
Threat Actor Characterization

Black Basta

ID: be2d92671123880549ac2c1b86e4baa179236
Category: Crimeware / Ransomware
Threat types: Ransomware, RaaS, Data Theft, Extortion
Origin: Russia
Updated: 2026-03-14
Created: 2025-10-24
Aliases: BlackBasta
MITRE ATT&CK®

Black Basta is a ransomware-as-a-service (RaaS) ecosystem. Public reporting describes social engineering (Microsoft Teams-based vishing and remote-assistance abuse), legitimate remote management tooling, credential theft, hands-on-keyboard activity, data theft for extortion, and ransomware encryption for impact. Affiliate tradecraft evolves, so treat infrastructure indicators as time-bounded and prioritise behaviour-first detection.


ID · Technique · Tactics · Evidence (dated, with source)
T1566.001 Spearphishing Attachment TA0001 (note: the evidence cited below describes voice and Teams-based lures, which ATT&CK maps to T1566.004 Spearphishing Voice and T1566.003 Spearphishing via Service; neither cited source describes attachment-based delivery, so treat this sub-technique as provisional)
  • 2024-05-15 — Microsoft describes social engineering and vishing leading to tool delivery and ransomware deployment in Storm-1811 activity associated with Black Basta. · ref
  • 2025-01-21 — Email bombing followed by Microsoft Teams vishing is described as an initial access method in incidents that ended in ransomware deployment. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2024-05-10 — Joint CSA describes use of valid accounts and credential abuse across the intrusion lifecycle (high-level). · ref
T1059.001 PowerShell TA0002
  • 2024-05-15 — Hands-on-keyboard activity includes execution of scripts and commands after remote-control access is obtained. · ref
T1105 Ingress Tool Transfer TA0011
  • 2025-03-03 — Attack chain includes distribution of malicious files via cloud storage and transfer of tooling post-compromise. · ref
T1036 Masquerading TA0005 (note: DLL side-loading is classified under T1574 Hijack Execution Flow; Masquerading covers the renamed or look-alike legitimate binaries used alongside it)
  • 2025-03-03 — Abuse of legitimate binaries and DLL side-loading is described as a way to blend into normal workflows and maintain access. · ref
T1543.003 Windows Service TA0003 TA0004
  • 2024-05-10 — Joint CSA describes persistence mechanisms consistent with Windows services (high-level) used by affiliates. · ref
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • 2024-05-10 — INFERENCE (confidence: medium): joint CSA discusses persistence and execution patterns commonly implemented via scheduled tasks in ransomware intrusions. · ref
T1003 OS Credential Dumping TA0006
  • 2024-05-15 — Microsoft reporting describes credential theft following remote-control social engineering (including proxy phishing tooling). · ref
T1087 Account Discovery TA0007
  • 2024-05-10 — Joint CSA includes discovery activity that aligns with account discovery during intrusions (high-level). · ref
T1046 Network Service Discovery TA0007
  • 2024-05-10 — Joint CSA includes network discovery and reconnaissance behaviors used to expand access (high-level). · ref
T1021.001 Remote Desktop Protocol TA0008
  • 2025-01-21 — Sophos describes use of RDP and WinRM for accessing other computers during the intrusion chain in cases overlapping Black Basta tactics. · ref
T1047 Windows Management Instrumentation TA0002
  • 2024-05-10 — INFERENCE (confidence: low): ransomware affiliate playbooks often include WMI-based execution; joint CSA’s remote execution discussion supports this as a plausible method. · ref
T1560 Archive Collected Data TA0009
  • 2024-05-10 — Joint CSA describes data theft / staging consistent with archiving collected data prior to exfiltration (high-level). · ref
T1041 Exfiltration Over C2 Channel TA0010 (note: exfiltration with a standalone client such as WinSCP over SFTP/FTP is more precisely T1048 Exfiltration Over Alternative Protocol; T1041 applies only where data leaves over the existing C2 channel)
  • 2025-03-03 — Trend Micro describes exfiltration-related tooling (e.g., WinSCP) and persistent control channels used to support data theft. · ref
T1486 Data Encrypted for Impact TA0040
  • 2024-05-10 — Joint CSA focuses on ransomware deployment and encryption for impact. · ref
T1490 Inhibit System Recovery TA0040
  • 2024-05-10 — Joint CSA describes inhibiting system recovery behaviors typical of ransomware operations (e.g., disabling backups / recovery). · ref
Strategic Intelligence
Last updated: 2026-02-24T04:04:52+00:00

Black Basta

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Ransomware / RaaS (crimeware ecosystem)

Author: 3C-INT Analyst



Executive Summary

Black Basta is a Russian-speaking ransomware operation that emerged publicly in 2022 and has been widely reported as connected to the broader post-Conti crimeware ecosystem. Public reporting indicates the group operated a double-extortion model (data theft plus encryption) and relied on a multi-party ecosystem of initial access, tooling, hosting, and financial infrastructure.

In February–March 2025, large volumes of internal chat logs from a Matrix server were leaked publicly, providing visibility into operational tradecraft and third-party dependencies. Multiple analyses argue that the leak and upstream disruptions to access channels (e.g., QakBot-related disruption in 2023) contributed to fragmentation and affiliate migration rather than a clean “shutdown”.

  • Operating model: RaaS-style ecosystem (operators + affiliates / brokers). INFERENCE (confidence: high): The group’s pace, victim selection, and tooling mix align with a structured ransomware enterprise rather than a single small crew.
  • Language / origin signals: Public reporting consistently describes the core as Russian-speaking and connected to the post-Conti/Ryuk ecosystem.
OSINT Library

OSINT Library — Black Basta


2026-02-02 — Barracuda Networks Blog — “Lessons from Black Basta’s collapse”

Social Media & Communication

Addresses (clearnet domains):
  • onlylegalstuff6.top
  • thesiliconroad1.top
  • stuffstevenpeters4.top
  • greenmotors5.top
  • megatron3.top
  • databasebb3.top
Addresses (Tor hidden services):
  • stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion
  • bpeln2aqs66qqfuex2cvcyjiy5ggcwbyh5nbmxzxt6daamkmpmufv4qd.onion
  • 6y2qjrzzt4inluxzygdfxccym5qjy2ltyae7vnxtoyeotfg3ljwqtaid.onion
  • r6qkk55wxvy2ziy47oyhptesucwdqqaip23uxregdgquq5oxxlpeecad.onion
  • weqv4fxkacebqrjd3lmnss6lrmoxoyihtcc6kdc6mblbv62p5q6skgid.onion
  • fmzipzpirdpfelbbvnfhoehqxbqg7s7efmgce6hpr5xdcmeazdmic2id.onion
  • daulpxe3epdysjozaujz4sj7rytanp4suvdnebxkwdfcuzwxlslebvyd.onion
  • l6zxfn3u2s4bl4vt3nvpve6uibqn3he3tgwdpkeeplhwlfwy3ifbt5id.onion
  • bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion
  • aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion
  • ond5arqab77n6tykvi4aqp7oqegqdfgqfyf7fzyhfyhmbp7iafpzdtad.onion
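The profile advises treating infrastructure indicators as time-bounded. As an added example (not the profile's code), the script below matches the clearnet domains listed above against a constructed resolver log, grades each hit as active, stale or expired against a validity window, and separately flags any .onion query reaching the corporate resolver. The first/last-seen dates, the 30-day grace period, the log format and every log line are assumptions made for the example; the profile gives no dates for these addresses.

```python
"""Time-bounded matching of the profile's listed domains against DNS query logs.
Added example: the indicator validity windows, grace period, log format and
every log line are constructed (the profile gives no first/last-seen dates)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Indicator:
    domain: str
    first_seen: datetime   # hypothetical: earliest date the domain was reported active
    last_seen: datetime    # hypothetical: latest date it was reported active


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Hypothetical window. A hit inside it is "active", a hit within GRACE after it
# is "stale" (infrastructure often lingers), anything later is "expired" and
# should not page anyone on its own.
GRACE = timedelta(days=30)
INDICATORS = [
    Indicator(d, _day("2025-01-15"), _day("2025-04-30"))
    for d in ("onlylegalstuff6.top", "thesiliconroad1.top", "stuffstevenpeters4.top",
              "greenmotors5.top", "megatron3.top", "databasebb3.top")
]

# Constructed resolver log, one query per line: "<utc ts> <client ip> <qtype> <qname>".
DNS_LOG = """\
2025-03-02T08:15:22Z 10.20.3.44 A onlylegalstuff6.top
2025-03-02T08:15:23Z 10.20.3.44 A cdn.greenmotors5.top.
2025-03-02T08:16:00Z 10.20.3.44 A login.microsoftonline.com
2025-03-02T08:17:10Z 10.20.3.44 A stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion
2025-03-02T08:18:00Z 10.20.5.1 A notgreenmotors5.top
2025-05-20T12:00:00Z 10.20.7.9 A megatron3.top
2025-09-01T09:00:00Z 10.20.7.9 A databasebb3.top
""".splitlines()


def normalize(qname: str) -> str:
    return qname.lower().rstrip(".")


def defang(qname: str) -> str:
    """Render an indicator so it cannot be clicked or auto-linked in a report."""
    return qname.replace(".", "[.]")


def matches(qname: str, domain: str) -> bool:
    """Exact or subdomain match only; 'notgreenmotors5.top' must not match."""
    return qname == domain or qname.endswith("." + domain)


def classify(ts: datetime, ind: Indicator) -> str:
    if ind.first_seen <= ts <= ind.last_seen:
        return "active"
    if ind.last_seen < ts <= ind.last_seen + GRACE:
        return "stale"
    return "expired"


def scan(lines):
    hits = []
    for line in lines:
        ts_s, client, _qtype, qname = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        qname = normalize(qname)
        # RFC 7686: .onion names must never reach the DNS. A query for one on the
        # corporate resolver means a Tor client is leaking, which is worth a look
        # whether or not the specific service is on any list.
        if qname.endswith(".onion"):
            hits.append({"ts": ts_s, "client": client, "qname": defang(qname), "status": "onion-leak"})
            continue
        for ind in INDICATORS:
            if matches(qname, ind.domain):
                hits.append({"ts": ts_s, "client": client, "qname": defang(qname),
                             "status": classify(ts, ind)})
                break
    return hits


def summarize(hits) -> dict:
    return dict(Counter(h["status"] for h in hits))


if __name__ == "__main__":
    results = scan(DNS_LOG)
    for h in results:
        print(f'{h["status"]:10} {h["ts"]} {h["client"]:12} {h["qname"]}')
    print(summarize(results))
```

Expired hits are kept rather than dropped so that a burst of them can still be reviewed, but only active and stale hits, and any .onion leak, would normally be wired to an alert.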