ZeroFox Intelligence: Black Basta Ransomware Updates


First Seen: February 2022
Origin: Likely Russia; Russian-speaking
Motivation: Financial
Targeted Industries: Automotive, Construction, Cosmetics, Finance, Government, Healthcare, Insurance, Manufacturing, Pharmaceuticals, Professional Services, Real Estate, Retail, Telecommunications, Transportation, and Utilities


Black Basta follows the ransomware-as-a-service (RaaS) model used by threat actors to infect and extort victims. Consistent with most ransomware collectives, Black Basta operators exfiltrate sensitive corporate data before encrypting devices and leverage double-extortion tactics, threatening to release the exfiltrated data if ransom demands are not met. The ransomware was identified in mid-April 2022 following the first reported incidents of compromise, though evidence indicates it was in development as early as February 2022.

The group also made its presence known on the Russian underground forum Exploit[.]in in late April; ZeroFox Intelligence observed a user with the name “Black Basta” posting an advertisement that offered to purchase and monetize access to corporate networks for a percentage of profits. According to the announcement, the actor was interested in organizations located in the United States, Canada, the United Kingdom (UK), Australia, and New Zealand.

Black Basta ransomware introduced some significant feature updates in November 2022, namely new file encryption algorithms, a change in the number of file extensions used per victim, and stack-based string obfuscation, all of which likely give the operators better evasion capabilities against antivirus and Endpoint Detection and Response (EDR) tools.
