Black Basta

Malware updated 13 days ago (2024-11-08T13:25:35.713Z)
Download STIX
Preview STIX
Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses and prolong their presence within compromised networks. Their post-exploitation activities typically involve stealing sensitive information, disrupting operations, and demanding ransoms for the return of encrypted data. The group's most notable attacks include successful infiltrations of Hyundai Motor Europe and UK water utility Southern Water. In the case of Hyundai Motor Europe, the specifics of the breach are not detailed, but it underscores Black Basta's capacity to compromise large multinational corporations. Earlier, in January, they claimed responsibility for hacking Southern Water, a major player in the UK water industry. These incidents highlight the broad range of industries that Black Basta targets, from automotive to utilities. Black Basta's evolving strategies were further highlighted when ReliaQuest researchers discovered a new social engineering technique employed by the group. They found that Black Basta affiliates switched to using Microsoft Teams, posing as IT support to deceive employees into granting access. This approach allowed them to exploit vulnerabilities like CVE-2024-26169 and CVE-2024-37085 to gain initial access to target networks. Threat intelligence firm RedSense identified Black Basta as an offshoot of the Conti ransomware group, linking it to other ransomware strains such as Akira and BlackBye.
Description last updated: 2024-10-29T20:03:01.825Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
QakBot is a possible alias for Black Basta. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d
12
Conti is a possible alias for Black Basta. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra
9
FIN7 is a possible alias for Black Basta. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
7
Akira is a possible alias for Black Basta. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
6
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Extortion
Exploit
Malware
Encryption
Encrypt
Phishing
Vulnerability
Windows
RaaS
Linux
Esxi
Data Leak
Lateral Move...
Microsoft
Botnet
Cobalt Strike
Bitcoin
Cybercrime
Tool
Exploits
Capita
Payload
Github
Trojan
Loader
Screenconnect
Reconnaissance
Chrome
Rheinmetall
Healthcare
Macos
Spearphishing
Locker
Fraud
Zero Day
Fbi
Rapid7
Rmm
Mitre
Ddos
Ransomware P...
Spam
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Qbot Malware is associated with Black Basta. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fiUnspecified
6
The REvil Malware is associated with Black Basta. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
6
The Lockbit Malware is associated with Black Basta. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
6
The Brute Ratel Malware is associated with Black Basta. Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. VariUnspecified
5
The AvosLocker Malware is associated with Black Basta. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal infoUnspecified
4
The Clop Malware is associated with Black Basta. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
4
The Hive Malware is associated with Black Basta. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostagis related to
4
The HELLOKITTY Malware is associated with Black Basta. HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold datUnspecified
4
The PlugX Malware is associated with Black Basta. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to sUnspecified
3
The MegaCortex Malware is associated with Black Basta. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industriaUnspecified
3
The Pikabot Malware is associated with Black Basta. Pikabot is a type of malware that serves as a trojan, providing initial access to infected computers. This enables the execution of ransomware deployments, remote takeovers, and data theft. It is part of a wider array of malicious software, including IcedID, Qakbot, Gozi, DarkGate, AsyncRAT, JinxLoaUnspecified
3
The malware Conti, Lockbit is associated with Black Basta. Unspecified
2
The Egregor Malware is associated with Black Basta. Egregor is a malicious software variant of the Sekhmet ransomware that operates on a Ransomware-as-a-Service (RaaS) model. It is speculated to be associated with former Maze affiliates, and is notorious for its double extortion tactics, which involve not only encrypting the victim's data but also puUnspecified
2
The Emotet Malware is associated with Black Basta. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, Unspecified
2
The Cactus Malware is associated with Black Basta. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus is related to
2
The Systembc Malware is associated with Black Basta. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage fUnspecified
2
The Netsupport Manager Malware is associated with Black Basta. NetSupport Manager is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware has been detected by InsightIDR Attacker BehavioUnspecified
2
The Blackbasta Malware is associated with Black Basta. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relationUnspecified
2
The Darkgate Malware is associated with Black Basta. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicioUnspecified
2
The Karakurt Malware is associated with Black Basta. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a Unspecified
2
The Lockbit Black Malware is associated with Black Basta. LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Bl00dy Threat Actor is associated with Black Basta. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant iUnspecified
5
The Alphv Threat Actor is associated with Black Basta. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB Unspecified
5
The Kimsuky Threat Actor is associated with Black Basta. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activitUnspecified
2
The Bianlian Threat Actor is associated with Black Basta. BianLian is a threat actor group known for its malicious activities, primarily involving ransomware attacks. The group has been particularly active in 2024, exploiting bugs in JetBrains TeamCity software to launch its attacks. This method of attack has caused significant disruptions and data breacheis related to
2
The Blackmatter Threat Actor is associated with Black Basta. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. HoweveUnspecified
2
The Vice Society Threat Actor is associated with Black Basta. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of ZeppeUnspecified
2
The Conti Ransomware Gang Threat Actor is associated with Black Basta. The Conti ransomware gang, a notorious threat actor in the cybersecurity landscape, has been responsible for extorting at least $180 million globally. The gang is infamous for the HSE cyberattack in 2021 and has been sanctioned by the National Crime Agency (NCA). In late 2021, experts suggested thatUnspecified
2
The Zeon Threat Actor is associated with Black Basta. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as BUnspecified
2
The Qilin Threat Actor is associated with Black Basta. Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2024-1709 Vulnerability is associated with Black Basta. CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid ResponseUnspecified
4
The Printnightmare Vulnerability is associated with Black Basta. PrintNightmare is a severe vulnerability (CVE-2021-34527) affecting the Windows Print Spooler service, allowing an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw in software design or implementation enables any authenUnspecified
2
The vulnerability CVE-2024-37085 is associated with Black Basta. Unspecified
2
The CVE-2024-1708 Vulnerability is associated with Black Basta. CVE-2024-1708 is a high-severity path traversal vulnerability that was discovered in ConnectWise's ScreenConnect software. This flaw, which affects versions 23.9.7 and earlier, allows a remote privileged user to read arbitrary files on the system using a specially crafted HTTP request. ConnectWise dUnspecified
2
Source Document References
Information about the Black Basta Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
19 days ago
Securityaffairs
23 days ago
Securityaffairs
23 days ago
Securityaffairs
a month ago
Securityaffairs
2 months ago
InfoSecurity-magazine
2 months ago
Securelist
3 months ago
DARKReading
3 months ago
BankInfoSecurity
3 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
InfoSecurity-magazine
3 months ago
InfoSecurity-magazine
3 months ago
Checkpoint
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
DARKReading
4 months ago
Securityaffairs
4 months ago
CERT-EU
a year ago