In February 2025, the cybersecurity community witnessed an unprecedented leak that exposed the internal operations of Black Basta.

On February 11, 2025, a Russian speaking actor using the Telegram handle @ExploitWhispers [1], leaked internal chat logs of Black Basta Ransomware-as-a-Service (RaaS) members [2]. These communications, spanning from September 2023 to September 2024, provide an insider look on the group's operational tactics.

Les échanges internes au groupe Black Basta divulgués la semaine dernière offrent une nouvelle opportunité d’enquêter sur l’un de ses leaders : tramp. Il pourrait avoir été arrêté en Arménie en juin 2024, avant d’être relâché.

Cybersecurity researchers are analyzing about 200,000 messages from inside the high-profile Black Basta ransomware operation that were leaked recently.

In addition to the new backConnect malware developed by Qbot operators, research has emerged tying zloader[4] activity to that of the BlackBasta ransomware operation. It is highly likely this new side loading backConnect malware has been or is going to be utilized to further ransomware attacks.

Cyber criminals claim to have successfully attacked Medion, a distributor of electronic products.

BT Group (formerly British Telecom)'s Conferencing division shut down some of its servers following a Black Basta ransomware attack.

ReliaQuest has observed a new Black Basta social engineering campaign targeting users via Microsoft Teams and malicious QR codes.

On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7.

The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network.

In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site purporting over 500 victims since inception.

Over the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.

Uncover an in-depth analysis of PikaBot, a malware loader used by Initial Access Brokers for network compromise and ransomware deployment.

Explore the rise of Black Basta as a top ransomware threat, their sophisticated tactics, notable attacks, and future implications for cybersecurity.

Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to malware like Qakbot followed by Black Basta ransomware deployment.

Des cybercriminels ont attaqué le vendeur de jouets Franz Carl Weber.

En décembre 2023, leteam sa a été victime d'une cyber-attaque. Un groupe de ransomware connu a pu accéder au réseau et crypter plusieurs disques. Grâce à une réaction rapide de l'équipe informatique et d'experts en sécurité externes, l'attaque a pu être rapidement contrée et les systèmes restaurés. L'analyse de l'incident a révélé une fuite de certaines données, mais celle-ci a été jugée à l'époque comme étant partiellement critique. Un monitoring a été mis en place pour surveiller une éventuelle publication de données.

Un groupe de hackers russe a volé près de 200 Go de données à une entreprise de placement suisse et les a divulgués sur le darknet.

La société TAG Aviation a été victime d'une attaque par ransomware. Les recherches de watson révèlent que Black Basta est à l'origine de cette attaque.

Rheinmetall confirmed on Monday that the Black Basta ransomware group was behind a cyberattack it detected last month.

No worries, outsourcer only handles government tech contracts worth billions