Black Basta: The Tactics and Techniques of Formidable Hackers
Image generated with Le Chat from Mistral AI

Black Basta: The Tactics and Techniques of Formidable Hackers

Ransomware cyberattacks have become a persistent threat to businesses and institutions. Among the most active groups, Black Basta has distinguished itself by compromising numerous infrastructures worldwide, leveraging advanced intrusion and malware deployment techniques. Understanding their methods helps strengthen cybersecurity and anticipate future cybercriminal strategies.

With this in mind, the tool BlackBastaGPT was developed to analyze internal communications between Black Basta members, which were revealed in a leak of 200,000 messages spanning from September 2023 to September 2024. By leveraging these thousands of messages, this tool precisely identifies the tactics, techniques, and procedures (TTPs) employed. The goal is to provide a deeper understanding of their operations, highlight their preferred attack methods, and propose protective measures against emerging threats.

This article delves into the various approaches used by Black Basta, from initial network infiltration to ransomware deployment, including persistence strategies and evasion techniques. By analyzing data from BlackBastaGPT, it becomes possible to decipher hacker trends and assess whether your company is a potential target by identifying exploited vulnerabilities and the strategies favored by cybercriminals.

1. Initial Access: How Does Black Basta Infiltrate Systems?

Initial infiltration is a crucial step for Black Basta, as the group seeks to establish a foothold within the target network. To achieve this, they employ various methods aimed at bypassing security mechanisms and gaining privileged access. Analysis of their internal communications highlights three main approaches:

Exploiting Compromised RDP and VPN Credentials

One of the most common attack vectors involves using stolen credentials to access systems via exposed services, particularly Remote Desktop Protocol (RDP) and virtual private networks (VPNs). These credentials can be obtained through various means:

  • Purchasing them from underground marketplaces where authentication databases are sold.
  • Using credential stuffing, a technique that tests credentials from previous data breaches across multiple services.
  • Exploiting weak or unchanged passwords, which makes it easier to access administrator or user accounts.

Once valid access is obtained, Black Basta typically conducts an initial reconnaissance of the network to identify critical machines and assess the attack surface.

Social Engineering and Voice Phishing (Vishing)

The group also employs social engineering techniques to obtain legitimate access. One frequently mentioned method in their communications is vishing (voice phishing). This involves contacting employees of a targeted company while impersonating IT support or a technical service provider. The goal is to obtain login credentials or persuade the victim to perform specific actions, such as installing malware or modifying their login settings.

This approach is supported by information gathered from public sources or compromised databases, enabling attackers to craft a credible and personalized script.

Targeting Vulnerable Critical Infrastructure

Virtualized infrastructures and remote access services are prime targets for Black Basta, particularly VMware ESXi servers. Exploiting vulnerabilities in these hosts allows attackers to gain access to multiple virtual machines without needing to infiltrate each system individually.

Beyond ESXi, Black Basta actively targets other critical software and infrastructure:

  • Jenkins: IP addresses associated with Jenkins are collected, suggesting an intent to exploit vulnerabilities or access continuous integration pipelines.
  • Citrix: Mentions of bots linked to Citrix and access to Citrix VPN portals indicate potential exploitation of these systems.
  • Windows RDP and Remote Desktop Services (RDS): Remote access via RDP is another target, with credentials and access being shared on administrative portals.
  • SSH and Linux-based systems: The use of SSH commands and the presence of credentials linked to Linux environments suggest compromises of online servers.
  • Web servers and various infrastructures: Several discussions reference IP addresses and ports associated with web services, indicating potential exploitation attempts or system takeovers.

Some internal discussions reveal that Black Basta actively monitors the release of security patches and targets infrastructures that have not applied critical updates. This strategy allows them to exploit known vulnerabilities before system administrators can patch them, maximizing their chances of success.

Recommended Defensive Measures

  • Strengthen authentication for sensitive access points:
    • Enable multi-factor authentication (MFA) on RDP, Citrix VPN, and SSH connections to mitigate the risk of stolen credentials.
    • Restrict RDP and SSH access to authorized IP addresses only, and consider using a secure bastion host.
    • Limit access to Jenkins and ESXi management interfaces by enforcing IP restrictions and strong authentication.
  • Enhance monitoring of suspicious activity:
    • Implement audit logs to detect unauthorized access attempts or unusual activity.
    • Configure login alerts to notify administrators of access from unusual locations.
  • Secure virtualized and cloud environments:
    • Apply security patches promptly on ESXi, Jenkins, and Citrix hosts, and stay updated on new vulnerabilities.
    • Restrict access to hypervisor administration consoles (ESXi), Jenkins services, and Citrix VPNs using strong authentication and strict access controls.
    • Regularly review SSH access configurations and ensure that no unauthorized keys are active.

By implementing these measures, organizations can significantly reduce the risk of intrusion and detect malicious access attempts more effectively.

2. Execution: Deploying Malicious Software

Once access to the target network is established, Black Basta proceeds with deploying malicious software to take control of systems and prepare for ransomware activation. This phase relies on stealthy mechanisms that allow malicious code execution while minimizing detection by security solutions.

Use of Malicious Scripts and DLLs

One of the group’s preferred methods for executing code is leveraging malicious dynamic link libraries (DLLs), often loaded by legitimate system processes. Commands such as:

rundll32.exe dll.dll,Enter
Powershell

have been observed in the group’s internal communications. The rundll32.exe tool, a legitimate Windows executable, allows functions within DLL files to be executed, making this method effective in bypassing certain security solutions.

Additionally, Black Basta exploits other native Windows tools like regsvr32.exe, which can also execute DLLs without immediately triggering suspicion from security defenses.

VBS Scripts for Automated Execution

Automation plays a crucial role in malware deployment. Black Basta utilizes Visual Basic Script (VBS) scripts to discreetly execute commands and evade behavior-based detection mechanisms. These scripts enable:

  • Downloading and executing additional payloads.
  • Establishing connections to command and control (C2) servers.
  • Modifying system settings to facilitate attack persistence.

VBS scripts are often executed alongside other native scripting languages like PowerShell or Batch, providing increased flexibility in orchestrating malicious actions.

Recommended Defensive Measures

  • Restrict the Execution of Unsigned Scripts:
    • Configure Group Policy (GPO) settings to prevent the execution of unsigned VBS and PowerShell scripts.
    • Enable Windows Script Host Restrictions to limit VBS exploitation.
  • Block the Use of Remote Administration Tools:
    • Restrict or monitor the usage of rundll32.exe and regsvr32.exe to prevent malicious DLL execution.
    • Disable PowerShell, Windows Management Instrumentation (WMI), and other remote administration tools when not needed.
  • Monitor Suspicious Behavior:
    • Implement alerts to detect unusual script execution or administrative tool abuse.
    • Enable Windows Event Logging (Event ID 4688) to track suspicious process executions.

By applying these measures, organizations can significantly reduce the risk of malicious script execution and strengthen their security posture against Black Basta’s attacks.

3. Persistence: Maintaining Long-Term Access

After infiltrating a network, Black Basta aims to ensure long-term access to the targeted infrastructure. This persistence phase is crucial for maximizing the attack’s impact, enabling remote control, and preventing loss of access due to system reboots or defensive measures taken by the targeted organization. To achieve this, the group employs various mechanisms to maintain its presence within the compromised environment.

Deployment of Bots and Command & Control Servers

Once the initial malware is executed, Black Basta establishes bots capable of communicating with command and control (C2) servers. These servers allow attackers to:

  • Receive updates on the status of the compromised network.
  • Send instructions to infected machines, such as executing new malware or collecting sensitive information.
  • Deploy additional modules based on the targeted environment and detected security measures.

Communications between bots and C2 servers are often encrypted and use legitimate protocols to mask malicious traffic. In some cases, attackers rely on communication infrastructures based on Tor or legitimate cloud services to complicate detection and block connections.

Access via SOCKS Proxies to Bypass Restrictions

Black Basta also uses SOCKS5 proxies to maintain persistent connectivity with compromised machines. These proxies allow attackers to route their traffic through infected hosts, making it harder to identify their true origin. This method provides several advantages:

  • Avoiding detection by firewalls and security solutions monitoring suspicious outbound connections.
  • Concealing malicious activity by blending traffic with legitimate enterprise network flows.
  • Enabling remote access without relying on VPNs or other more easily detectable methods.

