Black Basta Ransomware Report
2025.03.07

✅ Report Title:

Quick Overview of Black Basta



✅ Executive Summary:


- The Black Basta ransomware was first developed in early February 2022 under the name "no_name_software," using the .encrypted extension.

- Later, in the second week of April 2022, it carried out its first attack under the name Black Basta. It drew attention after it was reported to have attacked Deutsche Windtechnik, a wind power plant operator in Germany.

- The United States has been the most affected country by Black Basta ransomware, with the construction and manufacturing industries being its primary targets.



📌 What are the key features?

- According to a tweet by MalwareHunterTeam, a team specializing in malware analysis, the group's negotiation style with victims and the design of its leak site are highly similar to those of Conti.

- A user named Black Basta is active on XSS and Exploit.in.

- (April 20, 2022): Black Basta was found attempting to purchase network access accounts of companies located in the United States, Canada, the United Kingdom, Australia, and New Zealand on Exploit.in.

- According to a report by SentinelOne, Black Basta ransomware operators are linked to FIN7.

- Sophos noted that the tactics, techniques, and procedures (TTPs) of Black Basta, Hive, and Royal ransomware are similar, suggesting that these groups either share an attack playbook or have common affiliates.

- All three groups create backdoor accounts using the same username and password to gain control over systems.

- All three groups create .7z files named after the victim company to distribute the final payload to target systems.

- All three groups use the same batch scripts and files to execute commands and infect target systems.

- According to Mandiant, Black Basta affiliates have been classified into UNC4393, which constitutes the majority of activity clusters, and UNC3973, which exhibits unique TTPs.

- Microsoft reported that the Storm-0566 group, which distributes Black Basta ransomware, exploited the CVE-2024-37085 vulnerability.

- Prodaft revealed that on February 11, 2025, an internal member leaked the group's chat logs in response to Black Basta having targeted a Russian bank, and that key members later moved to the Cactus group.

- It was discovered that a user named Tramp (LARVA-18), who operates large-scale spam campaigns for distributing the QBot malware, was leading these activities.



📌 What were the recent issues?

(2025-02-21) A leak of Black Basta’s internal chat logs occurred.

The logs were leaked through the Telegram channel @ExploitWhisper and contain approximately one year’s worth of chat records from the Black Basta ransomware group's Matrix chat, spanning from September 18, 2023, to September 28, 2024.

Key Details:

- Most conversations were conducted in Russian, and activity timestamps aligned with UTC+3 (Moscow time), suggesting that Black Basta's members are primarily Russian.

- Black Basta has a history of attacking the overseas branches of domestic (Korean) companies and leaking their database records. The chat logs include discussions mentioning VPNs, internal network access IPs, and credentials belonging to Korean companies.

- The group actively engages in phishing and social engineering attacks, such as sharing address books of employees at target companies and impersonating IT department staff.

- A member suspected to be the main administrator of Black Basta uses the username @usernamegg. Among the seven home servers the group operates via Matrix Messenger, the most active is matrix.bestflowers247.online, where most attacks are coordinated.

- (2024-09-24): @usernamegg changed their nickname to @usergg and announced a migration to a new communication platform, suggesting that Black Basta may no longer be using Matrix and has moved to a different platform.

- A total of 176 cryptocurrency wallet addresses were identified in the leaked chat logs.

- These 176 wallet addresses are new and have not been previously associated with other ransomware groups, indicating that Black Basta operates independently from other ransomware entities.

- Rewards for various tasks were distributed among multiple users, with @usernamegg acting as the primary funder for required operations.

- Black Basta members, including @usernamegg, use multiple cryptocurrencies such as Bitcoin, Monero, Ethereum, and Tether, typically receiving payments per completed operation.

- The group primarily exploits vulnerabilities that allow arbitrary command execution to deploy ransomware.

- They have shown a strong interest in network and VPN device vulnerabilities, including:

  - CVE-2024-3400 (Palo Alto Networks product vulnerability)
  - CVE-2024-21762 (Fortinet product vulnerability)

- Additionally, they exploit enterprise software vulnerabilities, such as:

  - CVE-2023-22515 (Atlassian vulnerability)
  - CVE-2024-21413, a recently disclosed Outlook vulnerability (February 2024)

Regardless of when these vulnerabilities were publicly disclosed, Black Basta continues to exploit them, emphasizing the need for organizations to apply the latest security patches.

- The group appears to use additional tools to escalate privileges and exfiltrate more data after executing arbitrary commands.

- They have considered using open-source rootkits such as "Nidhogg" to hide ransomware processes.

- They use Mimikatz to extract passwords and deploy "EventLog Crasher" to interfere with forensic investigations.
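The chat-log findings above (activity clustered around Moscow time, mostly Russian-language messages, 176 wallet addresses pulled from the records) are the kind of result an analyst derives from a raw export. The Python below is an added example, not code from S2W or the report, showing one way to do that over a constructed log sample; the log line format, the @worker1 handle, the 09:00-17:59 working window and the wallet-address patterns are assumptions.

```python
import re

# Constructed sample shaped like an exported Matrix log ("<UTC time> <sender>: <body>").
# The lines, the @worker1 handle and the wallet strings (public test-vector addresses)
# are invented for this example; they are not records from the leaked Black Basta logs.
SAMPLE_LOG = """\
2023-09-18T06:02:11Z @usernamegg: старт, собираемся
2023-09-18T07:15:40Z @usernamegg: оплата за доступ: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
2023-09-18T09:48:03Z @worker1: перерыв
2023-09-18T11:30:22Z @usernamegg: ETH 0x52908400098527886E0F7030069857D2E4169EE7
2023-09-18T13:05:09Z @worker1: утро прошло нормально
2023-09-18T14:55:44Z @usernamegg: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq again
2023-09-19T06:10:05Z @worker1: готово
2023-09-19T14:22:18Z @usernamegg: на сегодня всё
"""

LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T(\d{2}):\d{2}:\d{2}Z (\S+): (.*)$")
WALLET_RES = {  # address shapes only; every hit still needs manual confirmation
    "BTC": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")
WORK_HOURS = range(9, 18)  # assumed local working window, 09:00-17:59

def parse_log(text):
    """Return (utc_hour, sender, body) tuples, skipping malformed lines."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]

def infer_utc_offset(records):
    """UTC offset under which the most messages fall inside WORK_HOURS."""
    def in_window(offset):
        return sum((hour + offset) % 24 in WORK_HOURS for hour, _, _ in records)
    return max(range(-12, 15), key=in_window)

def cyrillic_share(records):
    """Fraction of messages containing at least one Cyrillic character."""
    hits = sum(bool(CYRILLIC_RE.search(body)) for _, _, body in records)
    return hits / len(records) if records else 0.0

def extract_wallets(records):
    """Map currency -> sorted distinct wallet-looking strings found in message bodies."""
    found = {name: set() for name in WALLET_RES}
    for _, _, body in records:
        for name, rx in WALLET_RES.items():
            found[name].update(rx.findall(body))
    return {name: sorted(addrs) for name, addrs in found.items()}
```

On the constructed sample this yields offset +3, a 0.75 share of Cyrillic messages, one distinct BTC address and one ETH address; on a real export the offset inference only holds if the group keeps regular working hours.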



✅ Recommended Threat Detection and Mitigation Actions:

Please refer to the link below for more detailed analysis and response measures.



🧑‍💻 Report Author: S2W TALON (Updated 2025-02-24)

👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request and for QUAXAR subscribers.

