Black Basta

black-basta · primary source: Other · first observed 2022 · last observed 2025

?? · UnknownRansomwareModerate confidencelast cited Feb 10, 2025 · 1.3y ago

Russian-speaking closed-affiliate ransomware operation widely assessed as a Conti spinoff that began encrypting victims in April 2022, days before the Conti brand wound down following the February 2022 Conti Leaks. Affiliate roster reportedly includes former Conti (Wizard Spider) and REvil members. Heavy targeting of healthcare and U.S. critical-infrastructure sectors; pivoted in mid-2024 to a 'vishing + Microsoft Teams social-engineering' initial-access pattern. Internal chat logs leaked in February 2025 ('BlackBastaGPT' dataset) publicly exposed operations and accelerated the brand's fragmentation.

Aliases

UNC4393MandiantStorm-1811MicrosoftBlackBastaOther

Motivations

financial gain

Target sectors

healthcaremanufacturingfinancialconstructiongovernment

Target countries

USDEGBCAAUFRIT

Lineage & relationships

full graph →

Lineage of

Conti

Conti v2 builder + operator overlap

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Black Basta
Unknown
financial gain

Capability

Infrastructure

170.130.165.73
moereng.com
exckicks.com

Victim

healthcare
manufacturing
financial
US
DE
+1 more

MITRE ATT&CK techniques

T1486 T1490 T1566.004 T1219

Tools & malware

3 entries

Timeline

1 event

ReportHigh2025-02-11·Hudson Rock / open-source
Black Basta internal chat logs leaked (BlackBastaGPT dataset)
A leaker published 200,000+ internal Matrix chat messages from the Black Basta operation spanning September 2023 to September 2024. The dataset (subsequently indexed by researchers as 'BlackBastaGPT') exposed operator handles, internal disputes after a Black Basta affiliate compromised a Russian state-aligned victim, the operation's exploit and CVE-tracking process, and ties to the broader Conti-lineage ecosystem. The leak accelerated the brand's fragmentation and operator dispersion.
leakransomwareopen-source-intelligence

Indicators of compromise

4 indicators

defangedcsv

Type	Value	First seen	Source
IPv4	170[.]130[.]165[.]73 family · Black Basta Likely Black Basta Cobalt Strike infrastructure first seen October 14, 2024 per Table 7 of the November 8, 2024 update to AA24-131A.	Oct 13, 2024	CISA
Domain	moereng[.]com family · Black Basta Suspected Black Basta Cobalt Strike domain first seen October 9, 2024 and listed in Table 8 of the November 8, 2024 update to joint FBI/CISA/HHS/MS-ISAC advisory AA24-131A. Black Basta is a Conti-spinoff RaaS that hit more than 500 organizations across 12 critical-infrastructure sectors, including healthcare.	Oct 8, 2024	CISA
Domain	exckicks[.]com family · Black Basta Suspected Black Basta Cobalt Strike domain first seen October 2, 2024, listed alongside moereng.com in Table 8 of the November 8, 2024 update to AA24-131A.	Oct 1, 2024	CISA
Name	readme.txt family · Black Basta Black Basta ransom note filename described in AA24-131A; the note omits a payment amount and directs victims to a .onion site (Basta News). Encrypted files receive a .basta or random extension after ChaCha20+RSA-4096 encryption.	May 9, 2024	CISA

Related actors

shared ATT&CK techniques

?? · UnknownBlackSuit3 shared techniques
RU · RussiaConti3 shared techniques
RU · Russia8Base2 shared techniques
- T1486
- T1490
?? · UnknownAkira2 shared techniques
- T1486
- T1490
?? · UnknownALPHV/BlackCat2 shared techniques
- T1486
- T1490
RU · RussiaDarkSide2 shared techniques
- T1486
- T1490

References

#StopRansomware: Black Basta (AA24-131A)
CISA · 2024-05-10

cite this page

Threat Intel Tracker. (2026-05-19). Black Basta — actor profile. Retrieved from https://threatintel.local/actors/black-basta

latest cited activity · 2025-02-11 · 4 cataloged indicators