Call 24/7: +1 (800) 972-3282

Black Basta Ransomware Removal & Security Guide

Heloise Montini

Heloise Montini

Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.

Socials:

Laura Pompeu

Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Socials:

Bogdan Glushko

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.

Socials:

Black Basta Ransomware: How to Prevent & Recover
Heloise Montini

Heloise Montini

Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.

Socials:

Laura Pompeu

Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Socials:

Bogdan Glushko

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.

Socials:

I think there's an issue with my storage device, but I'm not sure Start a free evaluation →

I need help getting my data back right now Call now (800) 972-3282

First seen in April 2022, Black Basta ransomware is a Ransomware as a Service (RaaS) whose hacker group uses double-extortion tactics. The attackers target their victims rather than use the “spray-and-pray” tactics. Despite their attack techniques, the Black Basta group was responsible for 101 attacks during the second semester of 2022.

The Black Basta group is a Russian-speaking hacker group, counting more than 500 victims until May 2024, with US-based businesses being their main target. With the double-extortion tactic, the cybercriminals not only encrypt the data but also steal it and threaten to leak it on a dark web website. In May 2024, the group started focusing and accelerated its attacks on healthcare organizations.

What kind of malware is Black Basta?

Black Basta is a Ransomware as a Service (RaaS) that steals data, deletes Shadow Copies backup, and encrypts the files. Then they leave a ransom note demanding payment in exchange for the decryptor and not to leak the data.

The Black Bast ransomware uses common tools such as Qakbot, SystemBC, Mimikatz, CobaltStrike, and Rclone. It is written in C++ and can affect both Windows and Linux systems.

Black Basta ransomware overviews

Confirmed Name

  • Black Basta virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker

Encrypted Files Extension

  • .basta

Ransom Demanding Message

  • Readme.txt

Is There a Free Decryptor Available?

  • No, there’s no public decryption key for Black Basta ransomware

Detection Names

  • Avast Win32:Malware-gen
  • Emsisoft Generic.Ransom.Basta.A.88A395AA (B)
  • Kaspersky HEUR:Trojan-Ransom.Win32.Generic
  • Malwarebytes Ransom.FileCryptor
  • Microsoft Ransom:Win32/Basta.C
  • Sophos Mal/Generic-S

Symptoms

  • Cannot open files stored on your computer
  • New file extensions
  • A ransom demand message on your desktop
  • It changes the desktop wallpaper to an alert of the encryption

Ransomware family and type

  • Black Basta is a ransomware family
  • RaaS type

Distribution methods

  • Infected email attachments (phishing emails)
  • Torrent websites (infected links or files)
  • Malicious ads (malvertising)

Consequences

  • Locked files
  • Stolen passwords
  • Data breach
  • Additional malware installed

Prevention

  • Antivirus and anti-malware
  • Updated software
  • Updated operating system (OS)
  • Firewalls
  • Don’t open an email attachment from an unknown source
  • Do not download files from suspicious websites
  • Don’t click on ads unless you’re sure it’s safe
  • Only access websites from trustworthy sources

How did Black Basta infect your computer

The primary Black Basta infection is via phishing emails. The attackers pose as legit email campaigns and convince users to click their links or download the attachments.

example of phishing email

Spam email campaigns are emails in which hackers use social engineering to deceive victims into clicking malicious links or attachments. After that, the exploit kit is downloaded into the machine, and the threat actors can trigger ransomware at any time. These emails can be targeted when hackers intend to access a specific business or can be non-targeted phishing when they send a mass malware spam campaign.

Black Basta encryption and ransom note

After stealing and encrypting your data, Black Basta adds a ransom note as a text file and changes your wallpaper to an alert about the encryption.

Black Basta Wallpaper and ransom note examples

The ransom note is simple and gives the details for communications.

Your data are stolen and encrypted

The data will be published on TOR website if you do not pay the ransom

You can contact us and decrypt one file for free on this TOR site

(you should download and install TOR browser first hxxps://torproject.org)

hxxps://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion/

How does Black Basta work

Black Bast has 8 phases during the encryption process.

