Black Basta Team and double extortion ransomware attacks

Threat Discovery Telsy TS WAY Cyber Threat Intelligence

Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.

The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.

In this article we present a profile of the ransomware operator Black Basta Team.


Black Basta Team: adversary profile

Black Basta Team has been an active ransomware operator since at least early 2022. Affiliates of the group distribute the eponymous ransomware in campaigns based on double extortion tactics.

After exfiltrating victims’ data and encrypting those in compromised systems, the attackers post the claim on a special portal.

Victims who are found to be uncooperative risk having their stolen data released on that same portal.


Black Basta Team’s arsenal and a possible free decryptor

An analysis conducted in the first few months of Black Basta Team’s operations showed that the adversary’s techniques, tactics, and procedures (TTP) had some points of contact with the Russian crime group Anunak (FIN7).

Overall, it had emerged that the infection chain had been initiated by emails distributing malicious documents, including .docx files with an exploit for the Windows Follina vulnerability (CVE-2022-30190). To scale privileges, the adversary exploited other Windows vulnerabilities, such as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278), and PrintNightmare (CVE-2021-34527).

exploit black_basta telsyThe opponents then employed several remote administration tools, along with others for proxy, lateral movement, and detection evasion. The ransomware was distributed in combo with the backdoor Qakbot, which was used to do manual reconnaissance in affected systems.

In August 2023, it was discovered that several adversaries from different backgrounds, including one of Black Basta Team’s affiliates, exploited Iranian ISP Cloudzy for network infrastructure. The company is suspected to be a front for its Tehran-based counterpart abrNOC-acts as a command-and-control (C2P) provider, providing virtual private servers based on the RDP protocol.

In February 2024, a new backdoor for macOS, called RustDoor, was discovered, likely linked to this adversary and another ransomware operator, called ALPHV Team. Finally, in January, security researchers created a decryptor of the Black Basta ransomware from a bug in the encryption routine.

The tool, made available for free, would allow the recovery of encrypted files from November 2022 to December 2023.

Some analysts have learned that the developers of the threat have since fixed the bug, preventing the use of this technique in the most recent attacks.


A vast and composite victimology

Between 2023 and 2024, Black Basta Team affected more than a hundred companies operating in all production sectors globally.

In Italy, its known victims are companies active in the industrial manufacturing, energy, technology, logistics and telecommunications sectors.

Among the alleged excellent victims are Hyundai Motor Europe and the Swiss-Swedish multinational electrical engineering company ABB.

ransomware ABB HYUNDAI black basta telsyIn early February 2024, news sources reported on a ransomware attack signed Black Basta Team against the European division of the South Korean automaker Hyundai Motor Company.

According to these sources, the offensive was reportedly launched in early January, resulting in the exfiltration of 3 TB of data.

Although it is not known what data was stolen, the names of the folders published as evidence of the compromise would refer to various corporate departments, including legal, sales, human resources, accounting, IT and management. Indeed, in January the company reportedly claimed to be investigating a case in which an unauthorized third party had gained access to a limited portion of its network.

However, the claim would never appear on the adversary’s website. Rather, the supposed attack on ABB dates back to May 2023.

A well-known technology news site reported it, and the company issued a statement in which it claimed to have detected a security incident that directly affected some of its sites and systems. Even then, no claim appeared on the ransomware operator’s leak site.

The evidence that emerged in this analysis was produced thanks to TS-Intelligence platform and the specialists of TS-WAY, a highly-specialized working group now part of Telsy and the TIM Group.


Telsy and TS-WAY

Telsy_TS WAYTS-WAY is a company that develops technologies and services for medium and large-sized organizations, with a unique in Italy for cyber threat intelligence expertise. Founded in 2010, TS-WAY has been part of Telsy since 2023.

Is configured as an effective extension of the client organization, supporting the in-house team for intelligence and investigation activities, cyber incident response, and systems security verification activities.

TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, technology, and by government and military organizations that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.



TS-Intelligence_Telsy_Platform-2TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is presented as a Web-usable, full-API platform that can be operated within an organization’s defensive systems and infrastructure, to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging networked threats, both in APT and cybercrime, produces a continuous information flow of an exclusive nature that is made available to organizations in real-time and processed into technical, strategic, and executive reports.


Learn more about TS-WAY’s services.