
CISA - AA24-131A #StopRansomware: Black Basta

Low
Published: Fri May 10 2024 (05/10/2024, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: white

Description

CISA - AA24-131A #StopRansomware: Black Basta

AI-Powered Analysis

Last updated: 06/27/2025, 11:36:19 UTC

Technical Analysis

Black Basta is a ransomware threat whose operators combine several techniques to gain initial access, evade defenses, and cause impact through data encryption and the inhibition of system recovery. Initial access comes through phishing campaigns (T1566) and valid accounts (T1078): attackers either trick users or reuse compromised credentials to enter the network. Once inside, they disable or modify security tools (T1562.001) to avoid detection and prolong their presence. The ransomware then encrypts data to disrupt business operations (T1486) and inhibits system recovery mechanisms (T1490), so that victims cannot restore their systems without paying a ransom. No specific affected software versions or patches are noted; the threat is persistent and ongoing, as indicated by its perpetual lifetime tag. The source currently rates the severity as low, but the combination of attack patterns points to a potentially impactful ransomware campaign. No known exploits in the wild or CVSS score are provided, but the tactics align with sophisticated ransomware operations capable of causing substantial operational and financial damage.

Potential Impact

For European organizations, Black Basta ransomware poses a significant risk to operational continuity, data confidentiality, and integrity. The use of phishing and valid credentials as entry points means that organizations with large user bases or insufficient credential hygiene are particularly vulnerable. Once inside, the disabling of defense tools can lead to prolonged undetected presence, increasing the potential damage. The encryption of critical data and inhibition of recovery processes can halt business operations, leading to financial losses, reputational damage, and regulatory consequences, especially under GDPR requirements for data protection and breach notification. Sectors such as healthcare, finance, manufacturing, and critical infrastructure in Europe could face severe disruptions. The low severity rating may reflect current observed activity levels or limited scope, but the potential for escalation remains, especially if attackers refine their techniques or target high-value entities.

Mitigation Recommendations

European organizations should implement targeted measures beyond generic advice:

1. Enhance phishing resilience through continuous, context-specific user training and simulated phishing exercises tailored to local languages and cultural contexts.
2. Enforce strict credential management policies, including multi-factor authentication (MFA) on all remote and privileged accounts, to mitigate risks from valid account misuse.
3. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting defense evasion behaviors such as tool tampering.
4. Regularly audit and harden security tools to prevent unauthorized modifications, including restricting administrative privileges and employing application whitelisting.
5. Maintain immutable, offline backups with tested recovery procedures to counteract data encryption and recovery inhibition tactics.
6. Implement network segmentation to limit lateral movement if initial access is gained.
7. Monitor for indicators of compromise related to Black Basta TTPs, even though none are currently listed, by leveraging threat intelligence sharing platforms.
8. Establish incident response plans that specifically address ransomware scenarios, including communication strategies compliant with European data protection laws.
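Recommendation 7 (monitoring for Black Basta indicators) is the step that turns the IoC tables further down this page into detections. The script below is an added example, not code from the CISA advisory or from the feed that produced this page: it takes a small subset of the page's own domain, IP, hash and file-name indicators, parses constructed DNS, connection and process log lines in an assumed "timestamp kind key=value ..." format, and reports every match. Domain matching walks label boundaries rather than doing a substring search, so the long generated subdomains under realbumblebee.net and blocktoday.net that appear in the URL table are caught by their parent domain while look-alike names are not; hashes are compared case-insensitively.

```python
"""Match DNS, connection and process telemetry against Black Basta IoCs.

Added example, not code from the CISA advisory or from the feed that produced
this page. The IoC values below are a subset copied from the tables on this
page; the log lines and their 'ts kind key=value ...' format are constructed
for the demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Subset of the page's IoCs. Domains are matched on any parent label boundary
# so the long generated subdomains seen in the URL IoCs (for example
# fy9.<hex>.<hex>.dns.realbumblebee.net) are caught by their parent domain.
IOC_DOMAINS = {"realbumblebee.net", "blocktoday.net", "specialdrills.com",
               "literoved.ru", "winklen.ch"}
IOC_IPS = {"83.243.40.10", "88.198.198.90", "185.220.101.149"}
IOC_HASHES = {  # one MD5 and one SHA-256 from the Hash table, lower-case
    "b3fe23dd4701ed00d79c03043b0b952e",
    "b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9",
}
IOC_FILENAMES = {"minipath.exe", "updatereminder.exe"}  # from the File table

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse 'ts kind k=v k=v ...' (assumed format) into a field dict."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) < 2:
        return {}
    fields = {"ts": parts[0], "kind": parts[1]}
    if len(parts) == 3:
        for key, value in KV_RE.findall(parts[2]):
            fields[key] = value.strip('"')
    return fields


def domain_hit(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or sits under, else None.

    Matching walks label boundaries, so 'notrealbumblebee.net' does not
    match 'realbumblebee.net' the way a naive substring check would.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def check_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ioc_type, ioc_value) pairs that one parsed event matches."""
    hits: List[Tuple[str, str]] = []
    if "query" in event:
        matched = domain_hit(event["query"])
        if matched:
            hits.append(("domain", matched))
    for key in ("src", "dst"):
        if event.get(key) in IOC_IPS:
            hits.append(("ip", event[key]))
    for key in ("md5", "sha1", "sha256"):
        digest = event.get(key, "").lower()
        if digest in IOC_HASHES:
            hits.append(("hash", digest))
    if "image" in event:
        # basename of a Windows or POSIX path, compared case-insensitively
        name = re.split(r"[\\/]", event["image"])[-1].lower()
        if name in IOC_FILENAMES:
            hits.append(("filename", name))
    return hits


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the parser and matcher; return alert records."""
    alerts = []
    for line in lines:
        event = parse_log_line(line)
        for ioc_type, value in check_event(event):
            alerts.append({"ts": event["ts"], "kind": event["kind"],
                           "ioc_type": ioc_type, "ioc": value})
    return alerts


# Constructed sample telemetry: one DNS-tunnelling-style lookup, one benign
# lookup, one outbound connection, two process starts and one look-alike name.
SAMPLE_LOGS = [
    "2024-05-10T09:14:02Z dns src=10.20.4.17 query=fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee.net",
    "2024-05-10T09:14:03Z dns src=10.20.4.17 query=login.microsoftonline.com",
    "2024-05-10T09:15:40Z conn src=10.20.4.17 dst=83.243.40.10 dport=443",
    '2024-05-10T09:16:11Z proc host=WS-017 image="C:\\Users\\j.doe\\AppData\\Local\\Temp\\minipath.exe" sha256=B32DAF27AA392D26BDF5FAAFBAAE6B21CD6C918D461FF59F548A73D447A96DD9',
    '2024-05-10T09:16:12Z proc host=WS-017 image="C:\\Windows\\System32\\notepad.exe" sha256=0000000000000000000000000000000000000000000000000000000000000000',
    "2024-05-10T09:17:00Z dns src=10.20.4.18 query=notrealbumblebee.net",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

Run as-is, it prints four alerts (a domain, an IP, a hash and a file-name hit); the benign lookup, the unknown binary and the look-alike domain produce nothing. To use it against real telemetry, replace the IoC sets with the full tables from this page and adapt parse_log_line to the log format your sensors emit; file-name matches are weak indicators on their own and are best treated as a trigger for hash or behavioural confirmation rather than as an alert by themselves.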


Technical Details

Uuid: a9f67dbb-ba26-4635-be1d-0780bc140897
Original Timestamp: 1721396492

Indicators of Compromise

Comment

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector. This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Some Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Description: Imported from STIX header description

Url

fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee.net
nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday.net
fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee.net

Domain

literoved.ru
winklen.ch
xkpal.1a4a64b6.dns.blocktoday.net
nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills.com
blocktoday.net
xkpal.d6597fa.dns.blocktoday.net
my.2a91c002002.588027fa.dns.realbumblebee.net
dns.artspathgroupe.net
dns.trailshop.net
0gpw.588027fa.dns.realbumblebee.net
artspathgroupe.net
thetrailbig.net
rasapool.net
specialdrills.com
thesmartcloudusa.com
tomlawcenter.com
limitedtoday.com
realbumblebee.net
kekeoamigo.com
recentbee.net
myfinancialexperts.com
childrensdolls.com
buyblocknow.com
artspathgroup.net
trailshop.net
webnubee.com
investrealtydom.net
magentoengineers.com
nebraska-lawyers.com
adslsdfdsfmo.world
consulheartinc.com
businessprofessionalllc.com
otxcosmeticscare.com
otxcarecosmetics.com
artstrailman.com
ontexcare.com
securecloudmanage.com
startupbuss.com
oneblackwood.com
recentbeelive.com
trailcosolutions.com
onedogsclub.com
trailcocompany.com
artstrailreviews.com
wipresolutions.com
trackgroup.net
modernbeem.net
currentbee.net
buygreenstudio.com
topglobaltv.com
usaglobalnews.com
startupmartec.net
startupbusiness24.net
jenshol.com
simorten.com
investmentgblog.net
protectionek.com
technologgies.com
unougn.com
getfnewsolutions.com
withclier.com
bluenetworking.net
erihudeg.com
seohomee.com
allcompanycenter.com
taskthebox.net
getfnewssolutions.com
softradar.net
businesforhome.com
gartenlofti.com
karmafisker.com
cloudworldst.net
monitor-websystem.net
prettyanimals.net
startuptechnologyw.net
trailgroupl.net
monitorsystem.net
ionoslaba.com
stockinvestlab.net
airbusco.net
jessvisser.com
maluisepaul.com
mytrailinvest.net
garbagemoval.com
constrtionfirst.com
wardeli.com
caspercan.com
masterunix.net
brendonline.com
septcntr.com
unitedfrom.com
kolinileas.com
animalsfast.net
auuditoe.com
investmentrealtyhp.net
clearsystemwo.net
audsystemecll.net
welausystem.net
treeauwin.net
reelsysmoona.net
investmendvisor.net
wellsystemte.net
steamteamdev.net
startupbizaud.net
xserver.jp

Hash

(32 hex characters: MD5; 40: SHA-1; 64: SHA-256)

b3fe23dd4701ed00d79c03043b0b952e
2642ec377c0cee3235571832cb472870
4c897334e6391e7a2fa3cbcbf773d5a4
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc
b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd24
f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f061
8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6
034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79
d503090431fdd99c9df3451d9b73c5737c79eda6eb80c148b8dc71e84623401f
c26a5cb62a78c467cc6b6867c7093fbb7b1a96d92121d4d6c3f0557ef9c881e0
819cb9bcf62be7666db5666a693524070b0df589c58309b067191b30480b0c3a
4ac69411ed124da06ad66ee8bfbcea2f593b5b199a2c38496e1ee24f9d04f34a
3a8fc07cadc08eeb8be342452636a754158403c3d4ebff379a4ae66f8298d9a6
808c96cb90b7de7792a827c6946ff48123802959635a23bf9d98478ae6a259f9
3c65da7f7bfdaf9acc6445abbedd9c4e927d37bb9e3629f34afc338058680407
d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e
1bf171b1f388691c3985df6fb6c3f0d1
fdb92fac37232790839163a3cae5f37372db7235
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298
6441d7260944bcedc5958c5c8a05d16d
46257982840493eca90e051ff1749e7040895584
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
b365faebaf416681b5f376c8aa4f4470
591d363928f0d5f4629196d60fd899469267da09
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f
a292fee8d8db83711e72c06d6f82562d
82f88c1af036181ee4e92a2f9338c152d1ff0c58
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415
bc95f228b11fa3b4e91c30d98f9f3bff
25ce6c74a6f39289717522cad5eacdf5b9f4bae8
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3
e83d6092439a90af2b4b1db2ad3a9c5a
4da6fef533b37a12ed1e357df66802de29c1ab5c
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e
0bf7bc20496143a9f028e77ab47b4698
aa54013aeb502b4a936331deb76a6411f1f1ade7
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd
afa27795c0c86b6afeb138d0fb09506b
d32e44f7e04a8c84e7159ed020dcf26b6e51416e
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799
59db7bd22d4ec503b768ece646205c27
ff57cda4829978d8b6f7f1f31356f291b37acaa6
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757
c115bbbdb1a61f8c553d74802bfd78fb
1f439569e3c1c14ea9f02235f8f45c49e2764160
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc
7688c1b7a1124c1cd9413f4b535b2f44
8ccac360e2ca37b2fa9f5fa81b22114fb8936120
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be
53fdeb923b1890d29b8f29da77995938
a996ccd0d58125bf299e89f4c03ff37afdab33fc
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e
3f400f30415941348af21d515a2fc6a3
bd0bf9c987288ca434221d7d81c54a47e913600a
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
267d5c3137d313ce1a86c2f255a835e6
c7a37c0edeffd23777cca44f9b49076be1bd43e6
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90

Ip

83.243.40.10
88.198.198.90
183.181.86.147
80.239.207.200
155.138.246.122
46.8.10.134
188.130.137.181
188.130.218.39
5.183.130.92
107.189.30.69
185.7.214.79
46.8.16.77
5.78.115.67
185.219.221.136
95.181.173.227
64.176.219.106
116.203.186.178
46.161.27.151
185.220.101.149
185.220.100.240

Ssdeep

196608:puRTOvaeQyt37NKNGZH5c4Eo8qqBNoNdRn+ILwIjKek529:p4TheZaGZZc4Eoko0IcIRkA9
24576:1p2gwjk6ikYhJ9lvGnYZvy48/V33ck7LnBAyldFu8hod/Qodly:1AgxkmvGnYWccjBAwFadRd
24576:wjlZDq1Een/s9NUuKF+gEn7gKheviz6GYtVb9BXpV7wldFu8hod/Qodly:wjlreiUuKFS70A059/V7GFadRd
12288:RcOlvT7Zom3rITxaVDrd5vUa69Ghj91nlQocyW7/P6E4kKjqnes9PBVW/g:RDJJDbcJ90jtH0bP6ELVne2
24576:llm7yYs6kQ2WxeisU09E3b6E/IwU5jjpBAPy:B6YWxG9E3b6Nz5jjpBGy
24576:zvA0H/qL9fu4c8JZHSE6biXLemW34Mi+4LKH:UHL9fu4hSLbiXLer4MD4WH
12288:bO+sm75a7DI9Mv53VI/XfaUs442JbV24chSS1i2wZbDFMMWzVFq:rh75a7M9S3VYa4npY4cFM2MWhY
24576:pyAo7FAIP03acBtXWKe25ep59MxQU08wHG3MJAQof1hB:Lo7ARBtmKe28MSU08wHaM6Qo1hB
12288:lMJYSP5VV3VG7rYyPT+p/VYXMJ8oD536bGIqs7GBvw0QygfmHp:lMVj3IXYETQV1XD5VIZ7GOg1J
12288:trkm8R9qXgmj3d7khtgfpedbKbiTuDZWhswtik5j2w+f:2Ujt7+twpedbKb1dWhse9K
6144:OUjqtclKpiqKLICZM5cUq29shXs6u7ulx97Z52Gd:fqt4KoVkCm9oV
12288:M1DTMHixr1moQqUiXINDl/m1s6BQio67VlAU:AzmoQqUiXw2s6yiVxR
12288:TFx0B/O7JxPzW9JPlHKtxYRkG7zLfpXE6SbJ:Rx7zW9JPlGskG1v
12288:aEky5bwpy02iRaeXCP2CIcdoKAXMr+Mr+kJZ4:j02iRaeHPcdo18rTrf6

File

723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
minipath.exe
UpdateReminder.exe
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc
c:windowssystem32mrpy2bfa7.dll; 96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e; ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e.bin
3f400f30415941348af21d515a2fc6a3; 5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90.bin
AA24-131A.stix_.xml

Size in bytes

1499648
209170
556576
576512

Text

STIX 1.1

Threat ID: 68367c0a182aa0cae2311df0

Added to database: 5/28/2025, 2:59:22 AM

Last enriched: 6/27/2025, 11:36:19 AM

Last updated: 8/5/2025, 2:52:28 AM

Views: 11
