BlackBasta
Black Basta is a financially motivated ransomware group that launched in February 2022 and is described in the content as a successor to the Conti ransomware gang, with reporting and assessments linking its leadership and ecosystem to former Conti operators. It was one of the most active ransomware groups after its emergence and operated as a closed ransomware-as-a-service model. The group used double-extortion tactics, encrypting victim data and operating a dark web leak site to publish stolen data and pressure victims. Reporting in the content also notes Black Basta encrypted data and defaced victim systems to maximize impact. The content links Black Basta to Qakbot-enabled intrusion activity and notes a strong correlation between Qakbot campaigns and the Black Basta ecosystem. It also associates Black Basta tradecraft with spam bombing, Microsoft Teams phishing/social engineering, impersonation of IT support, and abuse of Quick Assist for remote access. Additional tooling and infrastructure tied to Black Basta in the content include use of GhostSocks as a proxy tool and reliance on Media Land, also known by its underground name Yalishanda, for infrastructure and support. The leaked internal chats exposed negotiation transcripts, internal operational discussions, and communications between operators and victims. Black Basta is described as having dissolved or collapsed in February 2025 after its internal chat logs were leaked publicly online. Multiple reports in the content state that former Black Basta affiliates or initial access brokers continued operations after the group’s collapse, including activity linked to Cactus and Payouts King, with some later campaigns assessed as evolutions of Black Basta tactics, techniques, and procedures. Known alias in the provided content: blackbasta.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Defunct ransomware group whose former affiliates are described as continuing operations under other banners, including alignment with Payouts King. The content notes similar attack patterns and social engineering playbooks between BlackBasta and Payouts King campaigns.
Ransomware group whose TTPs are described as continuing in related campaigns using Teams/Quick Assist social engineering and the A0Backdoor payload, despite the group's reported dissolution.
Referenced as the prior affiliate ecosystem linked to GOLD ENCOUNTER operators.
Former members associated with BlackBasta, specifically initial access brokers, are described as conducting new attacks involving large-scale data theft and selective deployment of Payouts King ransomware.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.