Black Basta Ransomware

12539040659?profile=RESIZE_400xUS Cyber authorities are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure  sectors, including the Healthcare and Public Health (HPH) Sector.  This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting.

Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022.  Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500  organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data.  Ransom notes do not generally include an initial ransom demand or payment instructions.


·        Install updates for operating systems, software, and firmware as soon as they are released.

·        Require phishing-resistant MFA for as many services as possible.

·        Train users to recognize and report phishing attempts.

Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser).  Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.  The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks.  Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

Link to full report:  aa24-131a-joint-csa-stopransomware-black-basta_0.pdf

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and thinks highly of Recorded Future.  Red Sky agrees with providing as much intelligence to an analyst as possible and believes our data sets and services can help augment what RF is providing.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!