The use of SOCKS proxies is often combined with tools such as ngrok or reverse shells, enabling attackers to establish secure tunnels for controlling compromised machines without raising suspicion.

Recommended Defensive Measures

  • Monitor and Audit Network Connections:
    • Identify and block outbound connections to suspicious IP addresses or domains known to be associated with C2 infrastructure.
    • Implement detection mechanisms for unusual encrypted tunnels, particularly by analyzing network flows and abnormal communication patterns.
  • Strict Management of Accounts and Privileges:
    • Disable or remove inactive user accounts, which could be exploited to establish persistent access.
    • Apply the principle of least privilege, limiting administrator rights and monitoring unusual privilege escalations.
  • Restrict Tools Used for Persistence:
    • Disable or limit the use of remote administration tools and protocols if they are not essential.
    • Implement advanced logging for remote access and monitor unusual activity, particularly for RDP and SSH connections.

By implementing these measures, organizations can reduce Black Basta’s ability to maintain persistent access and improve early detection of potential compromises.

4. Credential Access: Theft of Passwords and Credentials

Gaining access to user and administrator credentials is a critical step for Black Basta. By compromising legitimate accounts, attackers can move freely within the network, bypass security measures, and execute malicious actions with elevated privileges. Several techniques are used to extract and exploit these credentials.

Password Dumping and Exploitation of Cracking Services

Black Basta utilizes specialized tools to extract passwords stored in memory or system databases. Commonly observed techniques include:

  • Extracting password hashes using tools such as Mimikatz or LSASS dumping, which retrieve authentication data from system memory.
  • Accessing SAM and NTDS databases on domain controllers, which store user credentials in a Windows network.
  • Using cracking services to brute-force extracted hashes and recover plaintext passwords, often leveraging databases of previously compromised credentials.

Once credentials are obtained, attackers attempt to reuse passwords across multiple systems, taking advantage of weak password rotation policies or insufficiently strict password requirements.

Retrieving Credentials Stored in Files and Browsers

Attackers also exploit authentication data stored locally by users. Several key vectors include:

  • Extracting saved passwords from web browsers, using tools that access credential storage databases in Chrome, Firefox, or Edge.
  • Searching for files containing credentials (text files, configuration files, automation scripts) left unprotected on workstations or network shares.
  • Stealing SSH keys and certificates stored on compromised machines, facilitating access to remote systems and critical resources.

This approach allows attackers to access internal and external services with legitimate credentials, reducing the likelihood of security alerts triggered by suspicious logins.

Recommended Defensive Measures

  • Strengthening Password Management:
    • Encourage the use of secure password managers, which store credentials in an encrypted manner and prevent password saving in browsers.
    • Implement a password renewal policy to limit the reuse of compromised credentials.
  • Monitoring and Restricting Access:
    • Deploy detection mechanisms for suspicious login attempts, particularly repeated authentication failures or logins at unusual times.
    • Restrict access to files containing sensitive information and monitor unauthorized access attempts.
  • Protecting Credentials in Memory and on Systems:
    • Enable Credential Guard on Windows systems to prevent in-memory credential extraction.
    • Restrict permissions on SAM and NTDS databases to limit access to password hashes.

By implementing these measures, organizations can reduce Black Basta’s ability to exploit credentials and enhance account security against compromise attempts.

5. Lateral Movement: Spreading Across the Network

Once an initial access point is established, Black Basta seeks to expand its presence within the target environment by moving laterally to other systems. This phase is crucial for maximizing the attack’s impact, gaining access to critical resources, and preparing for the final ransomware deployment. Attackers use several techniques to propagate while minimizing detection.

Exploiting Internal RDP Access and Stolen Accounts

One of the primary methods for lateral movement is leveraging Remote Desktop Protocol (RDP) connections within the network. By using stolen credentials obtained in earlier phases, Black Basta can:

  • Connect to other machines in the environment using administrator or technical accounts.
  • Identify systems with elevated privileges to gain access to critical data and services.
  • Install malicious tools or configure backdoors to ensure prolonged access.

This technique is especially effective when administrator accounts are reused across multiple machines without proper segmentation. Once in possession of these credentials, attackers can easily move from host to host without triggering obvious alerts.

