The activity level of ransomware groups with "black" in their name has varied greatly over the early months of the new year. Despite the significant increase in attacks caused by the BlackLock ransomware group, the long-established Black Basta ransomware group appears to be about to break up, although it is still posing a persistent cybersecurity threat even so. 

Even though BlackLock was first identified as a ransomware-as-a-service operation in March 2024, the cyber-criminals have been actively targeting multiple platforms in the past few months, including Windows, VMware ESXi, and Linux systems, according to a report by cybersecurity firm ReliaQuest. According to a report by ReliaQuest, BlackLock, also known as El Dorado or Eldorado, utilizes a double-extortion strategy, which involves exfiltration of sensitive data from a victim before the encryption of their computer systems. 

With this approach, threat actors can demand a ransom in addition to the decryption of compromised files to obtain a promise that they will not reveal the stolen data once they have decrypted it. As reported by ReliaQuest, BlackLock has also reported a substantial increase in its activities over the last three months, with its data leak site registering fourteen times as many victims as it did in the previous three months of 2024. In light of this sharp increase, it is evident that BlackLock is becoming a greater threat to organizations, as it continues to expand its operations and refine its extortion tactics, which are becoming increasingly sophisticated. 

To enhance an enterprise's cybersecurity posture, it is crucial to have a thorough understanding of the Black Basta attack methodologies. The Black Basta ransomware group attacks targeted organizations by exploiting known vulnerabilities, system misconfigurations, and inadequate security controls. It has been determined that the group systematically focused on exposed Remote Desktop Protocol servers, weak authentication mechanisms, malware droppers disguised as legitimate files, and exposed RDP servers through analyzing its internal communications. 

In April 2022, blackBasta, a ransomware-as-a-service (RaaS) operation based in Russian, was first discovered. It is safe to say that Black Basta expanded quickly after the dismantling of the Conti ransomware group, taking advantage of the void left behind and including former Conti affiliates in its ranks in an effort to exploit the void left behind. Through this strategic expansion, the group was able to orchestrate attacks against hundreds of organizations throughout the world, establishing itself as an elite cybercriminal organization. 

According to cyber-intelligence firm Prodaft, the group's campaigns have declined steadily over the past couple of months, with its last known operations occurring in December, according to the firm. Since this group was previously one of the most dominant players in the ransomware landscape, it has been the subject of considerable attention within the cybersecurity community during this abrupt downturn in activity. There are numerous sophisticated attack vectors employed by Black Basta to compromise systems, which include the following. 

Among its primary tactics has been scanning for exposed RDP and VPN services around the world. This group frequently takes advantage of the default credentials available for VPN connections, or they use brute-force attacks to establish initial access by exploiting previously compromised credentials. Black Basta is also actively exploiting known Common Vulnerabilities and Exposures (CVEs) in unpatched systems, taking advantage of organizations that are not updated with security patches, or are behind in updating their security systems. 

To make malware deployment much easier, ransomware operators often use MSI (Microsoft Installer) and VBS (Visual Basic Script) malware droppers that deliver malicious payloads discreetly to make malware deployments easier. The majority of these payloads are executed by misusing system utilities such as Rundll32.exe, which can be used to execute harmful DLL files as a result. Additionally, this group focuses on credential harvesting and privilege escalation, which allows them to gain a deeper understanding of a compromised network and to increase their impact.

Black Bastion’s tactics have been evolving over the years and are becoming more persistent. This is why organizations should adopt a proactive cybersecurity strategy, ensuring regular patching, robust authentication protocols, and continuous network monitoring to minimize the risks posed by this malware. There is no denying that the sophistication of malware used by threat actors greatly influences the effectiveness of ransomware operations. 

As a result of developing and maintaining proprietary crypters, prominent ransomware groups like Play, Qilin, and BlackLock have distinguished themselves from the competition. It has been widely believed that leading cybercriminal organizations have used customized crypters to enhance the stealth and operational efficiency of their malware, making security systems more difficult to detect and mitigate. 

A strategic advantage for these organizations is the ability to market their malware as faster and more evasive than the competitors, which will help them attract high-level affiliates. However, other ransomware groups, such as Bl00dy, Dragonforce, and RA World, rely on leaked ransomware builders that were originally developed by Babuk or LockBit. In his opinion, Jim Wilson, a ReliaQuest security analyst, believes such groups are either lacking the technical expertise required to develop proprietary malware or they are not able to afford to pay skilled developers to develop proprietary malware. From a cybersecurity perspective, the reliance on publicly available tools creates opportunities for defenders, as it enables them to analyze code and develop targeted countermeasures based on that analysis. 

Recently, BlackLock has become increasingly popular within cybercriminal forums. Wilson has noted that the group actively recruits affiliates, initial access brokers, and experienced developers through the Ramp forum. The alias "$$$" is used to identify this group as active within the Ramp cybercrime forums. The BlackLock group also frequently recruits "traffers" which are cybercriminals who send victims to malicious websites before passing them off to more experienced operatives for execution. According to incident response firms, ransomware groups typically gain their first access to enterprise networks through phishing campaigns as well as by utilizing remote access tools. 

