S1070: Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess that the Black Basta RaaS operators could include current or former members of the Conti group.[1][2][3][4][5][6]
Analyst context for executives and security teams
Black Basta matters because ATT&CK describes it as C++ ransomware offered through a ransomware-as-a-service model with Windows and VMware ESXi variants and reported double-extortion operations. For leaders, this is not just an endpoint malware issue: ESXi involvement makes virtualization recovery, backup integrity, and business continuity central to readiness.
Executive priority
Prioritize Black Basta as a resilience and incident-decision scenario: can the organization detect suspicious execution and discovery before encryption, protect recovery options, and make evidence-based decisions during extortion pressure? Validate that ransomware readiness covers Windows estates, ESXi servers, sensitive-data exposure concerns, and executive communications for double-extortion events.
Technical view
ATT&CK provides no official detection text for S1070, so coverage should be validated through the related behaviors: command execution via PowerShell, Windows Command Shell, WMI, and Native API; discovery of services, systems, files, directories, and system information; registry and Windows service modification; masquerading and resource-name abuse; virtualization/sandbox evasion; recovery inhibition; shutdown or reboot; internal defacement; and data encryption for impact. SOC and IR teams should test whether telemetry links these behaviors into a ransomware progression rather than treating each event as isolated administration.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell, cmd, WMI, service control, registry modification, and discovery commands
- Windows service creation/modification and service-name/display-name change logs
- Registry modification events, especially changes associated with persistence or defense impairment
- File and directory enumeration, large-scale file modification, and encryption-like activity on endpoints and servers
- ESXi host management logs, shell/command activity, VM datastore access, shutdown/reboot events, and recovery-impacting actions
Detection direction
- Because MITRE lists no official detection guidance, start with behavior-based analytics mapped to the related techniques rather than hash-only detection.
- Correlate discovery activity followed by service/registry changes, suspicious script or shell execution, and rapid file modification as a higher-priority ransomware pattern.
- Tune carefully for administrative false positives: WMI, PowerShell, service management, registry tools, and ESXi commands are legitimate in IT operations, so detections need asset role, user context, timing, and change-ticket context.
- Validate ESXi visibility explicitly; many organizations have stronger Windows endpoint logging than hypervisor logging, creating a material blind spot for ransomware variants that target virtualization infrastructure.
- Review whether security tools can inspect large or modified binaries, since the related Binary Padding behavior can undermine simple static or hash-based controls.
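The correlation and tuning points above can be exercised with a small stage-correlation routine. This is an added example, not Glexia, MITRE or vendor code: it assumes an upstream normalisation layer (EDR or SIEM rules) has already tagged each event with a stage label (discovery, service_change, registry_change, shell_exec, script_exec, mass_file_mod), and the hosts, users, events and the change ticket are all constructed. It raises one alert only when discovery is followed, inside a 30-minute window, by at least two distinct preparation stages and then mass file modification, and it drops events covered by a change ticket so routine administration on a known asset does not fire.

```python
"""Correlate discrete stage-tagged events into one ransomware-progression alert.

Added example, not MITRE or vendor code.  The stage labels are assumed to come
from an upstream normalisation layer (EDR/SIEM rules that already tag an
event as discovery, service_change, registry_change, shell_exec, script_exec
or mass_file_mod); the events, hosts, users and change ticket are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = "discovery"
PREP_STAGES = {"service_change", "registry_change", "shell_exec", "script_exec"}
IMPACT = "mass_file_mod"
WINDOW = timedelta(minutes=30)  # discovery-to-impact window to correlate over

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def covered_by_ticket(ev, tickets):
    """True when a change ticket authorises this host/user at this time."""
    ts = parse_ts(ev["ts"])
    return any(t["host"] == ev["host"] and t["user"] == ev["user"]
               and parse_ts(t["start"]) <= ts <= parse_ts(t["end"])
               for t in tickets)

def correlate(events, change_tickets=(), asset_roles=None):
    """Return one alert per host whose events show discovery, then at least
    two distinct preparation stages, then mass file modification, all inside
    WINDOW.  Ticketed events are dropped first so routine administration on a
    known asset does not fire; the asset role is attached for triage."""
    asset_roles = asset_roles or {}
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not covered_by_ticket(ev, change_tickets):
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["stage"] != DISCOVERY:
                continue
            t0 = parse_ts(start["ts"])
            window = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= WINDOW]
            prep = {e["stage"] for e in window if e["stage"] in PREP_STAGES}
            if len(prep) >= 2 and any(e["stage"] == IMPACT for e in window):
                alerts.append({
                    "host": host,
                    "user": start["user"],
                    "asset_role": asset_roles.get(host, "unknown"),
                    "first_seen": start["ts"],
                    "stages": [DISCOVERY] + sorted(prep) + [IMPACT],
                    "evidence": [e["detail"] for e in window],
                })
                break  # one alert per host; later events join the same case
    return alerts

# Constructed sample data (not real telemetry).
ASSET_ROLES = {"WS-042": "workstation", "SRV-BACKUP-01": "backup server"}
CHANGE_TICKETS = [{"id": "CHG-0042", "host": "SRV-BACKUP-01", "user": "backupadmin",
                   "start": "2024-05-01T09:00:00", "end": "2024-05-01T10:00:00"}]
SAMPLE_EVENTS = [
    # WS-042: the progression the detection direction describes
    {"ts": "2024-05-01T09:00:00", "host": "WS-042", "user": "jdoe", "stage": "discovery",
     "detail": "systeminfo.exe and volume enumeration"},
    {"ts": "2024-05-01T09:02:10", "host": "WS-042", "user": "jdoe", "stage": "registry_change",
     "detail": "safe-mode run key modified"},
    {"ts": "2024-05-01T09:03:40", "host": "WS-042", "user": "jdoe", "stage": "service_change",
     "detail": "service FAX deleted and recreated"},
    {"ts": "2024-05-01T09:05:00", "host": "WS-042", "user": "jdoe", "stage": "shell_exec",
     "detail": "cmd.exe launched vssadmin.exe"},
    {"ts": "2024-05-01T09:11:30", "host": "WS-042", "user": "jdoe", "stage": "mass_file_mod",
     "detail": "4120 files renamed to .basta in 60 s"},
    # SRV-BACKUP-01: the same shape, but inside change ticket CHG-0042
    {"ts": "2024-05-01T09:10:00", "host": "SRV-BACKUP-01", "user": "backupadmin",
     "stage": "discovery", "detail": "systeminfo.exe"},
    {"ts": "2024-05-01T09:12:00", "host": "SRV-BACKUP-01", "user": "backupadmin",
     "stage": "service_change", "detail": "service BackupAgent reinstalled"},
    {"ts": "2024-05-01T09:15:00", "host": "SRV-BACKUP-01", "user": "backupadmin",
     "stage": "registry_change", "detail": "agent configuration key updated"},
    {"ts": "2024-05-01T09:20:00", "host": "SRV-BACKUP-01", "user": "backupadmin",
     "stage": "mass_file_mod", "detail": "backup job rewrote 9000 catalog files"},
    # WS-007: discovery and a script, nothing further
    {"ts": "2024-05-01T09:30:00", "host": "WS-007", "user": "asmith", "stage": "discovery",
     "detail": "LDAP query for workstations"},
    {"ts": "2024-05-01T09:31:00", "host": "WS-007", "user": "asmith", "stage": "script_exec",
     "detail": "PowerShell inventory script"},
]

def run_sample():
    return correlate(SAMPLE_EVENTS, CHANGE_TICKETS, ASSET_ROLES)

if __name__ == "__main__":
    for a in run_sample():
        print(a["host"], a["asset_role"], a["stages"])
```

Run with the ticket list and only WS-042 alerts; run `correlate(SAMPLE_EVENTS, (), ASSET_ROLES)` and the backup server alerts as well, which is the false-positive case the tuning bullet warns about. The window and the "two preparation stages" threshold are the knobs to adjust per environment.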
Mitigation priorities
- Strengthen backup and recovery resilience first: maintain tested, protected recovery paths for Windows and ESXi systems and monitor for recovery inhibition.
- Harden and monitor administrative execution paths including PowerShell, cmd, WMI, Windows services, registry modification, and ESXi management access.
- Reduce exposure to user-driven execution by reinforcing attachment/file handling controls and user reporting workflows for suspicious files and social engineering.
- Apply least privilege and administrative separation so service creation, registry modification, ESXi administration, and backup changes require appropriate authorization.
- Maintain ransomware incident response playbooks that cover double extortion, sensitive-data assessment, legal/compliance evidence preservation, executive communications, and restoration sequencing.
Analyst notes and limits
ATT&CK links Storm-1811 to Black Basta ransomware deployment and notes social-engineering mechanisms involving spam overload and fake help-desk interaction. That relationship supports validating help-desk, identity, and user-reporting processes as part of readiness, but the core S1070 object itself is malware-focused and does not provide a complete intrusion chain.
This take is limited to the supplied ATT&CK S1070 fields, external references, and relationships. MITRE provides no official detection text and no object-level tactics for Black Basta. Local conclusions about exposure, active exploitation, attribution, or detection coverage require environment-specific telemetry and incident evidence.
Black Basta
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1490 | Inhibit System Recovery | Black Basta can delete shadow copies using vssadmin.exe. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022; Trend Micro Black Basta May 2022; Avertium Black Basta June 2022; NCC Group Black Basta June 2022; Deep Instinct Black Basta August 2022; Palo Alto Networks Black Basta August 2022; Trend Micro Black Basta Spotlight September 2022; Check Point Black Basta October 2022] |
| Enterprise | T1082 | System Information Discovery | Black Basta can collect system boot configuration and CPU information. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | The Black Basta dropper has been digitally signed with a certificate issued by Akeo Consulting for legitimate executables used for creating bootable USB drives. [Check Point Black Basta October 2022] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Black Basta can make a random number of calls to the `kernel32.beep` function to hinder log analysis. [Check Point Black Basta October 2022] |
| Enterprise | T1491.001 | Internal Defacement (sub-technique) | Black Basta has set the desktop wallpaper on victims' machines to display a ransom note. [Minerva Labs Black Basta May 2022; BlackBerry Black Basta May 2022; Cyble Black Basta May 2022; Trend Micro Black Basta May 2022; Avertium Black Basta June 2022; NCC Group Black Basta June 2022; Deep Instinct Black Basta August 2022; Palo Alto Networks Black Basta August 2022; Check Point Black Basta October 2022] |
| Enterprise | T1018 | Remote System Discovery | Black Basta can use LDAP queries to connect to AD and iterate over connected workstations. [Check Point Black Basta October 2022] |
| Enterprise | T1112 | Modify Registry | Black Basta has modified the Registry to enable itself to run in safe mode, to change the icons and file extensions for encrypted files, and to add the malware path for persistence. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022; Trend Micro Black Basta May 2022; NCC Group Black Basta June 2022; Deep Instinct Black Basta August 2022; Palo Alto Networks Black Basta August 2022] |
| Enterprise | T1083 | File and Directory Discovery | Black Basta can enumerate specific files for encryption. [Cyble Black Basta May 2022; Avertium Black Basta June 2022; NCC Group Black Basta June 2022; Uptycs Black Basta ESXi June 2022; Deep Instinct Black Basta August 2022; Palo Alto Networks Black Basta August 2022; Trend Micro Black Basta Spotlight September 2022; Check Point Black Basta October 2022] |
| Enterprise | T1486 | Data Encrypted for Impact | Black Basta can encrypt files with the ChaCha20 cipher, using a multithreaded process to increase speed. [Minerva Labs Black Basta May 2022; BlackBerry Black Basta May 2022; Cyble Black Basta May 2022; NCC Group Black Basta June 2022; Uptycs Black Basta ESXi June 2022; Deep Instinct Black Basta August 2022; Palo Alto Networks Black Basta August 2022; Trend Micro Black Basta Spotlight September 2022; Check Point Black Basta October 2022] Black Basta has also encrypted files while the victim system is in safe mode, appending `.basta` upon completion. [Trend Micro Black Basta May 2022] |
| Enterprise | T1622 | Debugger Evasion | The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present. [Check Point Black Basta October 2022] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Black Basta has been downloaded and executed from malicious Excel files. [Trend Micro Black Basta May 2022; Trend Micro Black Basta Spotlight September 2022] |
| Enterprise | T1222.002 | Linux and Mac Permissions (sub-technique) | The Black Basta binary can use `chmod` to gain full permissions to targeted files. [Uptycs Black Basta ESXi June 2022] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Black Basta can use `cmd.exe` to enable shadow copy deletion. [Deep Instinct Black Basta August 2022] |
| Enterprise | T1007 | System Service Discovery | Black Basta can check whether the service name `FAX` is present. [Cyble Black Basta May 2022] |
| Enterprise | T1680 | Local Storage Discovery | Black Basta can enumerate volumes. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022] |
| Enterprise | T1497.001 | System Checks (sub-technique) | Black Basta can check system flags and libraries, process timing, and APIs to detect code emulation or sandboxing. [Palo Alto Networks Black Basta August 2022; Check Point Black Basta October 2022] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Black Basta has used PowerShell scripts for discovery and to execute files over the network. [Trend Micro Black Basta May 2022; Trend Micro Black Basta Spotlight September 2022; NCC Group Black Basta June 2022] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | Black Basta can create a new service to establish persistence. [Minerva Labs Black Basta May 2022; Avertium Black Basta June 2022] |
| Enterprise | T1047 | Windows Management Instrumentation | Black Basta has used WMI to execute files over the network. [NCC Group Black Basta June 2022] |
| Enterprise | T1688 | Safe Mode Boot | Black Basta can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022; Trend Micro Black Basta May 2022; Avertium Black Basta June 2022; Palo Alto Networks Black Basta August 2022] |
| Enterprise | T1027.001 | Binary Padding (sub-technique) | Black Basta has added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload. [Check Point Black Basta October 2022] |
| Enterprise | T1106 | Native API | Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022; Avertium Black Basta June 2022; Check Point Black Basta October 2022; Trend Micro Black Basta May 2022] |
| Enterprise | T1529 | System Shutdown/Reboot | Black Basta has used `ShellExecuteA` to shut down and restart the victim system. [Trend Micro Black Basta May 2022] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | The Black Basta dropper has mimicked an application for creating bootable USB drives. [Check Point Black Basta October 2022] |
| Enterprise | T1480.002 | Mutual Exclusion (sub-technique) | Black Basta will check for the presence of a hard-coded mutex `dsajdhas.0` before executing. [Deep Instinct Black Basta August 2022] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | Black Basta has established persistence by creating a new service named `FAX` after deleting the legitimate service by the same name. [Minerva Labs Black Basta May 2022; Cyble Black Basta May 2022; Trend Micro Black Basta May 2022] |
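Several rows in the table name concrete artifacts a detection engineer can key on (vssadmin.exe shadow copy deletion, `bcdedit /set safeboot network`, a service named `FAX`, the `.basta` extension, `chmod` on an ESXi host, the `dsajdhas.0` mutex, WMI remote execution). The following routine maps normalised telemetry back onto those table rows so a hunt can report which procedures a host has already exhibited. It is an added example, not Glexia, MITRE or vendor code: the event schema (`kind`, `host`, `image`, `cmdline`, `action`, `name`, `path`, `host_os`) is assumed, every sample event is constructed, and the indicators are deliberately restricted to strings the procedure text itself gives.

```python
"""Map normalised endpoint telemetry onto the Black Basta procedures from the
ATT&CK table.  Added example, not MITRE or vendor code: the event schema
(kind/host/image/cmdline/...) is assumed and every event below is constructed.
Indicators are limited to strings the procedure text names (vssadmin.exe,
bcdedit safeboot, the FAX service, .basta, chmod on ESXi, the mutex, WMI)."""
from collections import defaultdict

def _img(ev):
    # basename of the executing image, case-folded, for Windows and ESXi paths
    return ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()

def _cmd(ev):
    return ev.get("cmdline", "").lower()

# (technique IDs emitted, label, predicate).  One procedure can map to more
# than one table row, e.g. the FAX service covers persistence and masquerade.
RULES = [
    (("T1490",), "shadow copy deletion via vssadmin.exe",
     lambda ev: ev["kind"] == "process" and _img(ev) == "vssadmin.exe"
                and "delete" in _cmd(ev) and "shadows" in _cmd(ev)),
    (("T1688",), "safe mode boot via bcdedit /set safeboot",
     lambda ev: ev["kind"] == "process" and _img(ev) == "bcdedit.exe"
                and "safeboot" in _cmd(ev)),
    (("T1543.003", "T1036.004"), "service named FAX (re)created",
     lambda ev: ev["kind"] == "service" and ev["action"] == "create"
                and ev["name"].upper() == "FAX"),
    (("T1486",), ".basta extension appended to a file",
     lambda ev: ev["kind"] == "file" and ev["action"] == "rename"
                and ev["path"].lower().endswith(".basta")),
    (("T1222.002",), "chmod on an ESXi host",
     lambda ev: ev["kind"] == "process" and ev.get("host_os") == "esxi"
                and _img(ev) == "chmod"),
    (("T1480.002",), "hard-coded mutex dsajdhas.0",
     lambda ev: ev["kind"] == "mutex" and ev["name"] == "dsajdhas.0"),
    (("T1047",), "WMI remote process creation",
     lambda ev: ev["kind"] == "process" and _img(ev) == "wmic.exe"
                and "/node:" in _cmd(ev) and "process call create" in _cmd(ev)),
]

def classify(ev):
    """Technique hits for one event as a list of (ids, label)."""
    return [(ids, label) for ids, label, pred in RULES if pred(ev)]

def scan(events):
    """Return {host: sorted technique IDs} for a batch of events so an analyst
    can see which table rows a host has already touched."""
    hits = defaultdict(set)
    for ev in events:
        for ids, _label in classify(ev):
            hits[ev["host"]].update(ids)
    return {host: sorted(ids) for host, ids in hits.items()}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS-042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows"},
    {"kind": "process", "host": "WS-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set safeboot network"},
    {"kind": "service", "host": "WS-042", "action": "create", "name": "FAX"},
    {"kind": "mutex", "host": "WS-042", "name": "dsajdhas.0"},
    {"kind": "file", "host": "WS-042", "action": "rename",
     "path": r"C:\Users\jdoe\Documents\q3-forecast.xlsx.basta"},
    {"kind": "process", "host": "WS-042", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"kind": "process", "host": "ESX-01", "host_os": "esxi", "image": "/bin/chmod",
     "cmdline": "chmod 777 /vmfs/volumes/datastore1/vm01/vm01.vmdk"},
    {"kind": "process", "host": "SRV-01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r"wmic /node:WS-042 process call create C:\temp\update.exe"},
    {"kind": "service", "host": "SRV-01", "action": "create", "name": "BackupAgent"},
]

if __name__ == "__main__":
    for host, ids in scan(SAMPLE_EVENTS).items():
        print(host, ids)
```

The per-event hits are intentionally narrow and should feed the stage correlation rather than page on their own: `bcdedit`, `chmod` and WMI remote execution are routine in IT operations, and the table's more generic rows (PowerShell, Native API, System Information Discovery) are left unmapped here because a string match on them would fire on ordinary administration.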
Groups, software, and campaigns
G1046: Storm-1811
Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 866178ff7606… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Networks Black Basta August 2022: Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
- [2] Deep Instinct Black Basta August 2022: Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
- [3] Minerva Labs Black Basta May 2022: Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
- [4] Avertium Black Basta June 2022: Avertium. (2022, June 1). An In-Depth Look at Black Basta Ransomware. Retrieved March 7, 2023.
- [5] NCC Group Black Basta June 2022: Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
- [6] Cyble Black Basta May 2022: Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024.
- [7] mitre-attack S1070
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.