Pivoting via SOCKS Proxies to Conceal Connections

Black Basta sets up SOCKS5 proxies to obscure their movements and facilitate communication between compromised machines. This approach allows them to:

  • Conceal the origin of connections by routing traffic through infected hosts, making it harder to detect malicious activities.
  • Bypass network restrictions using encrypted tunnels that circumvent internal firewall controls.
  • Access isolated network segments by leveraging already compromised machines with privileged access.

The use of these proxies is often combined with hijacked remote administration tools such as PsExec, WMI, or SSH, allowing attackers to execute commands on other hosts without direct interaction.

Recommended Defensive Measures

  • Strict Network Segmentation:
    • Isolate different environments (user workstations, servers, critical systems) to prevent unrestricted internal traffic flow.
    • Restrict RDP and SSH access, limiting their use to essential operational needs only.
  • Limit Administrative Access:
    • Enforce the principle of least privilege, ensuring administrator accounts are not used across multiple machines.
    • Disable shared accounts and implement strong authentication for sensitive access points.
  • Monitor Suspicious Connections:
    • Set up alerts for unusual RDP connections and repeated remote login attempts.
    • Identify and block unauthorized SOCKS proxies by analyzing network traffic and monitoring abnormal machine behavior.

By implementing these measures, organizations can limit Black Basta’s ability to move laterally within the network and detect any attempts at propagation more quickly.

6. Data Exfiltration: Theft and Transfer of Sensitive Data

Modern ransomware attacks, including those carried out by Black Basta, go beyond simple file encryption. Attackers adopt a double extortion strategy, which involves exfiltrating sensitive data before encrypting it. This technique increases pressure on victims by threatening to leak stolen information if the ransom is not paid.

Use of Dedicated File Servers

To centralize stolen data before transferring it outside the target network, Black Basta sets up temporary file servers within the compromised infrastructure. These servers, typically installed on already compromised machines, serve to:

  • Gather sensitive files from various systems.
  • Organize data based on its value (financial records, personal data, internal documents).
  • Prepare the exfiltration discreetly using commonly allowed network protocols (HTTP, FTP, WebDAV, SMB).

The goal is to avoid triggering immediate alerts by transferring data directly outside the network. Attackers typically wait until the final phase of the attack to send the collected files to their own remote servers.

Compression and Transfer in .zip or .7z Before Exfiltration

Once the data is selected, Black Basta uses compression tools to bundle the files and obscure their contents. Formats such as .zip or .7z are frequently used because they allow:

  • File size reduction, speeding up the transfer process.
  • Password-protected encryption, making analysis by security solutions more difficult.
  • Evasion of signature-based detection, as compressed files are not immediately readable by some monitoring tools.

Attackers then use various protocols to exfiltrate the files:

  • FTP or SFTP, when transfer servers are available.
  • Public cloud services (such as Mega, Google Drive, or Dropbox) to mask exfiltration within legitimate traffic.
  • Encrypted tunnels via SOCKS proxies or Tor to evade firewalls and threat detection solutions.

Recommended Defensive Measures

  • Monitor Large-Scale File Transfers:
    • Implement detection mechanisms for unusual data movements between internal machines and external destinations.
    • Configure alerts for excessive bandwidth usage or connections to unusual online storage services.
  • Encrypt and Protect Sensitive Data:
    • Apply internal encryption to critical files to limit data exploitation even if exfiltrated.
    • Implement strict access controls on sensitive files and restrict permissions to authorized users only.
  • Control Compression and Transfer Tools:
    • Restrict the execution of tools such as 7-Zip, WinRAR, or PowerShell Compress-Archive on machines where they are not required.
    • Block or monitor connections to unauthorized cloud storage services.

By implementing these measures, organizations can detect data exfiltration attempts more quickly and minimize the impact of a breach.

7. Impact: Encryption and Business Disruption

The Black Basta attack reaches its peak with the activation of ransomware, a stage designed to render data and systems inaccessible to victims. This phase finalizes the attack, making service restoration difficult without a rapid and well-planned response.

Deployment of Large-Scale Encryption Files

Black Basta’s ransomware is engineered for rapid file encryption across the compromised environment. It operates by:

  • Encrypting files on workstations and servers, prioritizing extensions linked to sensitive documents, databases, and operational files.
  • Using strong encryption algorithms (such as AES and RSA), making file recovery nearly impossible without the decryption key held by the attackers.
  • Deleting local backups, particularly Shadow Copies in Windows, to prevent quick file restoration.

