Black Basta

Malware updated 23 days ago (2024-11-29T13:56:52.113Z)
Download STIX
Preview STIX
Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses and prolong their presence within compromised networks. Their post-exploitation activities typically involve stealing sensitive information, disrupting operations, and demanding ransoms for the return of encrypted data. The group's most notable attacks include successful infiltrations of Hyundai Motor Europe and UK water utility Southern Water. In the case of Hyundai Motor Europe, the specifics of the breach are not detailed, but it underscores Black Basta's capacity to compromise large multinational corporations. Earlier, in January, they claimed responsibility for hacking Southern Water, a major player in the UK water industry. These incidents highlight the broad range of industries that Black Basta targets, from automotive to utilities. Black Basta's evolving strategies were further highlighted when ReliaQuest researchers discovered a new social engineering technique employed by the group. They found that Black Basta affiliates switched to using Microsoft Teams, posing as IT support to deceive employees into granting access. This approach allowed them to exploit vulnerabilities like CVE-2024-26169 and CVE-2024-37085 to gain initial access to target networks. Threat intelligence firm RedSense identified Black Basta as an offshoot of the Conti ransomware group, linking it to other ransomware strains such as Akira and BlackBye.
Description last updated: 2024-10-29T20:03:01.825Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
QakBot is a possible alias for Black Basta. Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope
12
Conti is a possible alias for Black Basta. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona
9
Akira is a possible alias for Black Basta. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
7
FIN7 is a possible alias for Black Basta. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
7
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
Exploit
Extortion
Encryption
Esxi
Encrypt
Phishing
Vulnerability
Windows
RaaS
Linux
Data Leak
Lateral Move...
Microsoft
Cobalt Strike
Botnet
Bitcoin
Payload
Exploits
Github
Tool
Screenconnect
Reconnaissance
Cybercrime
Loader
Capita
Trojan
Chrome
Rheinmetall
Healthcare
Backdoor
Macos
Spearphishing
Locker
Fraud
Zero Day
Fbi
Rapid7
Rmm
Mitre
Ddos
Ransomware P...
Spam
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lockbit Malware is associated with Black Basta. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers orUnspecified
6
The Qbot Malware is associated with Black Basta. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23 Unspecified
6
The REvil Malware is associated with Black Basta. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
6
The Brute Ratel Malware is associated with Black Basta. Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. VariUnspecified
5
The Hive Malware is associated with Black Basta. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostagis related to
4
The Clop Malware is associated with Black Basta. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
4
The AvosLocker Malware is associated with Black Basta. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal infoUnspecified
4
The HELLOKITTY Malware is associated with Black Basta. HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold datUnspecified
4
The MegaCortex Malware is associated with Black Basta. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industriaUnspecified
3
The PlugX Malware is associated with Black Basta. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to sUnspecified
3
The Pikabot Malware is associated with Black Basta. Pikabot is a malicious software (malware) that has been used extensively by various threat groups to exploit and damage computer systems. Initially, the BlackBasta group used phishing and vishing to deliver malware types such as DarkGate and Pikabot but quickly sought alternatives for further maliciUnspecified
3
The malware Conti, Lockbit is associated with Black Basta. Unspecified
2
The Egregor Malware is associated with Black Basta. Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also puUnspecified
2
The Emotet Malware is associated with Black Basta. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, Unspecified
2
The Cactus Malware is associated with Black Basta. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus is related to
2
The Systembc Malware is associated with Black Basta. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage fUnspecified
2
The Netsupport Manager Malware is associated with Black Basta. NetSupport Manager is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware has been detected by InsightIDR Attacker BehavioUnspecified
2
The Blackbasta Malware is associated with Black Basta. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnetUnspecified
2
The Darkgate Malware is associated with Black Basta. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicioUnspecified
2
The Karakurt Malware is associated with Black Basta. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a Unspecified
2
The Lockbit Black Malware is associated with Black Basta. LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Bl00dy Threat Actor is associated with Black Basta. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant iUnspecified
5
The Alphv Threat Actor is associated with Black Basta. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient pUnspecified
5
The Kimsuky Threat Actor is associated with Black Basta. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, whichUnspecified
2
The BianLian Threat Actor is associated with Black Basta. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directoryis related to
2
The Blackmatter Threat Actor is associated with Black Basta. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. HoweveUnspecified
2
The Vice Society Threat Actor is associated with Black Basta. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of ZeppeUnspecified
2
The Conti Ransomware Gang Threat Actor is associated with Black Basta. The Conti ransomware gang, a notorious threat actor in the cybersecurity landscape, has been responsible for extorting at least $180 million globally. The gang is infamous for the HSE cyberattack in 2021 and has been sanctioned by the National Crime Agency (NCA). In late 2021, experts suggested thatUnspecified
2
The Zeon Threat Actor is associated with Black Basta. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as BUnspecified
2
The Qilin Threat Actor is associated with Black Basta. Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2024-1709 Vulnerability is associated with Black Basta. CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid ResponseUnspecified
4
The vulnerability CVE-2024-37085 is associated with Black Basta. Unspecified
3
The Printnightmare Vulnerability is associated with Black Basta. PrintNightmare is a severe vulnerability (CVE-2021-34527) affecting the Windows Print Spooler service, allowing an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw in software design or implementation enables any authenUnspecified
2
The CVE-2024-1708 Vulnerability is associated with Black Basta. CVE-2024-1708 is a high-severity path traversal vulnerability that was discovered in ConnectWise's ScreenConnect software. This flaw, which affects versions 23.9.7 and earlier, allows a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request. ConnectWise dUnspecified
2
Source Document References
Information about the Black Basta Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
17 hours ago
Checkpoint
11 days ago
Securityaffairs
11 days ago
Securelist
21 days ago
Unit42
2 months ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
Securityaffairs
3 months ago
InfoSecurity-magazine
3 months ago
Securelist
4 months ago
DARKReading
4 months ago
BankInfoSecurity
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
InfoSecurity-magazine
4 months ago
InfoSecurity-magazine
4 months ago
Checkpoint
5 months ago
Securityaffairs
5 months ago