Black Basta Ransomware – Threat Intelligence

Based on our profiling analysis, while the site operators appear to be Ukrainian the platform is open to any affiliate for a fee or as the industry states “Ransomware as a Service”, RaaS. The negotiation/chat site requires a unique key that is left with the ransom notes on the victims machines. They encrypt both LINUX and Windows systems.

In all matters CYPFER handled, where payment was completed the threat actors delivered on their promises providing a decryptor and any other deliverables which were agreed to.

This is where we have to CAUTION any company impacted by this variant as follows:

1. Decryption is only at BEST around 75-80% effective. This is a very low effectiveness rate.
2. The encryption technology is SLOW and does not handle large files especially HIGH VALUE files like virtual disk such as VMDK or VHD files
3. Under NO CIRCUMSTANCES should you shut-down your systems unless the encryption did not start or you are -certain- that viable backups exist. If you do, you are likely going to corrupt the files which will render your virtual machines in an inconsistent state and likely unrecoverable. The Threat actors so called “after payment support” will not be useful.
4. Always backup your encrypted files before running the decryptor, this will at least enable you to re-try if the decryptor fails.

Black Basta appears to encrypt files in segments rather than encrypting the whole file, this is likely done to speed up encryption, but also appears to corrupt files more frequently than other variants.

Black Basta in over 95% of cases have always exfiltrated/stolen data from the victim machines. In all matters that we have handled the amount of stolen information was significantly more than 200GB of data. On some matters, that data can be used to restore some operational capability if payment is made.

Where payment is not made, in all matters where data was stolen, Black Basta published the victim company name and data.

SUMMARY:
DECRYPTION: Black Basta decryptor is 78% (on average) effective in decrypting files. Speed of decryption is dependent upon a number of factors including hardware capabilities and size of encrypted files. Decryptors are offered for a variety of operating systems including Windows and Linux. Speed of decryptor is MEDIUM and it is incredible INEFFECTIVE on large files.

RECOVERY and REMEDIATION: CYPFER’s post breach recovery teams have worked a number of Black Basta matters, and recovery of an environment while it depends on impact, hardware capacity and available resources will typically take 5-15 business days. In certain cases, file header information might be rebuilt. However, Black Basta matters are typically more complex as the reliability of the decryptor is considered very low.

COST: Black basta typically demand anywhere from $53 Million USD for large organizations to $100,000 for much smaller victim organizations. Average demand is $800,000 USD.

NEW DEVELOPMENT: Black Basta may provide a free decryptor if critical infrastructure, health or school are impacted.

Related Insights

View All Insights Btn-arrowIcon for btn-arrow

Your Complete Cyber Security Partner:
Every Step, Every Threat.

At CYPFER, we don’t just protect your business—we become part of it.

As an extension of your team, our sole focus is on cyber security, ensuring your peace of mind. From incident response and ransomware recovery to digital forensics and cyber risk, we integrate seamlessly with your operations. We’re with you 24×7, ready to tackle threats head-on and prevent future ones.

Choose CYPFER, and experience unmatched dedication and expertise. Trust us to keep your business secure and resilient at every turn.

Team of professionals working collaboratively at a desk, focusing on laptops and business tasks in a modern office setting

Get Cyber Certainty™ Today

We’re here to keep the heartbeat of your business running, safe from the threat of cyber attacks. Wherever and whatever your circumstances.

Contact CYPFER Btn-arrowIcon for btn-arrow