What is Black Basta ?

Black Basta is a cybercrime cartel that operates in a Ransomware-as-a-Service (RaaS) model. Black Basta first emerged in April 2022, possibly as an offshoot of the now-defunct Conti ransomware gang, targeting a wide range of sectors, including healthcare, finance, manufacturing, and critical infrastructure. By late 2023, Black Basta had become one of the most prolific ransomware groups worldwide, with estimates suggesting over $100 million extorted from its victims. Despite setbacks like the Qakbot takedown in August 2023 (Black Basta had relied heavily on Qakbot for initial access), the group adapted by leveraging alternative entry points, maintaining a steady stream of high-profile attacks into 2024.

Its list of more than 500 victims spans organizations of all sizes, from small and medium-sized businesses to large multinational corporations such as Hyundai Europe, Capita, and the American Dental Association. In May 2024, the group was responsible for the devastating attack on Ascension Health, one of the largest healthcare networks in the USA, resulting in significant disruptions of clinical operations and patient care.

With its RaaS operating model, Black Basta comprises a core team responsible for maintaining the ransomware infrastructure and developing new tools, alongside a network of affiliates who execute the attacks and usually receive 70-80% of the ransom payments. However, in contrast to other RaaS groups, Black Basta appears to operate in a somewhat hierarchical structure, with roles divided among core developers, negotiators, and infrastructure managers.

Black Basta employs a double extortion strategy, in which the victim’s systems are not only encrypted but its data is also stolen, with the threat of sale if a ransom is not paid. In some cases, the group has even added a triple extortion layer, threatening DDoS attacks if the ransom goes unpaid. Originally Qakbot-dependent, the group developed a toolkit of initial access methods, including phishing emails, malicious attachments, and compromised credentials. However, as noted by CISA and the FBI, over the past year the group has increasingly focused on vulnerability exploitation, following a common trend among major ransomware groups.

Black Basta has consistently exploited a range of critical vulnerabilities to gain initial access and escalate privileges within targeted networks. Their exploitation strategy focuses on both recently disclosed and older, unpatched flaws, targeting widely used platforms to maximize impact. A notable example includes their use of a notorious vulnerability in ConnectWise ScreenConnect (CVE-2024-1709), which allowed them to compromise Managed Service Providers (MSPs) and access multiple client networks through a single breach. The group has also leveraged privilege escalation flaws in Microsoft Windows (CVE-2024-26169) and exploited older vulnerabilities like PrintNightmare and NoPac (CVE-2021-42278 and CVE-2021-42287) to move laterally within compromised environments. 

Black Basta’s leaked internal chats 

On February 11, 2025, over 200,000 internal Black Basta chat messages were leaked online, exposing some of the group’s internal workings from September 2023 to September 2024. The leaker, whose identity remains unknown, reportedly released the logs as retaliation for Black Basta targeting Russian banks. 

The leaked messages revealed profound internal conflicts, particularly involving a key figure known as "Tramp". Disputes over profit-sharing, operational mismanagement, and unethical practices, such as scamming victims by accepting ransom payments without providing valid decryptors, were laid bare. The leak also revealed a mass exodus of affiliates, significantly weakening the group's structure.

Within the chats, Black Basta members discussed numerous potential targets, including three Fortune 500 companies: T-Mobile, Bank of America, and the NFL. The group also extensively discussed the successful attack on Ascension, with some members claiming that its severe consequences, such as diverted ambulances and canceled surgeries, were unintended.

What can be learned about vulnerability exploitation? 

The leak of 200,000 internal messages revealed references to 27 CVEs (see Appendix A), with seven confirmed as successfully exploited (see Appendix B), including an RCE flaw in Zimbra (CVE-2022-27925), the widely exploited PAN-OS vulnerability (CVE-2024-3400), and a Linux Local Privilege Escalation flaw (CVE-2024-1086). Beyond these, Black Basta also actively monitored high-profile vulnerabilities like Log4Shell, Follina, and Spring4Shell.

According to the chats, it seems that the group explored zero-day development but, in most cases, these efforts were abandoned: an iOS Passcode Bypass flaw was deprioritized due to limited exploitability, an RCE Outlook zero-day was shelved because of testing challenges, and a Juniper SRX Firewall RCE was dropped after difficulties with post-exploitation creation of SSH users.

On the other hand, the leak highlights Black Basta’s agility in weaponizing one-day vulnerabilities. For example, the group began discussing the Zimbra flaw seven months after its disclosure, but then modified a public PoC and started in-the-wild exploitation within only two days. In the case of the PAN-OS vulnerability, it developed and validated its own exploit within four days of its public disclosure.

The leaked chats revealed internal disagreements among Black Basta members about exploitation strategies. Debates surfaced over whether to rely on public exploits or invest in private development, with some members expressing hesitance about using public code. There were also disputes about the amount of resources to allocate to customizing public Python exploits.

The messages also provide deep insight into the group’s methods. For CVE-2024-3400, an affiliate provided a Python exploit script that was either developed in-house or obtained as a working PoC. The exploit was tested and confirmed functional, while public GitHub PoCs were dismissed as fake or ineffective. Black Basta even commercialized the exploit, offering it for sale at $15,000. The group then used Shodan to identify vulnerable instances, finding 43,000 potential targets, and integrated the exploit into Core Impact, a penetration testing framework, to streamline execution, focusing particularly on GlobalProtect VPN infrastructures. Members suggested that successful exploitation could grant root access to the target firewall, enabling deeper network infiltration. In the end, the exploit allowed arbitrary file creation, consistent with public reports on the vulnerability.

The leak also exposed several failed attempts to develop exploits. The group encountered issues with SSH connection timeouts, a Python-based reverse shell exploit was detected and blocked by security tools, and Core Impact deployments faced challenges due to misconfigured targets. An exploit targeting win32kbase.sys was particularly problematic, as failed attempts required a system reboot before retrying, limiting its usability.

Vigilance and protection against the ongoing threat

Although Black Basta appears to be in decline, the group remains active and continues to pose a significant threat to organizations globally. Cybersecurity leaders should consider transforming their traditional vulnerability management strategies so that they can more readily identify the threats that actually matter most to their organization.

Traditional VM emphasizes CVSS, a generic measure of risk that cannot account for the unique IT context of a specific organization. By adding IT context, organizations obtain a far more accurate assessment of their risk. In turn, resource-constrained (read: “all”) security teams can better prioritize their backlog and target what are actually their most pressing vulnerabilities.

As if to punctuate this point, Ghost, another ransomware actor that is the subject of recent FBI guidance, exploited a vulnerability dating back to 2009; how many organizations failed to patch it solely because its CVSS score was a relatively middling 6.5?
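The following is an added illustration of the argument above, written for this post and not Zafran's product logic: a small scoring routine that ranks the same findings once by CVSS alone and once with asset context (in-the-wild exploitation by a tracked group, internet exposure, EDR coverage) folded in. The weights, CVSS values, asset names and coverage flags are constructed for the example; the CVE identifiers are ones this post discusses, except the 2009 vulnerability attributed to Ghost, which the post does not name and which therefore appears as a placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # base score 0-10, as a scanner would report it
    asset: str
    internet_exposed: bool    # reachable from outside the perimeter
    edr_covered: bool         # an EDR agent is present and reporting on the asset
    exploited_by: tuple = ()  # threat groups known to exploit this CVE in the wild


# Illustrative weights, chosen for this example only (assumption); a real program
# would tune them against its own telemetry and incident history.
W_CVSS = 0.5        # CVSS still counts, but no longer dominates
W_EXPLOITED = 4.0   # active in-the-wild exploitation by a tracked group
W_EXPOSED = 2.5     # the asset is reachable from the internet
W_NO_EDR = 1.5      # no EDR means no compensating detection on the host


def context_score(f: Finding) -> float:
    """Combine CVSS with asset context into a single priority score."""
    score = W_CVSS * f.cvss
    if f.exploited_by:
        score += W_EXPLOITED
    if f.internet_exposed:
        score += W_EXPOSED
    if not f.edr_covered:
        score += W_NO_EDR
    return round(score, 2)


def cvss_order(findings):
    """The traditional backlog: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: (-f.cvss, f.cve))]


def context_order(findings):
    """The context-aware backlog: highest context score first, CVSS as tie-breaker."""
    return [f.cve for f in sorted(findings, key=lambda f: (-context_score(f), -f.cvss, f.cve))]


# Constructed sample findings (not real scan data). "CVE-PLACEHOLDER-2009" stands
# in for the unnamed 2009 vulnerability the post attributes to Ghost.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-3400", 10.0, "fw-edge-01", True, False, ("Black Basta",)),
    Finding("CVE-2023-35628", 8.1, "ws-finance-12", False, True, ()),
    Finding("CVE-2024-1086", 7.8, "build-srv-07", False, False, ("Black Basta",)),
    Finding("CVE-PLACEHOLDER-2009", 6.5, "web-legacy-03", True, False, ("Ghost",)),
]

if __name__ == "__main__":
    print("CVSS-only order:    ", cvss_order(SAMPLE_FINDINGS))
    print("Context-aware order:", context_order(SAMPLE_FINDINGS))
```

With CVSS alone, the internal, EDR-covered workstation finding (8.1) outranks both the actively exploited kernel LPE on an unmonitored build server and the exposed, exploited 6.5 on the legacy web host; once context is added, the middling-CVSS but exploited and exposed finding moves to second place and the covered workstation drops to last.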

Guidance for Zafran Customers

Zafran customers can regularly assess and mitigate exposure to Black Basta as follows:

  1. In the Zafran management console, navigate to the Vulnerabilities page.
  2. Filter on Black Basta:
     a. Click “+ Add Filter” > In-The-Wild Threat > Associated Threat Groups.
     b. Scroll to select “Black Basta” and click Close.
  3. Follow the prescribed mitigation actions for the prioritized list.

Alternatively, Zafran users can create a dedicated exposure tracker, such as monitoring assets that lack EDR coverage and are vulnerable to Black Basta exploits. This will help measure proactive improvement efforts against this threat group over time.

Additionally, through our analysis of Black Basta’s leaked data, we have been able to identify a list of 11 IP addresses associated with the group’s operations (see Appendix C). While some of these IPs may have since been replaced, it is advisable to implement firewall rules to block access from any of the identified addresses, enhancing your network’s security posture.

Conclusion

Black Basta’s future has yet to be written, though it is certain that even if the group falters, another threat group will rise to take its place. The threat landscape changes quickly. The need to transform vulnerability management processes and technology is more urgent now than ever if defenders are to keep pace with financially motivated, persistent, and increasingly sophisticated threat actors.

If you would like to learn how Zafran Security helps its customers identify their most pressing threats, and operationalize risk mitigation strategies for near-term relief that does not depend solely upon patching, please contact us. Or simply click Get a Demo.

Appendix A - Black Basta discussed CVEs

  1. CVE-2022-30190 - Follina
  2. CVE-2021-44228 - Log4Shell
  3. CVE-2022-22965 - Spring4Shell
  4. CVE-2022-1388 - F5 BIG-IP RCE
  5. CVE-2022-0609 - Google Chrome Zero-Day
  6. CVE-2017-11882 - Microsoft Office Equation Editor RCE
  7. CVE-2022-41082 - ProxyNotShell
  8. CVE-2022-41040 - ProxyNotShell
  9. CVE-2022-27925 - Zimbra Collaboration Suite RCE
  10. CVE-2022-41352 - Zimbra Collaboration Suite Arbitrary File Upload
  11. CVE-2022-26134 - Atlassian Confluence RCE
  12. CVE-2022-30525 - Zyxel Firewall RCE
  13. CVE-2024-21762 - Fortinet FortiOS RCE
  14. CVE-2024-3400 - Palo Alto Networks GlobalProtect RCE
  15. CVE-2024-1709 - ConnectWise ScreenConnect Authentication Bypass
  16. CVE-2024-21413 - Microsoft Outlook RCE
  17. CVE-2024-1086 - Linux Kernel LPE
  18. CVE-2024-26169 - Windows Local Privilege Escalation
  19. CVE-2024-23897 - Jenkins Arbitrary File Read
  20. CVE-2023-20198 - Cisco IOS XE Web UI Command Injection
  21. CVE-2023-22515 - Atlassian Confluence Privilege Escalation
  22. CVE-2023-42793 - JetBrains TeamCity RCE
  23. CVE-2023-6875 - GLPI Arbitrary File Upload
  24. CVE-2023-35628 - Microsoft Outlook Zero-Click RCE
  25. CVE-2022-37042 - Zimbra Authentication Bypass
  26. CVE-2024-23108 - FortiSIEM Command Injection
  27. CVE-2024-23109 - FortiSIEM Critical OS Command Injection

Appendix B - Black Basta’s confirmed exploitations

  1. CVE-2022-27925 - Zimbra Collaboration Suite RCE
  2. CVE-2024-3400 - Palo Alto PAN-OS GlobalProtect RCE
  3. CVE-2024-1086 - Linux Kernel Local Privilege Escalation
  4. CVE-2024-26169 - Windows Local Privilege Escalation
  5. CVE-2024-21762 - FortiGate SSL VPN RCE
  6. SonicPanel PreAuth RCE
  7. D-Link NAS Exploit

Appendix C - IOCs extracted from Black Basta’s internal messages

  1. 13.57.243[.]97 – Used for multiple services such as Shell, Socks, and FTP connections.
  2. 80.190.144[.]76 – Associated with Germany (DE).
  3. 58.171.144[.]24 – Mentioned in connection with ESXi access.
  4. 5.8.18[.]20 – Used for SOCKS proxy connections (ports 3026, 3027, and 3037).
  5. 173.165.28[.]121 – Referenced with port 4433 for scanner service.
  6. 66.170.47[.]42 – Mentioned with port 10443 for user access.
  7. 210.105.97[.]135 – Referenced for policy management.
  8. 210.105.97[.]182 – Another IP for policy management.
  9. 79.141.1[.]193 – Used for SSL VPN logins.
  10. 79.141.8[.]42 – Another SSL VPN endpoint.
  11. 188.39.50[.]90 – Associated with AnyConnect VPN access.
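As an added example (written for this post, not tooling from Zafran or from the leak analysis), the script below turns the defanged Appendix C list above into a usable block and detection list: it refangs and validates each address, scans log lines for any occurrence, and renders inbound and outbound iptables DROP rules as the Guidance section recommends. The log lines are constructed samples in a generic firewall/sshd style, not real telemetry; the `iptables` invocation uses only the standard `-A`, `-s`, `-d` and `-j DROP` options.

```python
import ipaddress
import re

# The eleven defanged addresses from Appendix C of this post, copied verbatim.
DEFANGED_IOCS = [
    "13.57.243[.]97", "80.190.144[.]76", "58.171.144[.]24", "5.8.18[.]20",
    "173.165.28[.]121", "66.170.47[.]42", "210.105.97[.]135", "210.105.97[.]182",
    "79.141.1[.]193", "79.141.8[.]42", "188.39.50[.]90",
]


def refang(ioc: str) -> str:
    """Convert a defanged literal such as 1.2.3[.]4 into 1.2.3.4 and validate it.

    ipaddress.ip_address raises ValueError on anything that is not a real address,
    so a typo in the list fails loudly instead of silently never matching.
    """
    plain = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.ip_address(plain))


IOC_SET = frozenset(refang(i) for i in DEFANGED_IOCS)

# Candidate IPv4 literals; each is validated afterwards because the regex alone
# also accepts impossible values such as 999.1.1.1.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ips(line: str):
    """Yield every valid IPv4 address literal found in a log line."""
    for cand in IPV4_RE.findall(line):
        try:
            yield str(ipaddress.ip_address(cand))
        except ValueError:
            continue


def scan_logs(lines):
    """Return (line_number, matched_ip, line) for every line that touches a listed IOC."""
    hits = []
    for num, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in IOC_SET:
                hits.append((num, ip, line.strip()))
    return hits


def iptables_block_rules(iocs=IOC_SET):
    """Render one inbound and one outbound DROP rule per IOC in iptables syntax.

    Outbound rules matter as well: several Appendix C addresses are described as
    SOCKS, FTP and shell endpoints, i.e. connections initiated from inside the network.
    """
    rules = []
    for ip in sorted(iocs, key=ipaddress.ip_address):
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
    return rules


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-02-12T09:14:03Z fw01 sslvpn login user=jdoe src=79.141.1.193 result=success",
    "2025-02-12T09:15:41Z fw01 allow proto=tcp src=10.20.30.40 dst=13.57.243.97 dport=21",
    "2025-02-12T09:16:02Z fw01 allow proto=tcp src=10.20.30.41 dst=203.0.113.5 dport=443",
    "2025-02-12T09:17:55Z esx01 sshd: Accepted password for root from 58.171.144.24 port 51022",
]

if __name__ == "__main__":
    for num, ip, line in scan_logs(SAMPLE_LOGS):
        print(f"line {num}: IOC {ip} -> {line}")
    print("\n".join(iptables_block_rules()))
```

Run against the samples, the scan flags the SSL VPN login, the outbound FTP connection and the ESXi SSH login, and leaves the ordinary HTTPS line alone; feeding the rule list to a host's firewall script blocks both directions for all eleven addresses. Because the post notes that some of these IPs may since have been replaced, the scan (which finds historical contact) is the more durable of the two uses.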