Examining the Black Basta Ransomware’s Infection Routine

Trend Micro



We analyze the Black Basta ransomware and examine the malicious actor’s familiar infection tactics.

By: Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Morales

May 09, 2022

Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches at organizations in a short span of time.

On April 20, 2022, a user named Black Basta posted on the underground forums XSS.IS and EXPLOIT.IN to advertise that it intended to buy and monetize corporate network access credentials for a share of the profits. The advertisement also specified that it was looking for organizations based in the United States, Canada, United Kingdom, Australia, and New Zealand, which are all English-speaking countries. A report noted that malicious actors acquired stolen credentials from some darknet websites that peddle an enormous amount of exfiltrated data to the underground market.

On April 26, Twitter user PCrisk tweeted about the new Black Basta ransomware that appends the extension .basta and changes the desktop wallpaper.

Read More: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html