Security Experts:

Connect with us

Hi, what are you looking for?



New Black Basta Ransomware Possibly Linked to Conti Group

Black Basta ransomware

A new ransomware operation named Black Basta has targeted at least a dozen companies and some researchers believe there may be a connection to the notorious Conti group.

Black Basta ransomware

A new ransomware operation named Black Basta has targeted at least a dozen companies and some researchers believe there may be a connection to the notorious Conti group.

The existence of Black Basta came to light in mid-April, but MalwareHunterTeam researchers spotted a sample apparently compiled in February.

The cybercriminals behind Black Basta use malware to encrypt files on compromised systems, appending the .basta extension to encrypted files. In addition, like many other ransomware groups, they steal large amounts of information from victims in an effort to increase their chances of getting paid.

Cybersecurity firm Minerva has conducted a technical analysis of the Black Basta ransomware and noted that the malware requires administrator privileges to work. The company’s researchers discovered that the malware hijacks the Windows Fax service for persistence on the infected systems.

The Black Basta group has listed roughly a dozen companies on its website, where it names victims that refuse to pay up. The list of victims includes the American Dental Association and German wind turbine giant Deutsche Windtechnik, which recently confirmed the breach, but claimed its wind turbines were never at risk.

The hackers have published more than 100 Gb of data allegedly stolen from Deutsche Windtechnik.

MalwareHunterTeam believes the “Black Basta ransomware gang must have something to do with Conti.” This assumption is based on similarities between their leak sites, their payment sites, and the way their “support” employees talk and behave. Other researchers agree that there are similarities to the Conti operation.

Black Basta and Conti ransomware similarities

In the meantime, the Conti group continues announcing new targets, including government organizations in Peru and Costa Rica.

In fact, Conti ransomware activity has surged in the past weeks, despite the cybercriminals’ operations being exposed by a pro-Ukraine hacktivist.

The hacktivist used a Twitter account named “ContiLeaks” to make available chat logs, credentials, email addresses, C&C server details and even source code from the Conti operations. The leaks came in response to the Conti group expressing its support for the Russian government in its invasion of Ukraine.

While some believed the leaks could hurt Conti operations, Secureworks reported recently that the number of new victims added to Conti’s website in March 2022 exceeded 70, significantly more than the average of 43 victims per month seen in 2021.

Related: Walmart Dissects New ‘Sugar’ Ransomware

Related: Colossus Ransomware Hits Automotive Company in the U.S.

Related: FBI Shares Information on BlackCat Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...