1. Initial Access

The first phase is when the attackers find their way into your network. It’s likely to be through a phishing email.

2. Execution

After that, Black Basta uses PowerShell scripts to discover information about the network and to download additional scripts.

3. Defense evasion

In this phase, the ransomware deactivates the antimalware and other security software and tools.

4. Privilege Escalation

Black Basta exploits vulnerabilities to have privileged access and perform tasks and operations. Also, it delivers the Cobalt Strike beacon or other payloads.

5. Credential Access

Black Basta uses Mimikatz to dump credentials.

6. Lateral movement

The next phase is to access other devices connected to the network through the Remote Desktop Protocol (RDP).

7. Exfiltration

During this step, the attackers extract the data for the double-extortion tactic. It uses Rclone to exfiltrate data from compromised systems.

8. Impact

The final phase is to encrypt the data and change the desktop wallpaper.

Prevent the Black Basta ransomware attack

We already mentioned several ways you can prevent Black Basta ransomware attacks. Here is a complete list of what to do to keep your data and business safe.

1. Use a cybersecurity solution

You can either have an IT team to guarantee your business security or hire a cybersecurity service.

Either way, you must look for vulnerabilities in the network, such as back doors, exploit kits, and software.

2. Use strong passwords and apply multi-factor authentication

Always use strong and unique passwords for each account and only share them with necessary people. For example, if employees don’t require a website account or software for their work, they don’t need access. This can guarantee that only authorized personnel will access each company account.

You can use two-factor authentication or biometric unlock to ensure only authorized people can access folders, devices, or accounts.

3. Erase outdated and unused user accounts

Unused accounts are vulnerabilities that hackers can exploit. Deactivate and close unused accounts as well as those used by past employees.

4. Keep software updated

As mentioned, outdated software is a weak point. That’s because new updates can create protection against new types of malware, such as Black Basta.

5. Schedule regular backups

Keep at least three copies of your data, with at least one stored offline and off-site. This can guarantee that your data is always safe, even if you’re hit by a natural or human-made disaster (like ransomware).

Regular backups can prevent downtimes and ensure you never lose any sensitive data.

6. Have a recovery plan in hand

Data recovery plans are documents that serve as guides for what to do in case of a disaster. They can help you restore your business faster and more securely.

See how to create a data recovery plan with our in-depth guide.

How to handle the Black Basta ransomware attack

The first step to recover from the Black Basta attack is to isolate the infected computer by disconnecting from the internet and removing any connected device. Then, you must contact local authorities. For US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).

To report a ransomware attack, you must gather every information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Black Basta actors (if you have them)
  • Sample of an encrypted file

You must not delete the ransomware and keep all evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It uses the data on your infected system so authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

ransomware data recovery service

After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:

1. Contact your Incident Response Retainer

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

2. Identify the ransomware infection

You can check which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), or it will be on the ransom note. With this information, you can look for a public decryption key. However, Black Basta doesn’t have it yet.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service.

DO NOT PAY THE RANSOM. There’s no guarantee the Black Basta attackers will return the data after you pay them. The correct action is to contact local authorities and remove the ransomware. You can contact a ransomware recovery service for both removal and data recovery.

SalvageData experts can safely restore your files and guarantee Black Basta ransomware does not attack your network again. Contact our experts 24/7 for emergency recovery service or find a recovery center near you.

Share
array(2) { [0]=> int(44) [1]=> int(293) }

Related Services

Ransomware Recovery

We specialize in identifying and recovering data affected by ransomware attacks, ensuring rapid response and secure restoration of your systems when you need it most.

Backup

We help recover lost data from backup systems, ensuring that critical information is restored swiftly and securely to minimize operational downtime.

Data Recovery

We offer comprehensive data recovery solutions with a 97% success rate and a "no data, no charge" guarantee, ensuring secure and efficient recovery for all types of data loss scenarios.