Black Basta emerged in April 2022, and within two years it had become one of the most active and technically innovative ransomware operations in the ecosystem. By early 2024, the group had compromised over 500 organizations across at least 12 countries, collecting an estimated $100 million in ransom payments. Spawned from the Conti diaspora, Black Basta combined Conti's operational maturity with a willingness to innovate on initial access techniques that kept defenders constantly adapting.
The group's 2024 operations showed particular evolution in social engineering, EDR evasion, and supply chain exploitation — techniques that reflected a maturing operation learning from the broader ransomware ecosystem's successes and failures.
Conti DNA
Black Basta's Conti lineage was established through multiple lines of evidence:
- Code analysis showed significant overlap between Black Basta's ransomware payload and Conti's leaked source code
- Blockchain analysis connected Black Basta cryptocurrency wallets to addresses previously associated with Conti
- Operational patterns — including target selection, negotiation tactics, and infrastructure management — closely mirrored Conti's documented methodologies from the leaked playbooks
- Several Black Basta operators were identified in communications previously associated with Conti's internal chat logs
The group carried forward Conti's professionalism and organizational structure while building a distinct brand and infrastructure.
2024 Technical Innovations
QR Code Phishing
In late 2023 and into 2024, Black Basta introduced QR code-based phishing as an initial access vector. The technique was clever in its simplicity:
- Attackers sent employees emails containing QR codes, often disguised as MFA enrollment or IT infrastructure notifications
- When scanned with mobile phones, the QR codes directed users to credential harvesting pages
- Because QR codes bypassed email link scanning tools (the malicious URL was embedded in an image, not a clickable link), traditional email security gateways didn't flag them
- Harvested credentials provided initial network access
Microsoft Teams Social Engineering
Black Basta adapted Scattered Spider's social engineering playbook for their own operations:
- Operators contacted employees via Microsoft Teams, posing as IT support staff
- They used legitimate-seeming display names and profile pictures
- Conversations directed employees to install remote management tools (AnyDesk, Quick Assist) or visit credential harvesting sites
- The Teams-based approach bypassed email security controls entirely
Help Desk Bombardment
A particularly effective technique involved overwhelming target employees with spam emails — sometimes thousands in a few hours — then calling or messaging the employee while posing as IT support offering to fix the "email problem." The overwhelmed employee was then guided through installing remote access tools that gave the attackers persistent access.
Post-Exploitation Arsenal
Once inside a network, Black Basta's operations were methodical and fast:
Credential Access
- Mimikatz: Standard credential harvesting from LSASS memory
- SharpHound/BloodHound: Active Directory enumeration and privilege escalation path identification
- Credential dumping from domain controllers: Targeting ntds.dit together with the SYSTEM registry hive (which holds the boot key needed to decrypt it) for offline cracking
Lateral Movement
- Impacket: PsExec, WMIExec, and SMBExec modules for remote execution
- Cobalt Strike: Beacon deployment for command and control across the network
- RDP: Using harvested credentials for interactive access to sensitive systems
Defense Evasion
Black Basta invested significantly in EDR evasion:
- Custom tools: Proprietary utilities designed to disable or blind specific EDR products
- Bring Your Own Vulnerable Driver (BYOVD): Loading legitimate but vulnerable signed drivers to gain kernel-level access, then using that access to disable security tools
- Safe Mode abuse: Rebooting systems into Safe Mode (where many security tools don't run) before deploying ransomware
- Timestomping and log clearing: Modifying file timestamps and clearing Windows event logs to complicate forensic analysis
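As an added example (mine, not from the original post), a small Python detection over constructed Windows event records that flags the Safe Mode staging and event log clearing listed above on a per-host basis; the record format, host names and timestamps are constructed, while event IDs 4688 (process creation) and 1102 (audit log cleared) and the bcdedit/wevtutil command lines are real Windows artifacts.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): timestamp|host|event_id|detail, one record per line.
SAMPLE_EVENTS = """\
2024-06-03T02:11:05Z|WS-114|4688|whoami.exe /all
2024-06-03T02:14:40Z|WS-114|4688|bcdedit.exe /set {default} safeboot network
2024-06-03T02:15:02Z|WS-114|4688|bcdedit.exe /set {default} safebootalternateshell yes
2024-06-03T02:15:30Z|WS-114|1102|The audit log was cleared
2024-06-03T02:16:01Z|WS-114|4688|wevtutil.exe cl System
2024-06-03T03:02:17Z|SRV-DB01|4688|bcdedit.exe /enum
2024-06-03T03:05:44Z|SRV-DB01|4688|wevtutil.exe cl Security
"""

# bcdedit writing a safeboot value (Safe Mode or Safe Mode with alternate shell), and wevtutil clearing a log.
SAFEBOOT_RE = re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot(alternateshell)?\b", re.I)
LOGCLEAR_RE = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)

def parse_events(text):
    """Yield one dict per record; the split limit keeps '|' characters inside the detail field intact."""
    for line in text.splitlines():
        ts, host, event_id, detail = line.split("|", 3)
        yield {"ts": ts, "host": host, "id": int(event_id), "detail": detail}

def detect_safe_mode_staging(events):
    """Per host: Safe Mode boot configured, event logs cleared, or both.
    A host showing both matches the staging pattern (reboot into Safe Mode, remove evidence)
    and is rated highest; the timestamps are kept so an analyst can see the ordering."""
    per_host = defaultdict(lambda: {"safeboot": [], "logclear": []})
    for ev in events:
        if ev["id"] == 4688 and SAFEBOOT_RE.search(ev["detail"]):
            per_host[ev["host"]]["safeboot"].append(ev["ts"])
        elif ev["id"] == 1102 or (ev["id"] == 4688 and LOGCLEAR_RE.search(ev["detail"])):
            per_host[ev["host"]]["logclear"].append(ev["ts"])
    findings = {}
    for host, hits in per_host.items():
        if hits["safeboot"] and hits["logclear"]:
            findings[host] = "critical: Safe Mode boot configured, then event logs cleared"
        elif hits["safeboot"]:
            findings[host] = "high: Safe Mode boot configured"
        elif hits["logclear"]:
            findings[host] = "medium: event log cleared"
    return findings

if __name__ == "__main__":
    for host, verdict in detect_safe_mode_staging(parse_events(SAMPLE_EVENTS)).items():
        print(host, verdict)
```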
Data Exfiltration
Before encryption, Black Basta exfiltrated data for double extortion:
- rclone: Configured to sync stolen data to attacker-controlled cloud storage
- Custom exfiltration tools: Purpose-built utilities for compressing and transferring large data sets
- WinSCP and FileZilla: Standard file transfer tools that blend with legitimate network activity
The Ransomware Payload
Black Basta's payload evolved through several versions:
Windows: Written in C++, using ChaCha20 for file encryption. The payload supported intermittent encryption for speed and could target both local and network volumes. Ransom notes were dropped as readme.txt files, and the desktop wallpaper was changed to display contact instructions.
Linux/ESXi: A dedicated variant targeting VMware ESXi environments, capable of encrypting virtual machine disk files. This variant posed a particular threat to organizations running virtualized infrastructure, where a single ESXi host may carry many production systems.
The group's encryption scheme was eventually found to have implementation flaws. In January 2024, researchers at SRLabs published a decryption tool for certain Black Basta encrypted files, exploiting a weakness in the ChaCha20 keystream implementation. Black Basta quickly patched the flaw in subsequent versions.
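Why a file-level decryptor can exist at all for a ChaCha20-based payload: an added example (mine, not the page's and not Black Basta's code) that models one class of keystream implementation flaw, reusing a single 64-byte keystream block across a whole file, beside the correct construction. The page says only that the flaw lay in the keystream implementation, so the modelled bug, the key, the nonce and the sample file are all assumptions; the ChaCha20 block function itself follows RFC 7539.

```python
import struct

def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))
def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """RFC 7539 ChaCha20 block function: 64 keystream bytes for one (key, counter, nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
    state += [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 x (column round + diagonal round)
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *q)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_correct(key, nonce, data):
    """Proper stream-cipher use: a fresh counter, hence fresh keystream, for every 64-byte chunk."""
    return b"".join(_xor(data[i:i + 64], chacha20_block(key, i // 64, nonce))
                    for i in range(0, len(data), 64))

def encrypt_flawed(key, nonce, data):
    """Modelled flaw (an assumption, not Black Basta's code): the counter is never advanced,
    so the same 64 keystream bytes are XORed into every chunk of the file."""
    block = chacha20_block(key, 0, nonce)
    return b"".join(_xor(data[i:i + 64], block) for i in range(0, len(data), 64))

def recover_flawed(ciphertext, known_chunk, known_offset):
    """Decryptor's view: one 64-byte-aligned chunk of known plaintext (e.g. a zero-filled region)
    reveals the reused keystream, which then decrypts the whole file without the key."""
    keystream = _xor(ciphertext[known_offset:known_offset + 64], known_chunk)
    return b"".join(_xor(ciphertext[i:i + 64], keystream) for i in range(0, len(ciphertext), 64))

# Constructed sample input: a file whose second 64-byte chunk is all zeros, as disk-image padding often is.
KEY = bytes(range(32))  # constructed test key
NONCE = bytes(12)
SAMPLE = b"header:" + bytes(57) + bytes(64) + b"payload data " * 11 + bytes(4)

def demo():
    """True if the flawed file is fully recovered from one known zero chunk while the correct one is not."""
    zeros = bytes(64)
    return (recover_flawed(encrypt_flawed(KEY, NONCE, SAMPLE), zeros, 64) == SAMPLE
            and recover_flawed(encrypt_correct(KEY, NONCE, SAMPLE), zeros, 64) != SAMPLE)
```

The point for defenders is that the cipher primitive was not the problem; any stream cipher whose keystream is reused becomes a two-time pad, which is what a file-level decryptor exploits, and which the patched versions closed.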
Victim Profile and Impact
Black Basta's targeting was broad but showed preferences:
- Manufacturing: The most frequently targeted sector, likely due to operational urgency driving willingness to pay
- Construction: Companies with active projects facing costly delays from encrypted systems
- Professional services: Law firms and consulting companies with sensitive client data
- Healthcare: Despite public claims of avoiding healthcare, several healthcare organizations were hit
- Technology: IT companies whose compromise could cascade to their client bases
The group's leak site, hosted on Tor, published stolen data from non-paying victims and served as a pressure mechanism during negotiations. The volume of postings — averaging several new victims per week throughout 2024 — reflected the operation's industrial scale.
Internal Leaks (2025)
In February 2025, an internal leak of Black Basta's chat logs — mirroring the Conti leaks from 2022 — provided additional insight into the group's operations. The leaked communications revealed:
- Internal disagreements about targeting and operational security
- Details about the group's organizational structure and financial operations
- Relationships with initial access brokers and other criminal groups
- Technical discussions about tool development and evasion techniques
The leak suggested internal fracturing, and Black Basta's operational tempo declined significantly following the exposure.
The Supply Chain Angle
Black Basta's operations highlighted several supply chain risks:
IT management tool abuse: The group's use of legitimate remote management tools (AnyDesk, ConnectWise, Quick Assist) as both initial access and persistence mechanisms turned the IT management supply chain against organizations.
EDR supply chain trust: The BYOVD technique exploited the trust model of Windows driver signing. Organizations trust that signed drivers are safe — Black Basta exploited that trust to disable the very security tools that were supposed to protect them.
Vendor access as attack path: Multiple Black Basta incidents traced back to compromised vendor or contractor accounts, demonstrating that third-party access remains a consistent initial access vector.
How Safeguard.sh Helps
Black Basta's evolution through 2024 demonstrated that ransomware groups continuously adapt their techniques, making static defense insufficient. The group's exploitation of software supply chain trust — from driver signing to remote management tools to vendor access — requires continuous monitoring of your technology stack.
Safeguard.sh provides that continuous monitoring through automated SBOM management and real-time vulnerability tracking. The platform identifies the components in your supply chain that attackers target — from the management tools running on your endpoints to the infrastructure software connecting your network. When Black Basta introduces a new technique exploiting a vendor product in your stack, Safeguard.sh ensures you know about the vulnerability and can respond before exploitation occurs.
The platform's policy engine allows you to enforce security standards across your supply chain, ensuring that each component meets your security requirements throughout its lifecycle — not just at procurement time, but continuously as new threats emerge.