Black Basta ransomware: what MSPs need to know

| By:
Bryson Medlock

Your primary focus is always helping your clients manage modern cyberthreats. One such threat that has been making headlines recently is Black Basta ransomware. 

What makes Black Basta ransomware unique is its association with the notorious Black Basta group, a cybercriminal organization responsible for numerous high-profile attacks. In this blog post, we'll do a Black Basta ransomware analysis, detail recent attack instances, and discuss how you can protect clients from this threat. 

What is Black Basta ransomware?

Black Basta ransomware was first identified in early 2022. It’s known for its double extortion tactic, which involves encrypting the victim's files, stealing sensitive data, and threatening to publish it if the victim doesn’t pay a ransom. The ransomware is operated by a Russian-speaking threat group that has experience in ransomware attacks.

Cybercrime experts speculate that Black Basta is an offshoot of the Russian-speaking ransomware-as-a-service group Conti,  or that it is connected to other Russian-speaking cybercriminals. Black Basta shares similar tactics, techniques, and procedures (TTPs) with other ransomware groups, such as BlackMatter, reinforcing the idea that the group is highly experienced.

Black Basta ransomware spreads through phishing emails and exploits software vulnerabilities.  Once it infects a system, it deletes all Volume Shadow Copies, which are backup copies of files on the system. The desktop wallpaper is replaced with a JPG image, and the encrypted files are stored as an ICO file, which is an image file format used for icons in Windows operating systems.

Unlike other ransomware families, Black Basta doesn't skip files with specific extensions. However, the system isn't disabled if critical folders aren't encrypted.

Recent Black Basta ransomware attacks

In recent years, the Black Basta ransomware group has been responsible for several high-profile attacks, targeting companies across several industries. Here are some Black Basta victims list of their recent ransomware attacks.


The Black Basta ransomware group launched a ransomware attack against Capita, a UK-based outsourcing company, in April 2023. Initially, the company downplayed the attack, calling it a "minor security incident." However, it later became clear that the attack involved the deployment of ransomware. 

The Black Basta group confirmed their responsibility for the attack by adding Capita to their list on their darknet website. Despite this, Capita was slow to disclose the full extent of the attack and the consequences. As of April 2023, the company had only acknowledged a "minor leak" and denied any claims of data leaks, despite evidence to the contrary in data samples published by the hackers.

American Dental Association

The American Dental Association (ADA) suffered a cyberattack in April 2022, with the Black Basta ransomware group claiming responsibility for the distributed denial-of-service (DDoS) attacks. The group claimed to have stolen around 9GB of data, with approximately 2.8GB leaked online.

The leaked data included sensitive information such as W2 forms, NDAs, accounting spreadsheets, and information on ADA members. This kind of data leak can be particularly harmful to small dental practices, which often lack dedicated IT personnel and may not have the resources to fully secure their networks.


On July 16, 2022, the Black Basta ransomware group added Knauf to its list of victims, confirming earlier suspicions of threat actor involvement. The group later shared 20% of the stolen data, which included user information, sensitive employee data, ID scans, and product documents. This cyberattack caused significant disruption to Knauf's business operations, forcing the company to shut down all IT systems to contain the incident. 

Tips for protecting your clients against Black Basta ransomware

As Black Basta and other ransomware groups continue to target businesses and organizations worldwide, it’s vital to take measures to protect your clients against these threats. Here are some tips:

  1. Keep your systems up-to-date: To ensure protection against known vulnerabilities, regularly update your operating systems, software, and security applications to protect yourself against known vulnerabilities and potential cyber threats.
  2. Use multi-factor authentication (MFA): Protect systems and data by implementing MFA wherever possible. To gain access to a system or application, users are typically required to provide two or more forms of authentication, such as a password and a biometric factor.
  3. Train employees: Teach end users to recognize phishing emails and other common tactics used by ransomware groups. ConnectWise has several options to help MSPs stay ahead of the landscape, including our cybersecurity glossary, cybersecurity center, and threat reports.
  4. Backup your data: Store your data regularly off-site, such as on an external hard drive kept in a different location or in a secure cloud storage service like Google Drive or Microsoft OneDrive. It allows you to restore your data if your computer is attacked by ransomware.
  5. Use a reputable cybersecurity solution: Consider working with a solutions provider with robust cybersecurity service offerings to help you identify and mitigate potential risks.

It's important to take these steps to protect your clients and their sensitive information from the impact of ransomware attacks. Implementing these best practices will significantly reduce the likelihood of an attack and minimize the potential damage if one does occur.

Remember, cybercriminals are constantly evolving their tactics, so stay vigilant in your cybersecurity efforts.

Safeguard your data from Black Basta ransomware

As ransomware attacks and other malware continue to pose significant threats to businesses, it's important to stay informed and take proactive steps to protect your organization and clients against threats. 

ConnectWise offers a range of solutions to help secure your systems and data. Learn more about our Security Information & Event Management (SIEM) solutions or watch a live demo of our cybersecurity suite today. Don't let cybercriminals take advantage of your business—take action now to stay secure.


A Virtual Private Network (VPN) primarily encrypts your internet connection and helps protect your online privacy, but it may not specifically protect you from ransomware attacks like Black Basta. Ransomware typically enters a system through other means, such as email attachments, malicious websites, or vulnerabilities in software. So, while a VPN can add a layer of security, it is not a comprehensive solution to prevent ransomware attacks.

Black Basta ransomware can encrypt various types of data on infected systems, including documents, images, videos, audio files, databases, and more. Black Basta ransomware can potentially encrypt any file or data that is accessible from the infected system.

In some cases, recovering encrypted files from Black Basta ransomware may be possible without paying the ransom. However, it depends on various factors, such as the encryption method used, the availability of backups, and the extent of the damage. 

It's always recommended to consult with a reputable cybersecurity professional or incident response team to assess the situation and explore potential recovery options.

Using a public Wi-Fi network to download security updates for Black Basta ransomware protection is not recommended. Public Wi-Fi networks can be insecure and may expose your device to potential threats, including ransomware attacks. 

It's best to use a secured and trusted network, such as your home or office network, to download and install security updates to ensure your device's and data's safety.

While having an antivirus program is an essential component of a comprehensive cybersecurity strategy, it may not be sufficient to prevent all ransomware attacks, including those by Black Basta. Ransomware attacks often use sophisticated techniques and may evade detection by traditional antivirus programs. 

It's important to use multiple security measures, such as regular software updates, employee training, backups, and other cybersecurity best practices, in addition to using antivirus software.

To protect against Black Basta ransomware and other evolving threats, it's recommended to update your security software, including antivirus programs and other security tools, as frequently as possible. This includes applying updates and patches to your operating system, web browsers, and other software with vulnerabilities that ransomware attacks could exploit.

As Black Basta ransomware attacks a file, it encrypts the file in different ways based on its size. Full encryption attacks use the ChaCha20 algorithm, which is a type of symmetric encryption algorithm designed to offer high levels of security and performance on various devices. 

Also, the ransomware encrypts the key and nonce with the RSA public key, which is a widely used public key encryption algorithm that uses two keys - a public key and a private key. This ransomware uses a nonce, which is a random or pseudo-random value used only once in cryptographic communication to prevent replay attacks.

During a partial encryption attack, the ransomware encrypts only a portion of the file. It's important to note that the ransomware changes the extension of the encrypted files to .basta in both full and partial encryption attacks.

It's unlikely that data recovery software will be able to recover files encrypted by the Black Basta ransomware. The encryption used by Black Basta is typically powerful, and there is no known method for decrypting files without the decryption key, which the attackers hold. 

Even if you can remove the ransomware from your system, the encrypted files will remain unusable without the key. The best defense against ransomware attacks like Black Basta is to have a solid backup strategy in place to restore your files from a backup if necessary.

Current reports and research suggest that Black Basta ransomware primarily targets Windows-based systems. However, developers can expand their targets to other operating systems with new variants and updates. Thus, it's important for all users to take precautions and implement cybersecurity measures to protect their systems against all cyberthreats.