Black Basta

New in April 2022, the group is known for their double extortion attacks, threatening victims to pay a demanded ransom or risk having stolen data slowly leaked on a dedicated data leak site (“DLS”), ‘Black Basta Blog.’ The group has been observed to target high-value organizations, with many victims based in the US, focusing on the construction and manufacturing industries. The group targets a wide span of organizations, also including real estate, business services, and chemicals. The Black Basta encryptor appears to be a console-based executable ransomware, needing to be run with administrative privileges to execute properly. Once encryption is complete, the ransomware will change the wallpaper to display a message to the victim, displaying further instructions are in a ‘readme.txt’ file. The .txt file will also contain a link and a unique ID required to log in to their dedicated negotiation chat session. Speculations have risen that this group may be a rebrand of a once-formed group.