Black Basta Ransomware: Threat Actor Profile
Black Basta emerged in 2022 as a credible heir to Conti's intrusion tradecraft, pulling in more than $100M before a 2025 chat leak exposed its inner workings and fractured the brand. A full threat-actor profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
Black Basta emerged in 2022 as a credible heir to Conti-style intrusion tradecraft: heavy use of initial access, discovery, localization, exfiltration, and rapid encryption. Reuters reported the group had pulled in more than $100 million since emergence.
Black Basta: at a glance
- Aliases: Black Basta, Basta (widely assessed as a Conti offshoot)
- Country / affiliation: Russian-speaking criminal ecosystem
- Assessed status (as of July 2026): Fragmented; successors active
- Primary objectives: Double extortion and ransomware monetization
- Financial destruction / gain: >$100 million in ransom proceeds since emergence, per Reuters
- Type: ransomware-as-a-service (RaaS) (Conti-lineage double extortion)
Who is Black Basta?
By 2025 the Black Basta chat leak exposed the inner workings of the operation, and by 2026 vendor reporting increasingly described the brand as collapsed or diminished — even as its tradecraft and alumni persisted in successor activity. It is frequently assessed as a Conti offshoot.
Aliases and attribution
Black Basta is widely assessed as a Conti-lineage threat actor within the Russian-speaking cybercrime ecosystem, sharing personnel and tradecraft. The 2025 chat leak — echoing the earlier Conti leaks — provided rare insight into its structure and, like those leaks, accelerated the brand's decline while its operators dispersed into other crews.
Financial impact and damage
Reuters put Black Basta's proceeds above $100 million since 2022, with substantial victim counts across healthcare, manufacturing, and critical infrastructure. Public accounting is less clean than for LockBit or Conti, but a 2024 CISA advisory documented its focus on critical-infrastructure targets, and its overall footprint places it firmly among the era's more damaging ransomware brands.
Black Basta timeline
- 2022: Group emerges, quickly reaching top-tier RaaS status
- 2023: Reuters reports $100M+ in proceeds
- 2024: CISA advisory highlights critical-infrastructure focus
- 2025: Internal chats leak, exposing operations
- 2026: Brand declines; tradecraft persists in successor activity
Notable attacks and campaigns
Black Basta favored initial access via commodity loaders and social-engineering campaigns (including a wave of email-bombing plus fake IT-support calls). It could encrypt in Safe Mode to evade defenses. The 2025 chat leak revealed operational details, internal disputes, and targeting decisions, hastening the brand's fragmentation.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1059.001 — PowerShell: Black Basta used PowerShell for discovery and remote execution. Alert on PowerShell used for admin-share enumeration or remote execution from user workstations.
- T1543.003 — Create or Modify System Process: Windows Service: The group created Windows services for persistence. Detect unusual service creation from temp paths or unsigned binaries.
- T1486 — Data Encrypted for Impact: Black Basta used ChaCha20 and even encrypted in Safe Mode. Alert on boot-mode changes, forced reboots into Safe Mode, and high-velocity file rewrites.
Detection and defense against Black Basta
Black Basta's Conti-derived kill chain relies on scripting, service persistence, and Safe Mode encryption:
- Alert on PowerShell used for admin-share enumeration or remote execution from user hosts.
- Detect unusual Windows-service creation from temp paths or unsigned binaries.
- Watch for forced reboots into Safe Mode — a Black Basta evasion technique.
- Train help desks against social-engineering (email-bombing plus fake IT-support call) intrusion patterns.
- Protect backups and correlate recovery-artifact deletion with pre-encryption admin actions.
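As an added illustration of the PowerShell, service-creation and Safe Mode rules listed in the TTP section and repeated above (example code, not from the original profile or from any vendor), here is a small Python triage routine that applies those three rules to constructed sample events. The SIEM field names, the `host_role` field and the `bcdedit`/`safeboot` indicator used for the Safe Mode rule are assumptions.

```python
import re

# Constructed sample telemetry (not real logs): each record carries the fields a
# SIEM would normalise from a Sysmon process-creation (EID 1) or a System log
# service-install (EID 7045) event. Treating a bcdedit safeboot change as the
# "forced reboot into Safe Mode" signal is an assumption of this example.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "host_role": "workstation", "user": "jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -nop net view \\FS01\C$"},
    {"event_id": 7045, "host": "FS01", "host_role": "server", "user": "SYSTEM",
     "service_name": "UpdateSvc", "signed": False,
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"event_id": 1, "host": "FS01", "host_role": "server", "user": "admin",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set safeboot network"},
    {"event_id": 1, "host": "WS-042", "host_role": "workstation", "user": "jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Date"},   # benign control case
]

ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\(?:c\$|admin\$|ipc\$)", re.I)  # \\host\C$ etc.
REMOTE_EXEC = re.compile(r"invoke-command|-computername|enter-pssession", re.I)
TEMP_PATH = re.compile(r"\\(?:temp|tmp)\\", re.I)
SAFEBOOT = re.compile(r"bcdedit\b.*\bsafeboot\b", re.I)

def check_event(ev):
    """Return a finding dict for one event, or None if no rule fires."""
    if ev["event_id"] == 1:
        cmd = ev.get("command_line", "")
        is_ps = ev.get("image", "").lower().endswith("powershell.exe")
        # Rule 1: PowerShell admin-share enumeration or remote execution from a user host
        if is_ps and ev.get("host_role") == "workstation" and (
                ADMIN_SHARE.search(cmd) or REMOTE_EXEC.search(cmd)):
            return {"host": ev["host"], "technique": "T1059.001",
                    "reason": "PowerShell admin-share/remote execution from workstation"}
        # Rule 3: boot configuration switched to Safe Mode ahead of encryption
        if SAFEBOOT.search(cmd):
            return {"host": ev["host"], "technique": "T1486",
                    "reason": "boot configuration changed to Safe Mode"}
    elif ev["event_id"] == 7045:
        # Rule 2: service installed from a temp path or from an unsigned binary
        path = ev.get("image_path", "")
        if TEMP_PATH.search(path) or not ev.get("signed", True):
            return {"host": ev["host"], "technique": "T1543.003",
                    "reason": f"service {ev['service_name']!r} installed from {path}"}
    return None

def triage(events):
    """Run every event through check_event and keep the hits, in log order."""
    return [f for f in (check_event(e) for e in events) if f]
```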
The bottom line
Black Basta was one of the most capable Conti successors; its 2025 chat leak fractured the brand, but its alumni and tradecraft continue to surface in newer ransomware operations.
Frequently asked questions
What is Black Basta ransomware?
Black Basta is a Russian-speaking ransomware operation that emerged in 2022, widely assessed as a Conti offshoot, known for double-extortion attacks on healthcare, manufacturing, and critical infrastructure.
How much has Black Basta made?
Reuters reported that Black Basta pulled in more than $100 million in ransom proceeds since its 2022 emergence.
What was the Black Basta chat leak?
In 2025, internal chat logs from Black Basta leaked publicly, exposing the group's operations, disputes, and targeting decisions — similar to the earlier Conti leaks — and accelerating the brand's decline.
Is Black Basta still active?
The brand is fragmented and diminished after the 2025 leak, but its operators and tradecraft persist in successor ransomware activity.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: