BLACKBASTA

RANSOMWARE

BLACKBASTA primarily targets organizations within the technology sector and critical infrastructure, leveraging vulnerabilities in widely used products such as ConnectWise ScreenConnect and VMware ESXi to gain initial footholds. The group's typical attack vector involves spear-phishing emails containing malicious attachments, which they use to deploy tools like Cobalt Strike for lateral movement and privilege escalation. Once inside a network, BLACKBASTA employs double extortion tactics by exfiltrating sensitive data before encrypting it with custom ransomware, often leaving behind backdoors for future access. This group stands out due to its sophisticated use of legitimate administrative tools and its ability to manipulate domain policies effectively.

BLACKBASTA's technical footprint is characterized by a preference for exploiting critical vulnerabilities in server-side components like Windows Active Directory and remote management services. Their exploitation of CVE-2024-1709, which scores a CVSS 10.0, highlights their focus on high-severity vulnerabilities that can lead to full system control. The group's use of Mimikatz for credential harvesting and Metasploit for exploiting service execution demonstrates a high level of technical sophistication. Defenders should prioritize patch management, especially for critical CVEs like those affecting Windows NetLogon and Print Spooler services, as well as implementing robust phishing awareness training to mitigate the risk of initial compromise through spear-phishing attacks.

CISA Intelligence #StopRansomware

#StopRansomware: Black Basta · 2024-11-08

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Confirmed CVEs (7)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2024-1709 CRITICAL ConnectWise ScreenConnect 10.0 CVE-2024-26169 HIGH Microsoft Windows 10 Version 1809 7.8 CVE-2021-1675 HIGH Microsoft Windows 10 Version 1809 7.8 CVE-2022-30190 HIGH Microsoft Windows 10 Version 1809 7.8 CVE-2021-42278 HIGH Microsoft Windows Server 2019 7.5 CVE-2024-37085 HIGH VMware ESXi 7.2 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 5.5