Cybercriminals often use known software vulnerabilities to attack systems by infiltrating them. Sophisticated ransomware groups are constantly trying to improve their attack strategies through utilizing innovative methods. There was a post made by "$$$" on Ramp on January 28, 2025, in which he asked hackers who had experience exploiting Microsoft's Entra Connect Sync, a software that allows Active Directory to be synchronized with Entra (formerly Azure Active Directory), to be exploited. 

Research published by SpecterOps in December 2024 was referenced as the basis for this request. As part of the research, attackers were able to inject their own Windows Hello for Business (WHFB) key into a victim's account to exploit Entra's synchronization mechanisms. Additionally, cybersecurity expert Garrity noted that Black Basta has demonstrated a proactive approach to vulnerability exploitation. 

The group reportedly discusses new vulnerabilities within days of security advisories being released and, while hesitant, considers purchasing exploits from emerging threat actors. Furthermore, there is evidence suggesting that Black Basta possesses the necessary resources to develop new exploits. Garrity’s analysis of Black Basta’s chat logs indicates a strategic yet opportunistic approach that prioritizes well-known vulnerabilities and high-value targets. 

While the group primarily leverages established exploit frameworks and widely available tools, discussions within their network suggest a potential for new exploit development and tactical evolution. For cybersecurity defenders, the key takeaway is the importance of prioritizing vulnerability remediation through an evidence-based security strategy. Cybersecurity firm Rapid7 has reported that Black Basta has continuously refined its social engineering techniques, incorporating enhanced malware payloads, improved delivery mechanisms, and advanced evasion tactics. 

The group has been observed leveraging Microsoft Teams to impersonate IT personnel, often masquerading as help desk or customer support representatives. Upon engaging a victim, attackers attempt to install remote management tools such as AnyDesk, TeamViewer, or ScreenConnect, deploy malicious QR codes, or establish a reverse shell using OpenSSH. Once access is secured, malware such as Zbot or DarkGate is used to escalate privileges, harvest credentials, and bypass multifactor authentication, ultimately leading to data exfiltration and ransomware deployment. 

A December 2024 attack investigated by ReliaQuest involved a Microsoft lookalike domain sending a flood of phishing emails to employees, followed by direct calls through Teams. Within minutes of gaining access via Quick Assist, the attacker established communication with a command-and-control server and began lateral movement within 48 minutes, successfully exfiltrating data from a manufacturing firm. Despite these ongoing attacks, intelligence from deep and dark web sources suggests that Black Basta’s leadership has exhibited signs of fatigue since mid-2024. 

According to RedSense analyst Bohuslavskiy, key members, including a critical administrator, have reportedly lost interest in ransomware operations, possibly due to prolonged involvement since 2019 or 2020. While the group appears to be scaling down, its infrastructure remains operational, with continued victim negotiations and ransomware deployments. However, declining operational standards have led to increased failures in decryption, rendering attacks even more destructive due to the group's growing negligence.

As well, Cybersecurity expert Garrity noted that Black Basta has been proactive when it comes to exploiting vulnerabilities. It has been reported that the group discusses new vulnerabilities as soon as security advisories are released, and while it is reluctant to buy exploits from emerging threat actors, the group is still considering doing so. Several pieces of evidence suggest that Black Basta possesses the necessary resources to develop new exploits based on evidence. 

According to Garrity's analysis of Black Basta's chat logs, the group takes a strategic yet opportunistic approach, prioritizing well-known vulnerabilities and high-value targets. Although the group primarily relies on established exploit frameworks and readily available tools, discussions within the group suggest that new exploits could be developed and tactically evolved in the future. 

Among the key takeaways for cybersecurity defenders is the importance of prioritizing vulnerability remediation as part of an evidence-based security strategy. According to Rapid7, Black Basta has continuously reworked its social engineering techniques, including enhancing malware payloads, improving delivery mechanisms, and incorporating evasion tactics to make it more effective than before. Observations have indicated that the group uses Microsoft Teams to impersonate IT employees, often masquerading as help desk or customer support representatives. 

As soon as the attacker engages a victim, he or she attempts to install remote management tools such as AnyDesk, TeamViewer, or ScreenConnect to deploy malicious QR codes, or to establish a reverse shell via OpenSSH in the event of an attack. Malware, such as Zbot, DarkGate, and other malicious programs, is then employed to escalate privileges, harvest credentials, and bypass multifactor authentication, resulting in data exfiltration and ransomware deployment. This attack is believed to have been perpetrated by a Microsoft-like domain that sent phishing emails to employees in December 2024, followed by direct calls through Teams. 

After gaining access via Quick Assist in less than five minutes, the attacker established a connection with a command and control server, started moving laterally within 48 minutes, and successfully extracted information from a manufacturing company within 48 minutes. However, information from deep and dark web sources suggests that the leadership of Black Basta has shown signs of fatigue since mid-2024 despite these ongoing attacks. 

It has been reported that RedSense analyst Bohuslavskiy believes key members, including a critical administrator, have lost interest in ransomware operations, possibly due to their prolonged involvement in the ransomware campaign from 2019 or 2020. Although the group appears to be reducing its operations, it has been continuing to negotiate with victims and deploy ransomware, despite its apparent scaling down. It is important to note that while operational standards are decreasing, more and more failures in decryption have arisen during the last few years, which has rendered attacks even more destructive due to the growing negligence of the group.