The encryption process is often executed via automated scripts, ensuring rapid propagation across the network before security teams can respond effectively.

Blocking Access to Critical Systems

Beyond encrypting data, Black Basta aims to disrupt the target organization’s operations by restricting access to essential infrastructure. Attackers achieve this by:

  • Disabling or modifying administrator accounts to prevent IT teams from taking immediate corrective action.
  • Shutting down critical services, such as databases, business applications, and virtualized environments, to halt operations.
  • Altering network configurations, such as disabling firewalls or blocking remote connections, making technical intervention difficult.

This approach is designed to maximize pressure on the victim and coerce ransom payment in exchange for a supposed system restoration.

Recommended Defensive Measures

  • Implement a Robust Backup Strategy:
    • Follow the 3-2-1 backup rule: three copies of data on two different storage types, with at least one offline or immutable backup.
    • Regularly test restoration procedures to ensure rapid recovery in case of an incident.
  • Deploy Advanced Detection and Response Solutions:
    • Implement an Endpoint Detection and Response (EDR) solution to monitor and block suspicious encryption-related activities.
    • Use a Security Information and Event Management (SIEM) system to analyze event logs and detect early attack indicators.
  • Prevent Unauthorized Modifications:
    • Restrict administrative privileges to only essential accounts.
    • Enable Shadow Copy protection and monitor any attempts to delete or modify these backups.

By integrating these measures, organizations can mitigate the impact of a ransomware attack and increase the chances of system recovery without relying on the attackers.

8. Stealth: How Does Black Basta Evade Detection?

To maximize the effectiveness of its attacks, Black Basta employs advanced stealth techniques to bypass security solutions and delay the detection of its malicious activities. These strategies allow the group to remain operational longer within a compromised environment and minimize the chances of being stopped before achieving their objectives.

Testing Antivirus Services to Adjust Payloads

Before deploying their malicious payloads, attackers ensure they will not be immediately detected by cybersecurity solutions. To achieve this, Black Basta:

  • Tests its files and executables on online antivirus analysis platforms to evaluate detection rates.
  • Modifies payloads by regularly altering code, applying obfuscation techniques, or using packers to conceal the file’s true nature.
  • Uses dynamic signatures, generating unique malware versions for each deployment, rendering static signature-based detections ineffective.

This approach helps them bypass traditional security defenses and increase the success rate of their attacks.

Frequent Changes in Domains and Infrastructure

To prevent their command and control (C2) servers from being blocked, Black Basta implements a rapid infrastructure rotation mechanism. This strategy involves:

  • Registering new domains at regular intervals, often with automatically generated names to avoid recognition by cybersecurity teams.
  • Using proxy services and anonymized networks, such as Tor or redirection services, to obscure the actual location of their servers.
  • Deploying temporary servers, which remain active only for a short period before being abandoned and replaced.

By continuously renewing its infrastructure, Black Basta makes it harder to block malicious communications and prevents effective neutralization of its attack network.

Recommended Defensive Measures

  • Implement Threat Intelligence:
    • Integrate Threat Intelligence Feeds to monitor Indicators of Compromise (IoCs) in real-time.
    • Analyze new threat behaviors to quickly adapt detection rules.
  • Proactive Blocking of Malicious Domains:
    • Deploy DNS filtering solutions to automatically block domains associated with known attack infrastructure.
    • Monitor suspicious outbound connections and block those attempting to access unauthorized or unknown destinations.
  • Enhance Behavioral Detection Strategies:
    • Supplement signature-based detection with EDR/XDR solutions capable of identifying suspicious behaviors, even when malware files are obfuscated.
    • Monitor abnormal variations in network traffic that could indicate communication with C2 servers.

By combining these measures, organizations can reduce the effectiveness of Black Basta’s evasion strategies and improve early detection of attacks.

9. Conclusion

A Persistent Threat, but Defensible

The analysis of Black Basta’s tactics and techniques highlights the growing sophistication of cybercriminal groups and their ability to adapt to the security measures implemented by businesses and institutions. By studying their internal communications, we can gain deeper insight into their modus operandi and anticipate their attacks.

