Key Takeaways
What is Black Basta?
Black Basta ransomware has been on PolySwarm’s radar since it was first reported in 2022. We featured Black Basta as a malware family to watch in 2023 and again in our 2023 Recap - Malware Hall of Fame. Although industry researchers discovered Black Basta in April 2022, based on compile dates, the ransomware may have been active as early as February 2022.
Both Windows and Linux variants of this ransomware-as-a-service (RaaS) exist. Written in C++, Black Basta encrypts file contents with ChaCha20 and protects the ChaCha20 keys with RSA-4096. To speed up encryption it uses intermittent encryption: it encrypts 64-byte chunks and leaves 128 bytes of plaintext between them, so roughly two thirds of each file remains untouched. Black Basta typically runs a double-extortion model: it encrypts the victim's systems and also steals sensitive data, threatening to sell or leak it if the victim does not pay the ransom.
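The following script, an added example rather than PolySwarm's or Black Basta's own code, models the 64-byte encrypt / 128-byte skip layout described above so a responder can see what it leaves in place, and includes a triage heuristic that checks a file for that cadence. ChaCha20 is a pure-Python RFC 7539 implementation so it runs offline; the key, nonce and sample plaintext are constructed, and the assumptions that the layout starts at offset 0 and that each 64-byte chunk maps to one ChaCha20 keystream block are mine, not from the post.

```python
"""Added example (not PolySwarm's or Black Basta's code): model the 64-byte
encrypt / 128-byte skip layout described above and check a file for it.

ChaCha20 is a pure-Python RFC 7539 implementation so the script runs offline.
Assumptions (not from the post): the layout starts at file offset 0, each
64-byte chunk is one ChaCha20 block, and the key/nonce below are constructed.
"""
import math
import struct
from collections import Counter

ENC_CHUNK = 64                    # bytes encrypted per chunk (from the post)
SKIP_CHUNK = 128                  # plaintext bytes left between chunks (from the post)
STRIDE = ENC_CHUNK + SKIP_CHUNK   # one encrypt/skip period: 192 bytes
MASK = 0xFFFFFFFF

# Constructed key/nonce/plaintext for the demo; a real sample uses its own.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes(12)
SAMPLE_PLAINTEXT = b"Quarterly report 2024: revenue figures, notes, action items.\n" * 24


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte ChaCha20 keystream block (RFC 7539, 20 rounds)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                         # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def encrypted_ranges(size):
    """(start, end) byte ranges the 64/128 layout touches in a file of `size` bytes."""
    return [(off, min(off + ENC_CHUNK, size)) for off in range(0, size, STRIDE)]


def intermittent_encrypt(key, nonce, data):
    """Apply the layout: XOR chunk i with keystream block i, leave the gaps alone.
    XOR is its own inverse, so the same call decrypts."""
    buf = bytearray(data)
    for i, (start, end) in enumerate(encrypted_ranges(len(data))):
        ks = chacha20_block(key, nonce, i)
        buf[start:end] = bytes(p ^ k for p, k in zip(buf[start:end], ks))
    return bytes(buf)


def plaintext_fraction(size):
    """Share of a file the layout never touches (tends to 2/3 for large files)."""
    if size == 0:
        return 0.0
    encrypted = sum(end - start for start, end in encrypted_ranges(size))
    return 1.0 - encrypted / size


def shannon_entropy(b):
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values()) if n else 0.0


def looks_intermittently_encrypted(data, margin=1.0):
    """Triage heuristic: do the 64-byte slots read as random while the
    128-byte gaps between them still look like the original content?"""
    enc, gap = [], []
    for start, end in encrypted_ranges(len(data)):
        if end + SKIP_CHUNK <= len(data):       # only complete periods
            enc.append(shannon_entropy(data[start:end]))
            gap.append(shannon_entropy(data[end:end + SKIP_CHUNK]))
    if not enc:
        return False
    return sum(enc) / len(enc) - sum(gap) / len(gap) > margin


if __name__ == "__main__":
    ct = intermittent_encrypt(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAINTEXT)
    print("plaintext left in place: %.1f%%" % (100 * plaintext_fraction(len(ct))))
    print("looks intermittently encrypted:", looks_intermittently_encrypted(ct))
    print("round trip ok:", intermittent_encrypt(SAMPLE_KEY, SAMPLE_NONCE, ct) == SAMPLE_PLAINTEXT)
```

Two practical notes. First, the untouched gaps are why partial recovery of text-heavy files (logs, source, documents) is sometimes possible without the key, and why carving should look at offsets 64-191, 256-383 and so on rather than whole files. Second, the entropy heuristic only separates the cadence from the content when the content itself is low-entropy; an already-compressed or encrypted file (archives, media, VMDKs) is high-entropy everywhere and will return False even when it has been hit, so use it to triage, not to clear a host.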
Early on, the group relied on botnets to deliver its malware at scale, most notably QBot. Despite the law enforcement-led disruption of QBot in mid-2023, Black Basta has continued to gain momentum, later switching to the DarkGate botnet for delivery. In early 2024 Black Basta also began communicating with other post-Conti groups and started using a “third party dissemination specialist” that serves multiple financially motivated threat actor groups.
In recent months, Black Basta has adopted tactics reminiscent of nation-state actors and has shifted from opportunistic targeting to more refined, strategic targeting. In May, the group began masquerading as a fictional cybersecurity company to social engineer victims: the operators told would-be victims that they had suffered a cybersecurity incident and urged them to install remote access software as part of the “remediation”. In September, Black Basta began using Microsoft Teams as a contact channel and targeted a UK defense contractor.
IOCs
PolySwarm has multiple Black Basta samples. SHA256 hashes of some of our most recently acquired samples are listed below. Black Basta is also currently featured under Emerging Threats on our portal.
1c5911847497cb485c97b7ed79ab4ecbbb319f0f1e792d1539f61f0ae7d299db
7be927ae6ff38b27efa49466ffc69f00fc354fb5b2795c9c8a6203f934bc7f61
a20dba4c42b9f847f8bae731eed955b1b9a9141510a790c90e6e3f77578efea5
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e
38a5659c98ca7353b656e3542ec336a1e7ecab71febd35491344aca304275a0e
ebbd88b3ba1b0750cd8f0326dbabd94ed97cccd83baed2121e6ceaefa7f7eb1b
c61a3b75e95ea37acb0d7653126ce080c807caf182c5002d2a2185e87f533dd6
645a18f737bd6d810a48c4a47ace62c196eb1ef285f8ca9bea6218b312fff16e
2bd509669c694baeb1234cc20b362e3b9a5d7619e200d949a0c9fd425e206ef3
You can use the following CLI command to search for all Black Basta samples in our portal:
$ polyswarm link list -f BlackBasta
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.