Black Basta Ransomware

Appearing in early 2022, the Black Basta ransomware variant and its actors quickly landed on government agency watchlists around the world. 

By November of 2023, the syndicate had already claimed over 329 victims, raking in over $107 million in ransom payments. Blockchain analysis has traced the majority of the proceeds to Garantex, a sanctioned Russian cryptocurrency exchange. 

According to the latest CISA advisory, as of May of 2024, Black Basta’s ledger of victims had ballooned to include more than 500 organizations across North America, Europe, and Australia. Out of the sixteen critical infrastructure sectors, only two have managed to evade the reach of the ransomware strain. 

However, due to a series of setbacks, Black Basta’s reign has recently come to an end. Operation Duck Hunt, a multinational law enforcement effort, severely hindered the group by removing the QakBot botnet from its arsenal. A trove of chat logs, allegedly belonging to the group, was also leaked online. The correspondence exposed the group’s key members and shed light on their tactics, leading security researchers to believe that Black Basta is a descendant of the notorious Conti ransomware gang, another prolific Russian-based group. 

It appears that the cybergang’s heyday has come and gone. Black Basta’s activities significantly declined after December 2024 due to internal conflicts revealed in the leaked chats. 

Although the group may have vanished from view, researchers believe its members continue to operate in the shadows. Only time will tell if Black Basta will make a resurgence, or if those involved will regroup underneath a new banner. 

What is Ransomware? 

Ransomware is a type of malware that renders infected devices or their data inaccessible by encrypting files using cryptographic algorithms. Once encrypted, the data can only be restored to its original state with a corresponding decryption key, which is held by the attacker. 

In this hostage state, victims of ransomware only regain access after a ransom payment is made, or the specific demands of the attacker are met. 

Since the impact of ransomware can often be mitigated by maintaining reliable data backups, attackers typically escalate severity by threatening to leak stolen data or use it to target the victim’s customers or business partners. Either way, the data will be monetized after a breach. 

Notably, attackers have been known to continue denying access, or to make good on these additional threats, even after their terms are met. 

Ransomware is distributed through a variety of means including: 

  • Social engineering attacks: Victims are tricked into downloading and executing ransomware under false pretenses. 
  • Exploitation of coding flaws: Vulnerabilities in operating systems or application software are exploited to inject ransomware into the underlying code. 
  • Credential theft: Stolen or brute-forced credentials allow attackers to access devices or networks and deploy ransomware directly. 
  • Other malware: Ransomware is sometimes bundled with other malicious software, like trojans or remote access tools, that first compromise the system and then deliver the ransomware payload. 

When selecting targets, cybercriminals will often collaborate, exchanging or selling access to compromised systems. Those that operate within this niche are known as “initial access brokers”. This ecosystem significantly lowers the barrier for launching ransomware attacks and increases their frequency and effectiveness. 

Ransomware as a Service: Pay to Play 

In the modern digital underground, the ability to execute ransomware attacks is accessible to anyone willing to pay the price. 

Ransomware-as-a-Service (RaaS) is a business model in which developers, known as “RaaS operators” or “RaaS groups”, provide the ransomware, code maintenance, and infrastructure required to carry out attacks. These components are packaged into RaaS kits that are sold to other cybercriminals, referred to as “RaaS affiliates”. 

RaaS kits are sold under a variety of payment options: 

  • A one-time fee can be paid to purchase the kit outright. 
  • Certain operators offer monthly subscription options. 
  • Monthly subscription fees can come at a discounted rate if the affiliate agrees to share a small percentage of any ransom proceeds. 
  • Some operators will offer their kits free of charge, in exchange for a higher percentage of collected ransom payments. 

In addition to the kit and decryption keys, more sophisticated operators will even provide extra services and features such as: 

  • Technical support channels.  
  • Private forums for affiliates. 
  • Payment processing portals to collect ransoms. 
  • Custom ransom note or negotiation tools. 

Due to this level of professionalism, rivaling what is seen in legitimate software companies, RaaS has become a major enabler of cybercrime. Now, even individuals with minimal expertise can launch ransomware attacks. 

Black Basta’s Ranking Members 

The leaked chat logs point to the online aliases “YY”, “Lapa”, “Cortes”, and “Trump” as being the key operators of the cybergang. It is believed that “Trump” is an alias used by Oleg Nefedov, a previous member of Conti and the purported leader of Black Basta. 

On June 21, 2024, Nefedov was arrested in Armenia. However, suspicious scheduling around his court hearing allowed him to escape justice, and he has not been found since. Claims made by Nefedov himself in the leaked chat logs suggest that Russian government officials enabled his escape; he stated that he had received help from “very high-level” friends to pass through a “green corridor.” 

Because of the group’s success, affiliates of the Black Basta RaaS are presumed to be a small set of other technically adept individuals that have trusting relationships with the aforementioned operators. 

Gaining Initial Access 

To gain initial access into a target system, Black Basta was known to use a variety of techniques. 

CVE-2024-1709 

Certain versions of ConnectWise ScreenConnect were found to possess an authentication bypass vulnerability. 

ScreenConnect serves a web application built with the ASP.NET framework that allows users to remotely access and control the devices it is installed on using a web browser. The vulnerability stems from a path-handling issue in the SetupModule of ScreenConnect.Web.dll, specifically in how the onPostMapRequestHandler function mishandles the .NET HttpRequest.Path property. 

Due to how the ASP.NET framework handles URL paths, appending an additional path segment bypassed the security check implemented for requests to the /SetupWizard.aspx endpoint. This meant that requesting a path like /SetupWizard.aspx/anything would still invoke the handler responsible for launching the setup wizard. Re-running the wizard allowed a new administrative user account to be created, overwriting any previous accounts. 

This vulnerability, assigned to the Common Vulnerabilities and Exposures ID of CVE-2024-1709, was exploited by Black Basta and other ransomware groups to gain initial access to remote machines to exfiltrate data and execute their malicious payload. 
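Because the bypass pattern described above is visible in ordinary web server access logs, a defender can retro-hunt for it. The following Python check is an added example written for this article, not code from ConnectWise or from the original page; the log layout (a simplified IIS W3C field order) and the sample lines are constructed, so adapt parse_line to your own logging format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in a simplified IIS W3C layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-02-20 10:01:12 203.0.113.7 GET /Login 200
2024-02-20 10:02:45 203.0.113.7 POST /SetupWizard.aspx/ 200
2024-02-20 10:03:10 198.51.100.9 GET /SetupWizard.aspx 302
2024-02-20 10:04:01 203.0.113.7 POST /setupwizard.aspx/anything?x=1 200
2024-02-20 10:05:30 192.0.2.4 GET /Host 200
"""

# Match the setup wizard endpoint with an optional trailing path segment.
# ASP.NET routes "/SetupWizard.aspx/<anything>" to the same handler, so the
# presence of a trailing segment is what distinguishes the bypass pattern
# from a plain request to the wizard page.
SETUP_WIZARD = re.compile(r"^/setupwizard\.aspx(?P<extra>/.*)?$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict using the constructed field order above."""
    date, time, ip, method, uri, status = line.split()
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "uri": uri, "status": int(status)}


def flag_setup_wizard_requests(log_text):
    """Return records whose path is SetupWizard.aspx followed by an extra segment."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path = urlsplit(rec["uri"]).path  # drop any query string before matching
        m = SETUP_WIZARD.match(path)
        if m and m.group("extra") is not None:
            rec["path"] = path
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in flag_setup_wizard_requests(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> review: setup wizard re-entry pattern")
```

On an instance that has already completed setup, even a plain request to /SetupWizard.aspx is unusual, so the third sample line is worth a look as well; the function deliberately flags only the trailing-segment form so that the higher-confidence pattern is separated from the noisier one.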

Spear phishing/Social Engineering 

Black Basta members primarily used spear phishing campaigns to gain a foothold in target systems. In contrast to “spray-and-pray” phishing campaigns that distribute emails and text messages on a mass scale, spear phishing focuses on a single individual or organization. Attackers conduct in-depth research into their target to uncover recent events, relationships, and interests relevant to them. Armed with this background information, the false pretenses of spear phishing correspondence appear convincing and legitimate, which increases the chances of the target engaging with the con. 

The group also utilized ChatGPT and other AI tools for composing fraudulent formal letters in English, paraphrasing text, and rewriting malware code. 

Black Basta would also manufacture a pretext for social engineering attacks. Affiliates would bombard targets with large volumes of spam email, then follow up posing as technical support representatives offering to fix the problem. Under this guise, the attackers guided victims through the installation of legitimate remote access tools, including ScreenConnect, giving them persistent control over the device. 

QakBot 

Additionally, Black Basta was heavily reliant on the QakBot malware and botnet. Originally designed as a banking trojan used to steal financial data, the QakBot malware has since evolved into a highly sophisticated, modular toolkit with a suite of capabilities. Notably, after providing the initial means of infection, QakBot could carry additional malware with it. It is through this mechanism that the Black Basta ransomware strain took devices hostage. 

As soon as a device was infected with QakBot, it would connect to the QakBot botnet, joining a vast network of other compromised systems under the control of malicious hackers. During its dismantling in Operation Duck Hunt (August 2023), the FBI identified that over 700,000 computers across the globe were nodes in the botnet. To clean the infected hosts, the botnet’s traffic was redirected through FBI-controlled servers, which instructed them to download a file created by law enforcement that uninstalled the malware. This mass cleansing was a major disruption to Black Basta’s operations. 

With the Door Unlocked… 

Once initial access to a device was established, Black Basta would conduct reconnaissance using utilities with innocuous file names mimicking technology companies to evade detection, a technique known as “masquerading”. 

They would also use PowerShell scripts and tools such as Backstab to disable security programs, including anti-malware products and endpoint detection and response agents. 

Black Basta would then use scanning tools such as SoftPerfect to gather intelligence about the breached environment, identifying connected devices, the services they offer, and any shared resources or open network shares. 

Each service on a device is reachable through a network port, which represents a specific communication endpoint. Scanning tools probe these ports to determine which services are available and extract their metadata, a process known as “banner grabbing”. This metadata includes information such as the service’s name and version number. With this information, attackers are able to correlate software with known vulnerabilities, giving the threat actors more opportunities for exploitation. 

By compiling this information, attackers effectively map the network, identifying high-value assets such as domain controllers, databases, file servers, and workstations with elevated permissions. This overview enables attackers to strategically plan their next steps, in order to pivot to other interconnected devices, gain access to additional resources, or establish persistence. 

To acquire credentials, Black Basta would use Mimikatz, a credential scraping tool that extracts plaintext passwords, hashes, PINs, and Kerberos tickets from their storage in memory on Windows systems. 
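Every tool that scrapes credentials from memory the way the paragraph above describes must first open a handle to lsass.exe with read access, which Sysmon records as Event ID 10 (ProcessAccess). The detector below is an added example written for this article, not code from the page or from Sysmon’s authors; the event records are constructed (the source image name deliberately mimics a hardware vendor, in keeping with the masquerading noted earlier), and the allowlist of benign source images is an assumption that should be rebuilt from your own telemetry.

```python
PROCESS_VM_READ = 0x0010        # needed to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full access mask

# Assumed baseline of processes that legitimately open lsass.exe on most hosts.
# Tune from your own telemetry; an attacker can also rename a tool to one of these.
BENIGN_SOURCE_IMAGES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}

# Constructed Sysmon Event ID 10 records, already parsed into dicts.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2024-03-01 08:00:01",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2024-03-01 08:00:05",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2024-03-01 08:01:17",
     "SourceImage": r"C:\Users\Public\nvidia_update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2024-03-01 08:01:20",
     "SourceImage": r"C:\Users\Public\nvidia_update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "UtcTime": "2024-03-01 08:02:00",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_memory_read(granted_access):
    """True if the hex access mask includes PROCESS_VM_READ or is full access."""
    access = int(granted_access, 16)
    return bool(access & PROCESS_VM_READ) or access == PROCESS_ALL_ACCESS


def detect_lsass_access(events, benign=BENIGN_SOURCE_IMAGES):
    """Return alerts for non-allowlisted processes that opened lsass.exe with read access."""
    alerts = []
    for e in events:
        if e.get("EventID") != 10 or basename(e["TargetImage"]) != "lsass.exe":
            continue
        if not is_memory_read(e["GrantedAccess"]):
            continue   # 0x1000 (query limited information) is normal system noise
        source = basename(e["SourceImage"])
        if source in benign:
            continue
        alerts.append({"time": e["UtcTime"], "source": source,
                       "source_path": e["SourceImage"], "access": e["GrantedAccess"]})
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(f"{a['time']} {a['source_path']} opened lsass.exe with {a['access']}")
```

The svchost.exe record is skipped because 0x1000 carries no memory-read right, and the Defender engine is skipped by the allowlist; only the unknown binary in a user-writable directory reading LSASS memory survives, which is the handle pattern a credential dumper needs.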

Once valid credentials were acquired, Black Basta was known to have utilized a variety of legitimate administrative tools, open-source offensive tools, and offensive frameworks to establish persistent connections with other network targets: 

  • BITSAdmin: A built-in Windows command-line tool that is used to download/upload files and monitor their progress. 
  • PsExec: A tool from Microsoft’s Sysinternals suite that allows for remote command execution. 
  • Splashtop: Another remote desktop access application. 
  • Cobalt Strike: A commercial-grade penetration testing tool used by security professionals but often abused by threat actors. 

In cases where legitimate tooling was used, connections were more likely to go unnoticed, as the traffic appeared legitimate. 

After gaining a foothold on additional devices, Black Basta was observed exploiting numerous vulnerabilities in order to gain further system access, a process referred to as privilege escalation. The goal of these attacks is to deepen access to a given system by assuming an administrator- or SYSTEM-level role. 

CVE-2020-1472 

Exploitation of the vulnerability CVE-2020-1472, nicknamed Zerologon, was accomplished by performing a brute-force attack against the Netlogon Remote Protocol authentication method. 

Due to a cryptographic failure in the AES-CFB8 encryption scheme, attackers could successfully bypass authentication in 1 out of every 256 attempts and reset an account password to a blank string. 
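The 1-in-256 figure follows directly from how CFB8 mode behaves when the initialization vector is fixed to all zeros, which is the condition the Netlogon implementation got wrong. The Python below is an added illustration written for this article, not code from the page or from any Netlogon implementation: it uses a SHA-256 based keyed function as a stand-in for the AES block cipher (the effect depends only on the mode, not the cipher), constructs the all-zero IV and challenge, and shows that the ciphertext collapses to all zeros exactly when the first keystream byte is zero, which happens for about one key in 256.

```python
import hashlib

BLOCK_SIZE = 16


def block_encrypt(key, block):
    """Stand-in for AES-128 block encryption (assumption: any keyed pseudorandom
    function shows the same CFB8 behaviour, so SHA-256 is used to stay dependency-free)."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key, iv, plaintext):
    """CFB8: each plaintext byte is XORed with the first byte of E(shift register),
    and the resulting ciphertext byte is shifted into the register."""
    assert len(iv) == BLOCK_SIZE
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(reg))[0]
        c = p ^ keystream_byte
        out.append(c)
        reg = reg[1:] + bytes([c])   # with IV=0, p=0 and keystream 0, reg stays all zero
    return bytes(out)


ZERO_IV = bytes(BLOCK_SIZE)     # the fixed IV at the root of the flaw
ZERO_CHALLENGE = bytes(8)       # an all-zero 8-byte input


def zero_iv_collapses(key):
    """True when encrypting an all-zero challenge under a zero IV yields all zeros."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == ZERO_CHALLENGE


def count_weak_keys(n_keys):
    """Over the first n_keys 128-bit keys, return (keys that collapse,
    keys whose first keystream byte E_k(0)[0] is zero); the two are always equal."""
    collapsed = sum(zero_iv_collapses(k.to_bytes(BLOCK_SIZE, "big")) for k in range(n_keys))
    predicted = sum(block_encrypt(k.to_bytes(BLOCK_SIZE, "big"), ZERO_IV)[0] == 0
                    for k in range(n_keys))
    return collapsed, predicted


def first_weak_key(limit=100000):
    """Smallest integer key below `limit` for which the collapse occurs, or None."""
    for k in range(limit):
        key = k.to_bytes(BLOCK_SIZE, "big")
        if zero_iv_collapses(key):
            return key
    return None


if __name__ == "__main__":
    collapsed, predicted = count_weak_keys(4096)
    print(f"{collapsed} of 4096 keys collapse (expected about {4096 // 256}); "
          f"prediction from first keystream byte: {predicted}")
    key = first_weak_key()
    print("64 zero bytes under a weak key and zero IV ->",
          cfb8_encrypt(key, ZERO_IV, bytes(64)).hex())
    print("same key with a non-zero IV ->",
          cfb8_encrypt(key, bytes(range(16)), ZERO_CHALLENGE).hex())
```

Once a weak key is hit, the collapse holds for a plaintext of any length, because the shift register never leaves the all-zero state; with a random per-message IV, every byte position draws a fresh keystream byte and the probability of an all-zero output drops to 2^-64. The defensive lesson is the generic one: a mode that is only secure with a unique IV must never be run with a constant one, and an authentication step that retries without limit hands the attacker the 1/256 odds for free.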

CVE-2021-34527 

Another vulnerability exploited was CVE-2021-34527, known as PrintNightmare, which existed in the Windows Print Spooler service that manages print jobs. 

The issue was initially recognized as a local privilege escalation vulnerability and assigned CVE-2021-1675. However, the security updates proved ineffective, as the vulnerability could still be exploited to achieve remote code execution with SYSTEM-level privileges. 

CVE-2021-42278 

CVE-2021-42278 was also abused to obtain administrator privileges. Known as the NoPac vulnerability, this flaw allowed attackers to impersonate a domain controller by spoofing its sAMAccountName, the unique account identifier used in Active Directory. 
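The impersonation described above leaves an audit trail: a computer account is renamed so that its sAMAccountName no longer ends in the trailing `$` and instead matches a domain controller’s name, and Windows logs that rename as Security Event ID 4781 (“The name of an account was changed”). The detector below is an added example written for this article, not code from the page or from Microsoft; the event records are constructed and the set of domain controller accounts is an assumption that should be populated from the directory.

```python
# Assumed list of domain controller computer accounts; populate from AD in practice.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed Security log records (Event ID 4781 = account name changed).
SAMPLE_EVENTS = [
    {"EventID": 4781, "TimeCreated": "2024-03-02 09:12:00", "SubjectUserName": "it.admin",
     "OldTargetUserName": "WS-OLD$", "NewTargetUserName": "WS-NEW$"},
    {"EventID": 4781, "TimeCreated": "2024-03-02 09:15:44", "SubjectUserName": "jdoe",
     "OldTargetUserName": "JDOE-PC$", "NewTargetUserName": "DC01"},
    {"EventID": 4781, "TimeCreated": "2024-03-02 09:20:10", "SubjectUserName": "hr.admin",
     "OldTargetUserName": "a.smith", "NewTargetUserName": "a.smith-jones"},
    {"EventID": 4720, "TimeCreated": "2024-03-02 09:21:00", "SubjectUserName": "hr.admin",
     "TargetUserName": "b.jones"},
]


def detect_samaccountname_spoof(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return alerts for account renames that drop a machine account's trailing '$'
    or make an account's name collide with a domain controller's name."""
    dc_names = {name.rstrip("$").lower() for name in dc_accounts}
    alerts = []
    for e in events:
        if e.get("EventID") != 4781:
            continue
        old, new = e["OldTargetUserName"], e["NewTargetUserName"]
        reasons = []
        if old.endswith("$") and not new.endswith("$"):
            reasons.append("machine account renamed without trailing '$'")
        if new.rstrip("$").lower() in dc_names:
            reasons.append("new name collides with a domain controller account")
        if reasons:
            alerts.append({"time": e["TimeCreated"], "actor": e["SubjectUserName"],
                           "old": old, "new": new, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_samaccountname_spoof(SAMPLE_EVENTS):
        print(f"{a['time']} {a['actor']} renamed {a['old']} -> {a['new']}: {'; '.join(a['reasons'])}")
```

A rename of one workstation account to another workstation name (the first record) is routine and produces no alert; the second record trips both conditions at once, which is the combination worth paging on. Ordinary user renames are ignored unless the new name happens to match a domain controller.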

Black Basta Extortion 

Financially motivated, Black Basta employed the double-extortion model, in which systems were encrypted and the data they held was also exfiltrated. 

Tools such as WinSCP, a file transfer client, were used to send data from the breached network back to Black Basta. 

If the ransom payment was not received in the allotted time frame, the exfiltrated data would be posted to the group’s Tor site, Basta News, at stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd[.]onion. 

Conclusion 

Although Black Basta has left the spotlight, the sophistication and operational expertise demonstrated in their attacks suggest that the individuals behind the ransomware are unlikely to vanish entirely. Instead, they may rebrand, collaborate with other threat actors, or evolve their tactics to stay relevant. They may even still be carrying out attacks today, though at a significantly reduced scale—with only 8 confirmed victims recorded in early 2025 compared to 165 in 2022. 

The interconnected and resilient nature of the cybercriminal underground makes it difficult to permanently dismantle such groups. 

History has shown that the RaaS market is cyclical. Groups emerge, gain notoriety, disappear under pressure, and often reappear in new forms. 

This cycle is fueled by factors such as profit incentives, technological innovation, the relatively low barrier to entry, and the thrill of success. As one operation fades, another often rises to fill the void, perpetuating the threat landscape. The threat is never-ending and it is important to draw lessons from previous attacks in order to understand how future ones may unfold. 