However, combating these threats is a delicate balance. The automation of cybercrime, the rise of “Ransomware-as-a-Service” (RaaS), and the continuous improvement of intrusion methods require ever more responsive and adaptive defenses. Continuous monitoring, the adoption of advanced detection solutions, and a proactive cybersecurity approach are now essential to minimizing the impact of attacks.

The BlackBastaGPT tool, by analyzing exchanges between cybercriminals, provides researchers and analysts with an additional means to identify emerging trends and strengthen defense strategies. But the question remains: are these efforts enough to counter attackers who benefit from a well-structured and resilient ecosystem?

A Losing Battle?

The case of the cryptocurrency heist at Bybit, where $1.4 billion in Ethereum was stolen, illustrates the complexity of the challenge. Despite massive security investments and the use of cutting-edge technologies, the platform was targeted and compromised. This incident raises broader questions about the effectiveness of current protection strategies and organizations’ ability to withstand increasingly sophisticated attacks.

Cybersecurity: Future Challenges and Perspectives

The evolution of threats like Black Basta reveals a growing asymmetry between attackers and defenders. While cybercriminals leverage automation, Ransomware-as-a-Service (RaaS), and structured underground economies, companies struggle to block every intrusion attempt. Given this reality, should the focus be on prevention, or should organizations invest more in resilience and rapid incident response?

Cybercrime thrives on anonymous cryptocurrency payments and a lack of international cooperation, making sanctions ineffective. The concept of a “Cyber NATO” could strengthen global coordination but raises governance and surveillance concerns. Similarly, banning ransom payments might deter attacks but could endanger businesses unable to recover their data.

Cybersecurity must evolve beyond mere protection: can we truly reverse the current trend, or must we adapt to a world where cyberattacks have become a permanent threat?

🎭 The Unusual Anecdotes of Black Basta

🏴‍☠️ The ESXi Server That Accepts Any Password

In one discussion, a member mentioned discovering an ESXi server so poorly secured that it accepted any password. They joked about it by testing passwords like “hahaha” and “mommy1”, before confirming they could access it without any restrictions.

💻 The Hacker Struggling with Jenkins

At one point, an attacker expressed frustration with Jenkins, complaining that it was too complex to exploit and suggesting they should “find another way.” Even cybercriminals have bad days!

📞 Fake IT Calls to Deceive Companies

One discussion explored the idea of calling companies while pretending to be IT support to gain access. They even considered setting up a dedicated call center for these scams.

🔄 The Struggles of Downloading Stolen Files

Multiple Black Basta members complained about issues downloading stolen files due to restrictions or limitations within their own infrastructure. Ironically, even hackers deal with network problems.

🤯 When a Black Basta Member Loses It

A message revealed a visibly frustrated member exclaiming “все нах”, which roughly translates to “I’ve had enough, this is nonsense”. A classic case of cybercriminal burnout.

💸 The Ransom Payment That Wouldn’t Go Through

One member complained about being unable to collect a ransom due to a “User claim error” on their admin panel. It’s hard to extort payments when your own system refuses to cooperate!

📁 The File That Won’t Decrypt

A hacker tried to decrypt a file but encountered an unusual error: “There is no magic at the end of the file.” A colleague suggested they might have used the wrong format… or missed something important.

🏴‍☠️ The Attack That Backfired

During a discussion about a compromised Citrix server, a hacker realized they had been hacked themselves due to a security oversight. They laughed it off, but it proved that even cybercriminals are not immune to cyberattacks.

🤦 The Hacker’s Frustration with Windows

One member complained that their exploit wasn’t working on Windows, resulting in a “flood of errors.” Another sarcastically replied: “That’s normal, it’s Windows—it never works as expected.”

These anecdotes show that despite their dangerous activities, the members of Black Basta are not immune to technical frustrations and unexpected setbacks.

Resources & References

These resources provide in-depth information to enhance your understanding of current threats and advanced security solutions.

Jean-Jerome Levy

Written by

Jean-Jerome Levy

DevOps Consultant

Seasoned professional in the field of information technology, I bring over 20 years of experience from working within major corporate IT departments. My diverse expertise has played a pivotal role in a myriad of projects, marked by the implementation of innovative DevOps practices.

Available for innovative DevOps projects!