CISA - AA24-131A #StopRansomware: Black Basta

Low
Published: Fri May 10 2024 (05/10/2024, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: white

Description

CISA - AA24-131A #StopRansomware: Black Basta

AI-Powered Analysis

Last updated: 06/27/2025, 11:36:19 UTC

Technical Analysis

Black Basta is a ransomware threat characterized by its use of multiple attack techniques to gain initial access, evade defenses, and cause significant impact through data encryption and the inhibition of system recovery. Initial access methods include phishing campaigns (T1566) and the use of valid accounts (T1078), which let attackers infiltrate networks by tricking users or by using compromised credentials. Once inside, the malware employs defense evasion tactics such as disabling or modifying security tools (T1562.001) to avoid detection and prolong its presence. The ransomware then encrypts data to disrupt business operations (T1486) and inhibits system recovery mechanisms (T1490), preventing victims from restoring their systems without paying a ransom. Although no specific affected software versions or patches are noted, the threat is persistent and ongoing, as indicated by its perpetual lifetime tag. The severity is currently rated as low by the source, but the combination of attack patterns suggests a potentially impactful ransomware campaign. No known exploits in the wild or CVSS score are provided, but the tactics align with sophisticated ransomware operations that can cause substantial operational and financial damage.

Potential Impact

For European organizations, Black Basta ransomware poses a significant risk to operational continuity, data confidentiality, and integrity. The use of phishing and valid credentials as entry points means that organizations with large user bases or insufficient credential hygiene are particularly vulnerable. Once inside, the disabling of defense tools can lead to prolonged undetected presence, increasing the potential damage. The encryption of critical data and inhibition of recovery processes can halt business operations, leading to financial losses, reputational damage, and regulatory consequences, especially under GDPR requirements for data protection and breach notification. Sectors such as healthcare, finance, manufacturing, and critical infrastructure in Europe could face severe disruptions. The low severity rating may reflect current observed activity levels or limited scope, but the potential for escalation remains, especially if attackers refine their techniques or target high-value entities.

Mitigation Recommendations

European organizations should implement targeted measures beyond generic advice:

1) Enhance phishing resilience through continuous, context-specific user training and simulated phishing exercises tailored to local languages and cultural contexts.
2) Enforce strict credential management policies, including multi-factor authentication (MFA) on all remote and privileged accounts to mitigate risks from valid account misuse.
3) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting defense evasion behaviors such as tool tampering.
4) Regularly audit and harden security tools to prevent unauthorized modifications, including restricting administrative privileges and employing application whitelisting.
5) Maintain immutable, offline backups with tested recovery procedures to counteract data encryption and recovery inhibition tactics.
6) Implement network segmentation to limit lateral movement if initial access is gained.
7) Monitor for indicators of compromise related to Black Basta TTPs, even though none are currently listed, by leveraging threat intelligence sharing platforms.
8) Establish incident response plans that specifically address ransomware scenarios, including communication strategies compliant with European data protection laws.

Technical Details

Uuid
a9f67dbb-ba26-4635-be1d-0780bc140897
Original Timestamp
1721396492

Indicators of Compromise

Comment

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector. This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Some Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.
(Imported from STIX header description)

Threat ID: 68367c0a182aa0cae2311df0

Added to database: 5/28/2025, 2:59:22 AM

Last enriched: 6/27/2025, 11:36:19 AM

Last updated: 9/28/2025, 10:33:24 AM
