mor3intel Threat Intelligence

Black Basta

Status: active

Also known as: BlackBasta

Black Basta emerged in 2022 and is believed to be composed of former Conti ransomware members. The group uses QakBot and other malware for initial access and is known for rapid encryption.

First Seen: 2022-04
Last Activity: 2025-01
Target Regions: 2 regions
Industries: 4 sectors (Manufacturing, Construction, Healthcare, Technology)

Attack Chain (MITRE ATT&CK)
Visual representation of the attack phases and techniques used by Black Basta

Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
Technique ID | Name | Tactic | Description | Reference
T1566 | Phishing | Initial Access | QakBot delivery via malicious documents | MITRE
T1486 | Data Encrypted for Impact | Impact | ChaCha20 encryption algorithm | MITRE

Indicators of Compromise (IOCs)
Known IOCs associated with Black Basta operations
Type | Value | Description | Last Seen
hash | d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 | Black Basta ransomware | 2025-01-18
filename | readme.txt | Ransom note | —

IOCs are defanged for safety.

Detection Guidance
SIEM and EDR detection recommendations for identifying Black Basta activity
  1. Monitor for QakBot infection indicators
  2. Detect Cobalt Strike beacon activity
  3. Alert on Rclone execution

Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
  1. Block QakBot IOCs
  2. Isolate affected systems
  3. Disable network shares


This platform is intended for defensive cybersecurity, incident response, and recovery purposes only. Information provided is for educational and defensive use.

© 2026 mor3intel