twelve companies, and their worldwide expansion continues.

Black Basta primarily target enterprises with the intention of stealing corporate data, encrypting it and demanding a ransom. Victims’ files and documents are published on the “Black Basta Blog” or “Basta News” Tor site. The victim is supplied with a readme.txt file in every encrypted folder on their device, containing a link and a unique ID to log in to a negotiation chat session with the threat actors. There, Black Basta leave a welcome message, the ransom amount to pay and the threat that, if it isn’t paid within seven days, the data will be leaked. They have even promised a security report once the ransom is paid.
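The behaviour described above (one ransom note dropped into every encrypted folder, next to files whose contents are now ciphertext) is something a defender can hunt for on a file share or forensic snapshot. The following Python script is an added example written for this post, not Talion’s tooling or anything from the Black Basta samples: it walks a directory tree, counts how many directories carry the note file name the post mentions (readme.txt) and how many files have ciphertext-like byte entropy, and raises a verdict when both signals line up. The entropy threshold, the directory ratio, and the sample tree the script builds for itself are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

# Ransom note file name described in the post (one copy per encrypted folder).
RANSOM_NOTE_NAME = "readme.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_for_ransom_notes(root, note_name=RANSOM_NOTE_NAME,
                          entropy_threshold=7.0, min_note_dirs=3, min_ratio=0.5):
    """Walk `root` and report how many directories carry the note and how many
    files look encrypted. The thresholds are assumed starting points, not tuned values."""
    note_dirs = []
    high_entropy_files = []
    total_dirs = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        total_dirs += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == note_name.lower():
                note_dirs.append(dirpath)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # sample only the first 4 KiB of each file
            except OSError:
                continue
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                high_entropy_files.append(path)
    ratio = len(note_dirs) / total_dirs if total_dirs else 0.0
    # Both signals together: many note-bearing folders AND a large share of the tree.
    suspicious = len(note_dirs) >= min_note_dirs and ratio >= min_ratio
    return {
        "total_dirs": total_dirs,
        "note_dirs": note_dirs,
        "note_ratio": ratio,
        "high_entropy_files": high_entropy_files,
        "suspicious": suspicious,
    }


def build_sample_tree() -> str:
    """Constructed demo tree: three 'encrypted' department folders, each holding a
    readme.txt and a random-byte document standing in for ciphertext, plus one
    untouched folder with ordinary text."""
    root = tempfile.mkdtemp(prefix="ransom_note_demo_")
    for i in range(3):
        d = os.path.join(root, f"dept{i}")
        os.makedirs(d)
        with open(os.path.join(d, "readme.txt"), "w") as fh:
            fh.write("CONSTRUCTED sample note: <negotiation link> <unique id placeholder>\n")
        with open(os.path.join(d, f"report{i}.docx"), "wb") as fh:
            fh.write(os.urandom(2048))  # constructed stand-in for encrypted content
    clean = os.path.join(root, "untouched")
    os.makedirs(clean)
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("ordinary low-entropy text " * 50)
    return root


if __name__ == "__main__":
    report = scan_for_ransom_notes(build_sample_tree())
    print(f"directories scanned : {report['total_dirs']}")
    print(f"note directories    : {len(report['note_dirs'])} ({report['note_ratio']:.0%})")
    print(f"high-entropy files  : {len(report['high_entropy_files'])}")
    print("verdict:", "SUSPICIOUS" if report["suspicious"] else "clean")
```

Point the scanner at a mounted share or a forensic image rather than a live endpoint, and treat the combination as the signal: the entropy check on its own will also flag archives, media and already-compressed documents, while a single readme.txt is an ordinary file name. The ratio and count thresholds are there to be tuned against a known-clean baseline of your own environment.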

More recently, a new Black Basta ransomware variant has been discovered that supports encryption of VMware ESXi servers, a move that can only be aimed at widening the pool of potential targets as Black Basta continue to plough ahead.

 

Black Basta Negotiation Site

 

Black Basta: Original Or Rebrand?

Given Black Basta’s rapid accumulation of victims and the perceived expertise shown in their negotiations, many threat researchers question whether this ransomware gang are truly original. Could they instead be a rebrand of an already experienced ransomware operation?

If this were the case, no new affiliates would be needed, which would explain Black Basta’s lack of marketing around recruiting new members. It would also coincide with the troubles that befell the Conti ransomware gang after a Ukrainian researcher leaked private conversations along with the ransomware’s source code; it would therefore make sense for an operation like Conti to rebrand to evade law enforcement and begin afresh.

MalwareHunterTeam have pointed out the similarities between Black Basta and Conti in both their site design and the language used by their support team, and others seem to have followed suit.

 

Black Basta Data Leak Site

 

It is impossible to predict the moves of ransomware gangs with full accuracy, despite continuous analysis of their tactics, techniques and procedures (TTPs). That is why it is important for every organisation to understand its cyber risk, including the worst-case scenarios.

Black Basta is one of many detrimental ransomware gangs, and you can stay in the know with our analysis of the top 5 ransomware strains over the past year.

Share your thoughts, join our #RansomAware community and keep safe.

 