type Cybercrime / RaaS
threat_level Collapsed (legacy TTPs active)
status Defunct (Feb 2025)
origin Russia / CIS
last_updated 2026-03-13

Black Basta

aliases / tracking names: BASTA; Vengeful Mantis (PRODAFT); UNC4393 (Mandiant/GTIG); Storm-1811 (Microsoft)

A Russian-speaking ransomware-as-a-service (RaaS) operation that emerged in April 2022 as a direct successor to the Conti ransomware group. Operating as a closed, invitation-only criminal ecosystem rather than an open affiliate marketplace, Black Basta rapidly became one of the highest-tempo ransomware operations in the world, accumulating over 600 victims across critical infrastructure sectors and collecting at least $107 million in confirmed Bitcoin ransom payments by late 2023. The group pioneered the combination of email bombing, Microsoft Teams-based vishing, and social engineering-driven initial access alongside traditional exploitation techniques. Black Basta collapsed in early 2025 following internal conflicts, operator fraud, and the leak of nearly 200,000 internal chat messages. Its leader, Russian national Oleg Nefedov, was placed on the EU Most Wanted list and issued an INTERPOL Red Notice in January 2026.

attributed origin Russia / CIS (Russian-speaking)
organization type Cybercriminal / RaaS Ecosystem (Closed)
active period April 2022 – January 2025 (collapsed Feb 2025)
primary motivation Financial (Ransomware / Double Extortion)
predecessor Conti (disbanded May 2022) / FIN7 (Carbanak) overlap
confirmed ransom collected $107M+ (blockchain-traced through late 2023)
total victims 600+ organizations (12/16 US critical infrastructure sectors)
alleged leader Oleg Nefedov (GG/Tramp/Trump/AA) — INTERPOL Red Notice
government advisories CISA AA24-131A (FBI/CISA/HHS/MS-ISAC)

Overview

Black Basta emerged in the ransomware landscape in April 2022, immediately after the Conti group's implosion following its public support for Russia's invasion of Ukraine and the subsequent leak of its internal communications by a Ukrainian researcher in February 2022. The group is widely assessed by Elliptic, Trend Micro, ReliaQuest, and other researchers to be a direct outgrowth of Conti, with blockchain analysis tracing millions of dollars flowing from Conti-linked wallets into Black Basta-associated addresses. The group also demonstrated clear operational links to FIN7 (Carbanak), with SentinelOne discovering that Black Basta used an EDR evasion tool containing a backdoor developed exclusively by FIN7 in 2018.

Unlike many RaaS operations that openly advertise on dark web forums, Black Basta operated as a closed, invitation-only ecosystem. The group recruited selectively, favoring experienced operators with proven track records in ransomware or malware development. This closed structure contributed to its rapid operational maturity — Black Basta claimed nearly 100 victims in its first seven months. By May 2024, the FBI and CISA reported that Black Basta affiliates had impacted over 500 organizations across at least 12 of the 16 US critical infrastructure sectors. Approximately 35% of victims paid ransoms through late 2023.

The group's internal structure, revealed through the February 2025 chat leak, showed a hierarchical organization with defined roles: leadership (Nefedov as "GG/Tramp"), administrators ("Lapa" and "YY" handling support tasks), developers maintaining ransomware code and infrastructure, operators conducting intrusions, and external collaborators including QakBot and DarkGate developers. Infrastructure was managed through NGINX-based proxies, rotating VPS instances for command-and-control, and FTP servers for data staging. Internal communication was conducted via Matrix and Telegram. The group used Ansible playbooks to automate Cobalt Strike configurations and deployments, and dynamically generated C2 profiles using open-source tools.

Collapse and Aftermath

Black Basta's decline began in the summer of 2024 and accelerated through internal fractures. The leaked chat logs revealed multiple destabilizing factors: members attacking Russian targets (a cardinal rule violation for Russia-based cybercriminal groups), operators collecting ransom payments without providing working decryption keys (destroying the group's negotiating credibility), and internal power struggles driven by Nefedov's management style. The group's last known victim was recorded on January 11, 2025, and all three of the group's websites (its data leak site and its chat sites) went offline. On February 11, 2025, a disgruntled member using the handle "ExploitWhispers" leaked the group's internal Matrix chat logs — nearly 200,000 messages spanning September 2023 to September 2024 — citing anger over the group's targeting of Russian banks.

The collapse of the Black Basta brand did not eliminate the underlying threat. Trend Micro, ReliaQuest, and Barracuda all reported evidence that former Black Basta operators migrated to the CACTUS and SafePay ransomware groups, carrying over the same TTPs including email bombing and Teams-based vishing. ReliaQuest documented that Teams phishing attacks using Black Basta's techniques held steady after the collapse, with a significant spike in April 2025. The group's signature tactics continue to be employed under new brands.

Law Enforcement Actions

  • August 2025: Ukrainian police searched the residence of a "crypter" specialist suspected of helping Black Basta's malware evade antivirus detection. Evidence was seized.
  • January 15, 2026: Joint Ukrainian-German law enforcement operation raided homes of two suspected "hash crackers" in Lviv and Ivano-Frankivsk, Ukraine. Digital storage devices and cryptocurrency assets were seized.
  • January 2026: Germany's Federal Criminal Police (BKA) publicly identified Oleg Evgenievich Nefedov (35, Russian national) as the founder and leader of Black Basta. Nefedov was added to the EU Most Wanted list and an INTERPOL Red Notice was issued. The BKA stated that Nefedov decided targets, recruited members, assigned tasks, participated in ransom negotiations, managed proceeds, and distributed payments to members.
  • Nefedov's Background: Chat leak analysis revealed Nefedov was previously an active member of both REvil and Conti. Documents within the leaks alleged connections to high-ranking Russian politicians, the FSB, and GRU intelligence agencies, which he reportedly leveraged to protect operations and evade international justice. The group also relied on Media Land, a bulletproof hosting provider sanctioned by the US, UK, and Australia in November 2025.

Target Profile

Black Basta practiced "big game hunting," targeting large enterprises and critical infrastructure organizations with high revenue to maximize ransom payments. Operators expressed specific interest in targeting English-speaking "Five Eyes" countries. Like its Conti predecessor, Black Basta prohibited attacks on Russian and CIS-region targets — a rule whose violation by internal members directly contributed to the group's collapse.

  • Critical Infrastructure: Impacted at least 12 of 16 US critical infrastructure sectors as designated by CISA, including Healthcare and Public Health, Manufacturing, Energy, Transportation, Financial Services, and Government Facilities.
  • Healthcare: High-profile attacks on Ascension Health (May 2024, disrupting 142 hospitals across 19 states), demonstrating willingness to target healthcare despite internal debates about the risks of doing so.
  • Manufacturing & Industrial: Heavy targeting of manufacturing (highest victim count by sector in late 2024), including the 2023 attack on Swiss industrial giant ABB.
  • Geographic Focus: Primarily United States (heaviest concentration), Germany, United Kingdom, Canada, Switzerland, France, Netherlands, Italy, and Australia.
  • Notable Victims: Ascension Health, ABB (Swiss tech/industrial), Rheinmetall (German defense), Hyundai Europe, BT Group (British Telecom), Capita (UK government outsourcer), Toronto Public Library, Yellow Pages Canada, American Dental Association, and hundreds of other organizations across construction, real estate, financial services, and technology sectors.

Tactics, Techniques & Procedures

Black Basta's TTPs evolved significantly over its operational lifetime, particularly following the QakBot takedown (Operation Duckhunt, August 2023) which forced a pivot to social engineering-heavy initial access methods. The following reflects documented techniques from CISA Advisory AA24-131A, Kroll, Trend Micro, Sophos MDR, ReliaQuest, Microsoft, and Rapid7 reporting.

  • T1566 Phishing (Spearphishing / Email Bombing): Primary initial access vector throughout the group's lifecycle. Early campaigns used spearphishing with malicious attachments (macro-enabled Office docs, ISO+LNK droppers, .docx exploiting CVE-2022-30190/Follina). From late 2024, evolved to massive email bombing campaigns that flood victims' inboxes with hundreds of spam messages, followed by social engineering contact via Microsoft Teams or phone calls where attackers impersonate IT helpdesk staff. The email bombing creates the pretext for the fake "support" call.
  • T1598 Phishing for Information (Teams Vishing): Black Basta's signature innovation. After email bombing, attackers contact victims via Microsoft Teams from attacker-controlled tenants (often onmicrosoft.com domains or breached legitimate domains) impersonating IT support. Victims are persuaded to grant remote access via Quick Assist, AnyDesk, or other RMM tools. In advanced variations, attackers bypass MFA using QR codes sent over Teams. Sophos MDR tracked this as STAC5777. Microsoft documented the tactic under Storm-1811. ReliaQuest reported this technique persisted well beyond Black Basta's collapse, with 50% of observed Teams phishing attacks originating from onmicrosoft.com domains.
  • T1190 Exploit Public-Facing Application: Exploited a wide range of known vulnerabilities for initial access and privilege escalation. Chat logs referenced 62 CVEs. Key exploited vulnerabilities include ConnectWise ScreenConnect (CVE-2024-1709, CVSS 10.0), Microsoft Exchange ProxyShell/ProxyNotShell (CVE-2021-34473, CVE-2022-41040), Fortinet FortiOS (CVE-2022-40684), Palo Alto PAN-OS (CVE-2024-3400), Citrix ADC/Gateway (CVE-2019-19781), and VMware ESXi (CVE-2021-21974).
  • T1068 Exploitation for Privilege Escalation: Exploited ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278/CVE-2021-42287), PrintNightmare (CVE-2021-34527), and Windows Error Reporting Service (CVE-2024-26169) for privilege escalation within compromised environments. PrintNightmare was used specifically to deliver Cobalt Strike beacons.
  • T1219 Remote Access Software: Heavily abused legitimate remote access tools including Quick Assist (Windows built-in), AnyDesk, AteraAgent, Splashtop, and ScreenConnect. Quick Assist abuse was central to the Teams vishing workflow: victims were persuaded to share their screen, after which attackers installed persistent access tools and malware. OneDriveStandaloneUpdater.exe was abused for DLL side-loading to deploy backdoors.
  • T1003 OS Credential Dumping: Used Mimikatz extensively for LSASS memory dumping, credential extraction, Kerberos ticket theft, and pass-the-hash attacks. Mimikatz was frequently renamed to evade detection. Extracted credentials were used for privilege escalation and lateral movement across domain-joined systems.
  • T1562.001 Impair Defenses: Disable or Modify Tools: Used PowerShell to disable Windows Defender and other security tools. Deployed the Backstab tool to terminate EDR processes. A custom EDR evasion tool linked to FIN7 was used to bypass endpoint detection. A Safe Mode boot technique (similar to REvil's) was used to encrypt systems while security tools were inactive.
  • T1486 Data Encrypted for Impact: Windows and Linux/ESXi ransomware variants. Uses ChaCha20 encryption with an RSA-4096 public key for key exchange. Encrypted files receive the .basta extension. The -bomb argument in later builds enabled automatic targeting of all connected machines. The Linux variant specifically targeted /vmfs/volumes for VMware virtual machine encryption. Ransom notes directed victims to a .onion URL with a unique victim code, giving 10-12 days to pay before data publication on "Basta News."
  • T1567.002 Exfiltration to Cloud Storage: Used Rclone (primary) and WinSCP to exfiltrate stolen data to cloud storage providers, predominantly Mega. Data exfiltration occurred before encryption as part of the double extortion workflow. Automated via configuration of cloud storage destinations within Rclone.
  • T1572 Protocol Tunneling: Deployed SystemBC as a Tor proxy for encrypted C2 communications. SystemBC was preconfigured with C2 domains and created scheduled tasks for persistence. Also used Cobalt Strike beacons via SMB for lateral movement and C2, with base64-encoded PowerShell commands launching beacon services with randomized seven-character names.
  • T1490 Inhibit System Recovery: Deleted Volume Shadow Copies via vssadmin to prevent file recovery. Combined with Safe Mode encryption to bypass security tools during the encryption phase. Targeted and destroyed backups on connected storage to maximize pressure on victims to pay.

Known Campaigns

Rapid Emergence & First 100 Victims (April – November 2022)

Black Basta launched in April 2022 and immediately demonstrated the operational maturity inherited from Conti. Within seven months, the group claimed nearly 100 victims, exclusively targeting US-based organizations. Early campaigns relied on QakBot infections delivered via spearphishing for initial access, with Cobalt Strike deployment and rapid lateral movement to domain-wide encryption. The group's data leak site "Basta News" was operational from the start, establishing double extortion as a core tactic.

ABB (Swiss Industrial Giant) (May 2023)

Attacked ABB, a major Swiss-Swedish multinational technology and industrial automation company with approximately 105,000 employees. The attack impacted the company's Windows Active Directory, disrupting operations across multiple facilities and affecting global supply chains. ABB confirmed the attack involved data exfiltration, though the ransom payment status was not disclosed.

Capita (UK Government Outsourcer) (March 2023)

Breached Capita, one of the UK's largest outsourcing companies providing services to the British government, NHS, and military. The attack disrupted services for multiple government clients and resulted in the exfiltration of sensitive data. Capita estimated the attack cost approximately £25 million in remediation, recovery, and associated expenses.

Ascension Health — 142 Hospitals Disrupted (May 2024)

Black Basta's most consequential and ultimately self-destructive attack. The group compromised Ascension Health, a Catholic healthcare system operating 140+ hospitals and 40 senior care facilities across 19 states and Washington, DC. Attackers gained access credentials for 14 employees around November 2023, spent approximately six months in the network, exfiltrated 1.5 terabytes of data, and deployed version 4.0 of their ransomware on May 8, 2024, encrypting 12,000 endpoints using Safe Mode bypass techniques. The attack forced Ascension to deactivate electronic health records for weeks, cancel non-emergency procedures, and divert ambulances. Nearly 5.6 million patients and employees were notified of potential data compromise. Leaked chat logs revealed internal debates about the ethics of the attack, with leader GG ultimately declaring hospitals off-limits going forward. The attack triggered a joint CISA/FBI/HHS/MS-ISAC advisory (AA24-131A) and accelerated internal plans to rebrand. Tinker, the negotiator, had expected to extract $100 million or more based on Change Healthcare's reported $22 million payment to BlackCat.

Email Bombing & Teams Vishing Campaign (May 2024 – January 2025)

Beginning in mid-2024, Black Basta introduced its signature social engineering workflow: massive email bombing followed by Microsoft Teams calls or phone calls impersonating IT helpdesk staff. Victims overwhelmed by spam were persuaded to grant remote access via Quick Assist. This technique, documented by ReliaQuest, Sophos MDR, Microsoft, and Rapid7, proved highly effective against organizations with external Teams communication enabled. Attackers deployed DarkGate, BackConnect malware (QBACKCONNECT, linked to QakBot artifacts), and custom payloads through the established remote access. This campaign continued through the group's final months and has been carried forward by successor operations including CACTUS and SafePay.

Internal Chat Leak & Collapse (February 2025)

On February 11, 2025, nearly 200,000 internal Matrix chat messages (September 2023 – September 2024) were leaked on Telegram by "ExploitWhispers," reportedly motivated by the group targeting Russian banks. The leak exposed organizational structure, key member identities (including Nefedov as leader), phishing templates, cryptocurrency addresses, victim credentials, tool discussions, and operational workflows. PRODAFT, BleepingComputer, Barracuda, and other researchers analyzed the data extensively. The leak mirrored the 2022 Conti leak that had originally destroyed Black Basta's predecessor. The Basta News leak site disappeared by the end of February 2025, marking the end of operations under the Black Basta name.

Tools & Malware

  • Black Basta Ransomware (Windows): ChaCha20 encryption with RSA-4096 key exchange. Multiple builds observed with evolving capabilities including Safe Mode encryption, -bomb argument for network-wide targeting, configurable file/folder exclusion lists. Encrypted files receive the .basta extension. Desktop wallpaper changed to display ransom notice directing to .txt ransom note. Evolution traced through Hermes/Ryuk/Conti ransomware lineage.
  • Black Basta Ransomware (Linux/ESXi): Targets /vmfs/volumes for VMware virtual machine encryption. Includes -forcepath argument for targeting additional directories. Enables encryption of virtualized infrastructure running on ESXi hypervisors.
  • QakBot (Qbot): Primary initial access loader from 2022 through the August 2023 Operation Duckhunt takedown. Delivered via spearphishing, established persistence, provided C2 communication, and served as a delivery platform for Cobalt Strike, SystemBC, and other post-exploitation tools. QakBot developer "MG" had direct communication channels with Black Basta leadership.
  • BackConnect (QBACKCONNECT): Malware with artifacts suggesting QakBot lineage, used for persistent machine control and data exfiltration. Deployed through the Teams vishing / Quick Assist workflow in late 2024 and early 2025. Trend Micro reported this tool was shared between Black Basta and CACTUS operations.
  • DarkGate: Loader and RAT used as an alternative to QakBot following the takedown. Deployed in later campaigns via social engineering workflows for credential theft, VPN config extraction, and follow-on payload delivery.
  • Cobalt Strike: Core post-exploitation framework. Installed as services with randomized seven-character names via base64-encoded PowerShell commands. SMB Beacons used for lateral movement. Configurations and deployments automated via Ansible playbooks with dynamically generated C2 profiles.
  • SystemBC: Tor proxy and RAT preconfigured with C2 domains. Used for encrypted command-and-control tunneling, script deployment, and tool distribution. Created scheduled tasks for persistence. Identified by Kroll as a strong indicator of Black Basta intrusions.
  • Mimikatz: Used for LSASS credential dumping, Kerberos ticket extraction, and pass-the-hash attacks. Frequently renamed to evade security tools.
  • Rclone / WinSCP: Primary exfiltration tools. Rclone configured to upload stolen data to Mega cloud storage. WinSCP used as an alternative for secure file transfer during exfiltration.
  • Backstab: Tool used to terminate EDR processes by leveraging legitimate drivers. Part of Black Basta's defense evasion toolkit alongside the FIN7-linked custom EDR evasion tool.
  • Legitimate RMM Tools (Quick Assist, AnyDesk, AteraAgent, Splashtop, ScreenConnect): Abused for initial access and persistent remote control during social engineering campaigns. Quick Assist abuse was central to the Teams vishing workflow.

Indicators of Compromise

Black Basta's infrastructure is defunct, but its TTPs continue to be used by successor groups. IOCs are sourced from CISA Advisory AA24-131A, Kroll, Trend Micro, Sophos MDR, and the leaked chat logs.

Behavioral indicators

  • Technique: Mass email bombing (hundreds of spam emails) followed within minutes by Microsoft Teams calls or phone calls from external tenants impersonating IT helpdesk
  • Technique: Quick Assist sessions initiated after external Teams contact — attacker gains screen sharing then full control
  • Technique: Teams phishing from onmicrosoft.com domains (50% of observed attacks) or breached legitimate organization domains (42%)
  • Technique: Cobalt Strike service creation with randomized 7-character alphanumeric names via %COMSPEC% base64-encoded PowerShell
  • Technique: OneDriveStandaloneUpdater.exe side-loading malicious winhttp.dll for persistent backdoor access
  • Technique: Rclone execution with outbound connections to Mega cloud storage — large volume data exfiltration
  • Extension: .basta — File extension appended to encrypted files

Exploited vulnerabilities (from chat logs and CISA advisory)

  • CVE-2024-1709 — ConnectWise ScreenConnect authentication bypass (CVSS 10.0)
  • CVE-2024-3400 — Palo Alto PAN-OS GlobalProtect command injection (CVSS 10.0)
  • CVE-2024-26169 — Windows Error Reporting Service privilege escalation
  • CVE-2022-30190 — Microsoft MSDT "Follina" RCE (early campaign delivery)
  • CVE-2021-34473 — Microsoft Exchange ProxyShell
  • CVE-2022-41040 — Microsoft Exchange ProxyNotShell SSRF
  • CVE-2022-40684 — Fortinet FortiOS authentication bypass
  • CVE-2020-1472 — ZeroLogon (Netlogon privilege escalation)
  • CVE-2021-42278 / CVE-2021-42287 — NoPac (Active Directory privilege escalation)
  • CVE-2021-34527 — PrintNightmare (Windows Print Spooler RCE)
  • CVE-2021-21974 — VMware ESXi OpenSLP heap overflow
  • CVE-2019-19781 — Citrix ADC/Gateway directory traversal
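The Cobalt Strike service-creation indicator above (randomized seven-character service name, %COMSPEC% wrapper, base64-encoded PowerShell) can be triaged directly from Windows System log Event ID 7045 records. The following is an added example, not code from the original profile or from any vendor named on the page; the event field names (EventID, ServiceName, ImagePath) and all sample events are constructed, and the encoded script is a placeholder loader pattern rather than a real payload.

```python
import base64
import re

def _enc(ps: str) -> str:
    """Encode text the way PowerShell -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed in-memory loader pattern (decompress a base64 blob, then IEX). The blob is a
# placeholder string, so decoding it yields nothing executable; it only exercises the detector.
_LOADER = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('PLACEHOLDER'));"
           "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
           "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")

# Constructed Event ID 7045 (service installed) records as a SIEM might export them.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "a7f3k9q",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand " + _enc(_LOADER)},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe"},
    {"EventID": 7045, "ServiceName": "b2c4d6e",
     "ImagePath": "%COMSPEC% /c powershell -enc " + _enc("Get-Date")},
]

RANDOM_NAME = re.compile(r"^[a-z0-9]{7}$")          # seven lowercase alphanumerics, no vendor-style name
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
LOADER_MARKERS = ("iex", "invoke-expression", "frombase64string", "gzipstream", "downloadstring")

def decode_encoded_command(image_path: str):
    """Return the decoded -EncodedCommand script from a service ImagePath, or None."""
    m = ENC_FLAG.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_service_event(ev: dict):
    """Score one 7045 event; each matched indicator from the profile adds one reason."""
    reasons = []
    if ev.get("EventID") != 7045:
        return 0, reasons
    if RANDOM_NAME.match(ev["ServiceName"]):
        reasons.append("7-character random-looking service name")
    path = ev["ImagePath"]
    if "%COMSPEC%" in path.upper():
        reasons.append("service binary is a %COMSPEC% (cmd.exe) wrapper")
    decoded = decode_encoded_command(path)
    if decoded is not None:
        reasons.append("base64 -EncodedCommand PowerShell launcher")
        if any(mk in decoded.lower() for mk in LOADER_MARKERS):
            reasons.append("decoded script contains in-memory loader markers")
    return len(reasons), reasons

def triage(events, threshold: int = 3):
    """Return (service name, score, reasons) for every event at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_service_event(ev)
        if score >= threshold:
            hits.append((ev["ServiceName"], score, reasons))
    return hits

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{name}: score {score}: " + "; ".join(reasons))
```

Feed real 7045 exports through `triage` and review anything scoring 3 or more; a legitimate installer rarely combines a random name with an encoded PowerShell launcher.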

Mitigation & Defense

Although Black Basta is defunct, its signature TTPs — particularly email bombing combined with Teams vishing — continue to be used by successor groups. The following recommendations address both the group's historical techniques and its enduring legacy.

  • Restrict external Microsoft Teams communications: The single most impactful defense against Black Basta-style attacks. Configure Microsoft 365 to block or restrict Teams calls and messages from external tenants unless required for specific business relationships. Implement allowlists for trusted partner domains rather than permitting all external communication by default.
  • Lock down remote assistance tools: Disable Quick Assist and other remote access tools unless specifically used by the organization's helpdesk. Implement approval workflows for remote assistance sessions. Monitor for anomalous Quick Assist launches, particularly those following external Teams contact or email bombing events. Maintain allowlists for authorized RMM tools and block unauthorized alternatives.
  • Train users to recognize email bombing and vishing: Black Basta's workflow relies on users being overwhelmed by spam and then tricked by a phone call or Teams message offering "help." Train employees that a sudden flood of emails followed by an unsolicited IT support contact is a strong indicator of attack. Establish clear procedures for verifying IT support contacts through internal channels.
  • Patch aggressively across the CVE list: Black Basta's chat logs referenced 62 CVEs. Prioritize patching for ConnectWise ScreenConnect (CVE-2024-1709), Palo Alto PAN-OS (CVE-2024-3400), Fortinet FortiOS (CVE-2022-40684), Microsoft Exchange (ProxyShell/ProxyNotShell), and Windows privilege escalation vulnerabilities (ZeroLogon, PrintNightmare, NoPac). Implement vulnerability management with SLAs for critical internet-facing systems.
  • Detect credential dumping and lateral movement: Monitor for Mimikatz indicators including LSASS access patterns, renamed Mimikatz binaries, pass-the-hash activity, and Kerberos ticket manipulation. Alert on Cobalt Strike beacon behaviors including service creation with randomized names and base64-encoded PowerShell execution. Monitor for PsExec, BITSAdmin, and SMB-based lateral movement.
  • Monitor for data exfiltration: Detect Rclone execution and large outbound data transfers to cloud storage providers (especially Mega). Implement egress filtering and proxy enforcement. Alert on WinSCP connections to unknown external hosts. Monitor for anomalous bulk file access patterns preceding exfiltration.
  • Deploy immutable, offline backups: Black Basta deletes Volume Shadow Copies and targets connected backup storage. Ensure backups are immutable or stored fully offline and air-gapped. Test restoration procedures regularly. Implement the 3-2-1-1-0 backup strategy (3 copies, 2 media types, 1 offsite, 1 offline, 0 errors in verification).
  • Monitor for DLL side-loading: Watch for OneDriveStandaloneUpdater.exe loading unexpected DLLs (winhttp.dll) and creating encrypted C2 connections. Alert on legitimate update processes exhibiting anomalous network behavior or loading unsigned libraries.
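The first three mitigations above amount to one correlation rule: an email bomb against a user, an external Teams contact shortly after, and a Quick Assist or other RMM launch by the same user. The following is an added example, not code from the original profile or from any vendor named on the page; the three telemetry feeds, their field names, the thresholds and every sample record are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real data): mail gateway deliveries, Teams audit events,
# and endpoint process-creation events, all keyed on the user principal name.
T0 = datetime(2025, 4, 14, 9, 0, 0)
MAIL = [("jdoe@victim.example", T0 + timedelta(seconds=6 * i)) for i in range(80)]  # 80 mails in 8 min
MAIL.append(("asmith@victim.example", T0 + timedelta(minutes=3)))                   # normal volume
TEAMS = [
    {"time": T0 + timedelta(minutes=12), "user": "jdoe@victim.example",
     "sender": "helpdesk@contoso-support.onmicrosoft.com", "external": True},
    {"time": T0 + timedelta(minutes=30), "user": "asmith@victim.example",
     "sender": "colleague@victim.example", "external": False},
]
PROC = [
    {"time": T0 + timedelta(minutes=20), "user": "jdoe@victim.example",
     "image": "C:\\Windows\\System32\\quickassist.exe"},
    {"time": T0 + timedelta(minutes=40), "user": "asmith@victim.example",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

BOMB_WINDOW = timedelta(minutes=10)   # sliding window for counting inbound mail
BOMB_THRESHOLD = 50                   # constructed; the profile describes "hundreds" in practice
FOLLOWUP = timedelta(minutes=60)      # how soon the next stage must follow the previous one
RMM_IMAGES = ("quickassist", "anydesk", "ateraagent", "screenconnect", "splashtop")

def email_bomb_starts(mail, window=BOMB_WINDOW, threshold=BOMB_THRESHOLD):
    """Map each bombed user to the timestamp at which the flood first crossed the threshold."""
    per_user = defaultdict(list)
    for user, ts in mail:
        per_user[user].append(ts)
    starts = {}
    for user, times in per_user.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > window:   # slide the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                starts[user] = times[lo]
                break
    return starts

def correlate(mail, teams, proc):
    """Chain email bomb -> external Teams contact -> RMM launch per user; return alerts."""
    alerts = []
    bombs = email_bomb_starts(mail)
    for t in teams:
        if not t["external"] or t["user"] not in bombs:
            continue
        start = bombs[t["user"]]
        if not (start <= t["time"] <= start + FOLLOWUP):
            continue
        chain = [f"email bomb from {start.isoformat()}", f"external Teams contact from {t['sender']}"]
        if t["sender"].lower().endswith(".onmicrosoft.com"):
            chain.append("sender tenant is an onmicrosoft.com domain")
        rmm = [p for p in proc if p["user"] == t["user"]
               and t["time"] <= p["time"] <= t["time"] + FOLLOWUP
               and any(k in p["image"].lower() for k in RMM_IMAGES)]
        for p in rmm:
            chain.append(f"RMM launch {p['image']} at {p['time'].isoformat()}")
        alerts.append({"user": t["user"], "severity": "high" if rmm else "medium", "chain": chain})
    return alerts

if __name__ == "__main__":
    for a in correlate(MAIL, TEAMS, PROC):
        print(a["severity"].upper(), a["user"], "->", " | ".join(a["chain"]))
```

A "medium" alert (bomb plus external Teams contact, no RMM yet) is the point at which the helpdesk-verification procedure from the training bullet should be triggered, before access is granted.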

Legacy & Successor Groups

Black Basta follows the GandCrab → REvil → DarkSide → BlackMatter → Conti → Black Basta lineage of Russian-speaking RaaS operations that rebrand following exposure. Researchers have identified the following successor activity:

  • CACTUS: Active since March 2023, using similar TTPs to Black Basta and Conti. Trend Micro reported evidence of Black Basta members transitioning to CACTUS, with chat logs showing Nefedov (GG) paying a CACTUS member (MG). CACTUS was last seen active in March 2025.
  • SafePay: Emerged September 2024, gained momentum in 2025 with tools and tactics closely resembling Black Basta and Conti. Not a RaaS platform, likely absorbed only the strongest Black Basta operators. Still active as of early 2026.
  • 3AM: ReliaQuest identified the 3AM ransomware group adopting Black Basta's signature phishing tactics within months of the collapse.
  • Persistent TTPs: Regardless of branding, the email bombing + Teams vishing workflow originated by Black Basta continues to be used by multiple threat actors. ReliaQuest documented steady Teams phishing attack volume through 2025, with no decrease following the group's dissolution.
