Black Basta Ransomware Attack Detection

The Black Basta ransomware group emerged in the cyber threat arena in April 2022. Although the hacking collective can be considered relatively new to the cyber offensive domain, they have already gained a notorious reputation for rapidly evolving its adversary toolkit and adapting more sophisticated tools. Cybersecurity researchers tie the latest activity of Black Basta ransomware operators to the FIN7 russia-linked hacking group based on the use of novel defense impairment tools that belong to the offensive capabilities of the latter.

Detect Black Basta’s Latest Attacks

With the relatively new Black Basta ransomware group advancing its arsenal and enriching it with novel custom tools and techniques, cybersecurity experts should be timely equipped with relevant defensive capabilities to thwart ransomware attacks of such scale and impact. SOC Prime’s Detection as Code platform has recently released a new Sigma rule for Black Basta ransomware attack detection crafted by our prolific Threat Bounty developer Kyaw Pyiyt Htet (Mik0yan):

Suspicious FIN7’s Black Basta Ransomware Operation By Detection of Associated Events (via registry_key)

This Sigma rule detects the persistent registry run keys used by Black Basta ransomware operators in the latest attacks that have ties with the FIN7 hacking collective. The detection can be used across 22 SIEM, EDR, and XDR technologies and is aligned with the MITRE ATT&CK® framework addressing the Persistence tactic and the corresponding Boot or Logon Autostart Execution (T1547) technique.

The cybersecurity industry connects Threat Hunters and Detection Engineers who are eager to help one another and gain an advantage in the never-ending fight against adversaries. SOC Prime’s crowdsourcing initiative offers a brilliant opportunity to both aspiring minds and hard-battled experts to help industry peers and earn a bounty for contribution. Join Threat Bounty Program to earn recurring payouts while continuously mastering your Sigma and ATT&CK skills and making a difference in the field. 

Looking for ways to proactively defend against any Black Basta ransomware attacks? Click the Explore Detections button and instantly reach all Sigma rules for current and emerging threats related to the Black Basta ransomware operators. Drill down to the MITRE ATT&CK references, CTI links, relevant binaries, mitigations, and more cyber threat context.

Explore Detections

Black Basta Description: FIN7-Linked Ransomware Attacks

Black Basta actors have been conquering the cyber threat arena for over half a year, however, their affiliations with other ransomware maintainers have still remained under question for cyber defenders. The group has been rapidly evolving its offensive capabilities experimenting with a wide range of TTPs. Black Basta uses privilege escalation techniques by exploiting a set of known vulnerabilities, including PrintNightmare and ZeroLogon, has multiple RATs in its offensive toolkit, and applies a set of adversary methods for lateral movement. 

In early June 2022, cybersecurity researchers found traces of their collaboration with QBot aka Qakbot to apply the infamous backdoor for lateral movement and further deployment of Cobalt Strike beacons on the compromised machines.

SentinelLabs researchers have recently analyzed TTPs of Black Basta ransomware operators and discovered new adversary tools and techniques that can be attributed to a russia-backed hacking collective tracked as FIN7 aka Carbanak group based on the name of the malware they applied in their malicious campaigns. 

Leveraging a novel defense impairment tool developed by FIN7 threat actors has enabled cybersecurity researchers to establish a connection between two hacking collectives. In addition, the use of a set of custom tools and malicious samples in the latest Black Basta ransomware operations, including WindefCheck.exe and BIRDDOG backdoor aka SocksBot that belong to the FIN7 adversary toolkit reveals further ties between adversaries.

With a rapidly growing number of ransomware attacks, proactive detection is key to strengthening the organization’s cybersecurity posture. Obtain 650+ Sigma rules to detect current and emerging ransomware attacks and always stay one step ahead of adversaries.  Reach 30+ rules for free or gain the entire detection stack with On Demand at

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts