December 9, 2023

Black Basta ransomware has been linked to the notorious Russian cybercrime group known as FIN7.

Analysis of the operation indicated that the threat actor is developing its toolkit in-house and might be collaborating with a small number of affiliates.


Investigation of Black Basta has also highlighted the use of multiple tools created by one or more FIN7 developers, suggesting a tight connection with the cybercrime group.

Black Basta's recent campaign involved spam emails containing macro-enabled Office documents designed to drop Qakbot for persistence.

Using backdoors, the attackers perform system reconnaissance with several manually executed tools, including the SharpHound and BloodHound frameworks, which allow for Active Directory enumeration via LDAP queries, and the SoftPerfect network scanner.

Then the operators attempt to exploit multiple known vulnerabilities to elevate their privileges, including NoPac, PrintNightmare and ZeroLogon.


Researchers observed the use of various RATs and a reliance on batch scripts for lateral movement. When executed, these scripts allow the operators to cripple or completely disable security solutions; the tooling includes a custom defense impairment tool that was used exclusively in some Black Basta attacks.

Researchers link Black Basta to FIN7 based on multiple code artifacts in different tools used in ransomware attacks, the use of a custom packer, the use of FIN7-attributed PowerShell scripts, and infrastructure overlaps.

This research was documented by researchers from SentinelOne.
