Blackbasta

Malware Profile Updated 3 days ago
BlackBasta is a notorious malware, specifically a ransomware, that has been actively exploiting and damaging computer systems since its first appearance in April 2022. Throughout most of 2022 the ransomware primarily used SharpDepositorCrypter as its loader, often in conjunction with other malicious software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. BlackBasta has also shown an association with Qakbot, another harmful program, dating back to the group's inception.

The BlackBasta group has claimed responsibility for several high-profile cyber attacks, including those on Synlab Italia and Atlas, one of the largest national distributors of fuel in the United States. In the case of Synlab Italia, the attack occurred in April and severely impacted operations. The BlackBasta extortion group added both companies to the list of victims on its Tor leak site, publicizing the compromises and increasing the pressure on these organizations.

In terms of its operational methods, BlackBasta uses sophisticated techniques for data exfiltration and for automating the encryption process. For instance, it has been known to use the Rclone tool and a PowerShell script called TotalExec, previously associated with FIN7 ransomware operators. As of May 11, 2024, the group has threatened to publish the stolen data from its various attacks, a tactic commonly used by ransomware groups to coerce victims into paying the demanded ransom.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description

Lockbit (7 votes): LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi

Conti (5 votes): Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S

QakBot (4 votes): Qakbot, also known as QBot, is a versatile and malicious software that can perform various harmful actions such as brute-forcing, web injects, and loading other malware. It is used to steal credentials and gather sensitive information. The malware is built by different groups including IcedID, Emote

Clop (3 votes): Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T

Pikabot (2 votes): Pikabot, a harmful malware family, emerged in 2023 as a significant cyber threat. It is primarily associated with ransomware distribution, crypto mining, data theft, and remote control of infected devices. This malicious software has been distributed by TA577, a well-known threat group that had prev

Blacksuit (2 votes): BlackSuit is a dangerous malware that has been causing significant disruption in the U.S., particularly within the healthcare sector. It is believed to be a rebranding of the Royal ransomware gang, itself a descendant of the Russian Conti gang. Notably, BlackSuit appears to be perpetrating its extor
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Esxi
Ransom
Exploit
Malware
Extortion
Cybercrime
Vulnerability
Windows
Locker
Encryption
Vmware
Associated Malware
ID (type, votes): Profile description

Royal Ransomware (Unspecified, 4 votes): Royal Ransomware, a harmful malware created by former members of the Conti group, was involved in multiple high-profile attacks against critical infrastructure. Its operations were characterized by multi-threaded encryption and it often left a ransom note after infecting systems. Notably, the Royal

Akira (Unspecified, 3 votes): Akira is a compact C++ ransomware that has wreaked havoc across various sectors, impacting over 60 organizations globally. It is compatible with both Windows and Linux systems and is known for its minimalistic JQuery Terminal-based hidden service used for victim communication. The malware enters you

Ryuk (Unspecified, 3 votes): Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting their malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to

Hive (Unspecified, 3 votes): Hive is a malicious software, or malware, known for its disruptive capabilities and widespread damage. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h

Blackbasta Ransomware (Unspecified, 2 votes): BlackBasta is a ransomware-type malware, designed to infiltrate systems undetected and hold data hostage in exchange for ransom. Originating from Russian-speaking regions, this malicious software has been linked to numerous high-profile cyber attacks. The group behind BlackBasta has demonstrated its

REvil (Unspecified, 2 votes): REvil, also known as Sodinokibi, is a notorious malware that gained prominence due to its harmful impact on computer systems and data. It operates under the Ransomware as a Service (RaaS) model, which saw a significant rise in popularity throughout 2020. The malware typically infects systems via sus

Ghost Clown (Unspecified, 2 votes): Ghost Clown is a malware entity that has been implicated in the deployment of malicious software, specifically ransomware strains like BlackBasta and Conti. This previously undetected ransomware group, along with another affiliate named Space Kook, were identified by anti-ransomware company Halcyon.

Black Basta (Unspecified, 2 votes): Black Basta is a malicious software (malware) known for its disruptive activities in the cyber world. This Russian-speaking ransomware-as-a-service group has been operational since early 2022, with an estimated accumulation of at least $107 million in Bitcoin ransom payments. The malware primarily i

Karakurt (Unspecified, 2 votes): Karakurt is a notorious malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group's operations involve stealing sensitive data from compromised systems and demanding ransoms ranging from $25,000 to a staggeri

Cactus (Unspecified, 2 votes): Cactus is a notable strain of malware that has been active since March 2023, as reported by Kroll researchers. The Cactus ransomware operation stands out for its use of encryption to protect the ransomware binary, leveraging multiple legitimate tools such as Splashtop, AnyDesk, SuperOps RMM for remo
Associated Threat Actors
ID (type, votes): Profile description

Alphv (Unspecified, 7 votes): AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV has been responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clario

Bianlian (Unspecified, 3 votes): BianLian is a threat actor group known for its malicious activities in the cybersecurity landscape. Recently, they have been identified as exploiting bugs in JetBrains TeamCity in ransomware attacks. This highlights their ability to leverage vulnerabilities in widely used software to carry out sophi

FIN7 (Unspecified, 2 votes): FIN7, a well-known threat actor group, has been actively targeting large-scale industries with sophisticated cyber attacks. Notably, they have been involved in a series of phishing attacks against a major U.S. carmaker. These targeted operations reflect FIN7's persistent and evolving strategies to c

Space Kook (Unspecified, 2 votes): Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br
Associated Vulnerabilities
ID (type, votes): Profile description
No associations to display
Source Document References
Information about the Blackbasta malware was read from the document corpus below. This display is limited to 20 results.

Source (created at): Title
SecurityIntelligence.com (a year ago): The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU (5 months ago): BlackBasta Ransomware Attack: Multiple Victims Listed | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (8 months ago): The Edwardian Hotels Cyberattack Claimed By BlackBasta
Threat Post (a year ago): Ransomware Attacks are on the Rise
Securelist (a year ago): Overview of ransomware trends in 2023
CERT-EU (a year ago): New ransomware trends in 2023 - GIXtools
CERT-EU (5 months ago): BlackBasta Claims Cyberattack On American Alarm And Communications | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs (4 months ago): Yearly Intel Trend Review: The 2023 RedSense report
Securityaffairs (24 days ago): Blackbasta gang Synlab Italia attack
Securityaffairs (3 days ago): Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
CERT-EU (a year ago): Ransomware review: April 2023
Malwarebytes (a year ago): Ransomware review: February 2023
CERT-EU (2 months ago): Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
BankInfoSecurity (2 months ago): Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them
Securityaffairs (8 days ago): Blackbasta group claims to have hacked Atlas, one of the largest US oil distributors
InfoSecurity-magazine (10 months ago): Cloud Firm Under Scrutiny For Suspected Support of APT Operations
Securityaffairs (24 days ago): Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Malwarebytes (5 months ago): Oops! Black Basta ransomware flubs encryption | Malwarebytes
InfoSecurity-magazine (9 months ago): Four in Five Cyber-Attacks Powered by Just Three Malware Loaders
BankInfoSecurity (5 months ago): Microsoft Disables Abused Application Installation Protocol