Predicted CVEs (93) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2020-0796 CRITICAL Microsoft Windows 10 Version 1903 for 32-bit Systems predicted 10.0 CVE-2020-1350 CRITICAL Microsoft Windows Server predicted 10.0 CVE-2020-0796 CRITICAL Microsoft Windows 10 Version 1903 for 32-bit Systems predicted 10.0 CVE-2024-1709 CRITICAL ConnectWise ScreenConnect predicted 10.0 CVE-2024-49035 CRITICAL Microsoft Partner Center predicted 9.8 CVE-2026-41089 CRITICAL Microsoft Windows Server 2012 predicted 9.8 CVE-2020-0646 CRITICAL Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 predicted 9.8 CVE-2024-21413 CRITICAL Microsoft Office 2019 predicted 9.8 CVE-2024-43468 CRITICAL Microsoft Configuration Manager predicted 9.8 CVE-2021-38647 CRITICAL Microsoft Open Management Infrastructure predicted 9.8 CVE-2024-21410 CRITICAL Microsoft Exchange Server 2016 Cumulative Update 23 predicted 9.8 CVE-2023-23397 CRITICAL Microsoft Office LTSC 2021 predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2021-31166 CRITICAL Microsoft Windows 10 Version 2004 predicted 9.8 CVE-2025-59287 CRITICAL Microsoft Windows Server 2012 predicted 9.8 CVE-2020-3992 CRITICAL VMware ESXi predicted 9.8 CVE-2023-29357 CRITICAL Microsoft SharePoint Server 2019 predicted 9.8 CVE-2025-24989 CRITICAL Microsoft Power Pages predicted 9.8 CVE-2021-38647 CRITICAL Microsoft Open Management Infrastructure predicted 9.8 CVE-2026-20963 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2023-29357 CRITICAL Microsoft SharePoint Server 2019 predicted 9.8 CVE-2021-34473 CRITICAL Microsoft Exchange Server 2013 Cumulative Update 23 predicted 9.1 CVE-2021-26855 CRITICAL Microsoft Exchange Server 2016 Cumulative Update 19 predicted 9.1 CVE-2020-1040 CRITICAL Microsoft Windows Server predicted 9.0 CVE-2020-0688 HIGH Microsoft Exchange Server 2013 predicted 8.8 CVE-2021-42321 HIGH Microsoft Exchange Server 2016 Cumulative Update 21 predicted 8.8 CVE-2021-27085 HIGH Microsoft Internet Explorer 11 predicted 8.8 CVE-2022-26923 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2022-41080 HIGH Microsoft Exchange Server 2016 Cumulative Update 23 predicted 8.8 CVE-2022-41128 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2023-32049 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2023-21529 HIGH Microsoft Exchange Server 2019 Cumulative Update 12 predicted 8.8 CVE-2023-35311 HIGH Microsoft 365 Apps for Enterprise predicted 8.8 CVE-2023-36025 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2024-38189 HIGH Microsoft Office 2019 predicted 8.8 CVE-2024-29988 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2024-43461 HIGH Microsoft Windows 11 Version 24H2 predicted 8.8 CVE-2024-30040 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2025-33053 HIGH Microsoft Windows 10 Version 1507 predicted 8.8 CVE-2025-33073 HIGH Microsoft Windows 10 Version 1507 predicted 8.8 CVE-2026-21513 HIGH Microsoft Windows 10 Version 1607 predicted 8.8 CVE-2026-21510 HIGH Microsoft Windows 10 Version 1607 predicted 8.8 CVE-2020-1020 HIGH Microsoft Windows predicted 8.8 CVE-2020-0618 HIGH Microsoft SQL Server predicted 8.8 CVE-2021-42321 HIGH Microsoft Exchange Server 2016 Cumulative Update 21 predicted 8.8 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2022-41040 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.8 CVE-2022-41080 HIGH Microsoft Exchange Server 2016 Cumulative Update 23 predicted 8.8 CVE-2021-34527 HIGH Microsoft Windows 10 Version 1809 predicted 8.8 CVE-2023-21529 HIGH Microsoft Exchange Server 2019 Cumulative Update 12 predicted 8.8 CVE-2026-45659 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2024-1708 HIGH ConnectWise ScreenConnect predicted 8.4 CVE-2020-17144 HIGH Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31 predicted 8.4 CVE-2024-21412 HIGH Microsoft Windows 11 version 21H2 predicted 8.1 CVE-2020-0601 HIGH Microsoft Windows predicted 8.1 CVE-2024-21412 HIGH Microsoft Windows 11 version 21H2 predicted 8.1 CVE-2024-43573 HIGH Microsoft Windows 10 Version 22H2 predicted 8.1 CVE-2022-41082 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.0 CVE-2022-41082 HIGH Microsoft Exchange Server 2013 Cumulative Update 23 predicted 8.0 CVE-2024-26169 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2023-28252 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2021-1675 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2022-30190 HIGH Microsoft Windows 10 Version 1809 predicted 7.8 CVE-2020-0787 HIGH Microsoft Windows predicted 7.8 CVE-2021-27059 HIGH Microsoft Office 2016 predicted 7.6 CVE-2024-21351 HIGH Microsoft Windows 11 Version 23H2 predicted 7.6 CVE-2025-30397 HIGH Microsoft Windows 10 Version 1507 predicted 7.5 CVE-2024-38112 HIGH Microsoft Windows 10 Version 22H2 predicted 7.5 CVE-2023-36884 HIGH Microsoft Windows 10 Version 1809 predicted 7.5 CVE-2020-0968 HIGH Microsoft Internet Explorer 9 predicted 7.5 CVE-2023-36884 HIGH Microsoft Windows 10 Version 1809 predicted 7.5 CVE-2021-33742 HIGH Microsoft Windows 10 Version 1809 predicted 7.5 CVE-2024-29059 HIGH Microsoft .NET Framework 4.8 predicted 7.5 CVE-2021-42278 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-36942 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-36942 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2023-38180 HIGH Microsoft ASP.NET Core 2.1 predicted 7.5 CVE-2021-42287 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-42287 HIGH Microsoft Windows Server 2019 predicted 7.5 CVE-2021-33766 HIGH Microsoft Exchange Server 2019 Cumulative Update 9 predicted 7.3 CVE-2024-38094 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2023-24955 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2024-38094 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2023-24955 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2024-37085 HIGH VMware ESXi predicted 7.2 CVE-2021-31196 HIGH Microsoft Exchange Server 2019 Cumulative Update 9 predicted 7.2 CVE-2021-43890 HIGH Microsoft App Installer predicted 7.1 CVE-2021-43890 HIGH Microsoft App Installer predicted 7.1 CVE-2021-34448 MEDIUM Microsoft Windows 10 Version 1809 predicted 6.8 CVE-2021-31207 MEDIUM Microsoft Exchange Server 2013 Cumulative Update 23 predicted 6.6 CVE-2024-38213 MEDIUM Microsoft Windows 10 Version 1809 predicted 6.5

ATT&CK Techniques (9)

T1566.001 Phishing: Spear phishing Attachment Initial Access T1047 Windows Management Instrumentation Execution T1059.001 Command and Scripting Interpreter: PowerShell Execution T1569.002 System Services: Service Execution Execution T1098 Account Manipulation Persistence T1136 Create Account Persistence T1484.001 Domain Policy Modification: Group Policy Modification Privilege Escalation T1543.003 Create or Modify System Process: Windows Service Privilege Escalation T1574.001 Hijack Execution Flow: DLL Search Order Hijacking Privilege Escalation