Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53)

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding a ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess that the Black Basta RaaS operators could include current or former members of the Conti group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) | Attack Pattern | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 1 |
| System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | Black Basta - S1070 (8d242fb4-9033-4f13-8a88-4b9b4bcd9a53) | Malware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) | Attack Pattern | 2 |
| Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) | Attack Pattern | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) | Attack Pattern | Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) | Attack Pattern | 2 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2 |
| Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | 2 |
| Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) | Attack Pattern | System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) | Attack Pattern | 2 |