BlackBasta

Also known as: GOLD BOMBARD
Affiliation Unknown
Motivation Financial
Status active
Country Unknown
First Seen 2022
Last Seen 2025
Target Geographies North America, Europe, Oceania

Executive Summary

Black Basta (also tracked as GOLD BOMBARD) is a financially motivated ransomware operation that appeared in early 2022, scaled quickly, and has remained one of the most operationally dangerous extortion crews since. Public reporting frequently links the group to the broader Conti-era criminal ecosystem, but the safest current framing is a Russian-speaking ransomware operation with strong ecosystem overlap rather than a fully proven successor organization. Black Basta targets large enterprises across manufacturing, healthcare, transportation, and critical infrastructure, using the double-extortion model: data is stolen first, then encrypted, and the threat of publication on the group's leak site is used to pressure payment even where backups allow recovery.

Notable Campaigns

  • American Dental Association (ADA) Compromise: Among the group’s early high-profile victims, Black Basta hit the ADA in 2022, disrupting downstream dental practices and leaking internal data after extortion failed.
  • Capita PLC Disruption: In 2023, Black Basta operators severely disrupted Capita, a major UK outsourcing firm supporting public-sector and critical-service contracts, while stealing sensitive pension and personnel data.
  • Ascension Healthcare Attack (2024): Security reporting and the timing of the May 2024 joint government advisory associate Black Basta with the 2024 Ascension healthcare incident, but public attribution remains reported as assessed or suspected rather than officially confirmed.

Technical Capabilities

Black Basta leverages an ecosystem of established initial access brokers. Historically, the operation relied heavily on Qakbot-enabled intrusions; after the August 2023 law enforcement disruption of Qakbot it adapted by using alternative loaders, social engineering, and purchased access. Once inside a network, operators move quickly with Cobalt Strike and common administrative tooling such as PsExec and WMI. Public reporting, including the May 2024 joint CISA/FBI advisory, documents privilege escalation through well-known, long-patched Windows flaws such as PrintNightmare (CVE-2021-34527), ZeroLogon (CVE-2020-1472) and NoPac (CVE-2021-42278/CVE-2021-42287), followed by rapid lateral movement consistent with high-tempo ransomware deployment. The practical implication is that patch status on domain controllers and print spoolers, plus alerting on PsExec service installs and remote WMI process creation, closes much of this group's observed post-exploitation path.

Attribution

Black Basta operates as a financially motivated, affiliate-based ransomware-as-a-service operation rather than a single monolithic team. While definitive geographic attribution remains limited, U.S. government reporting (notably the May 2024 joint CISA/FBI advisory AA24-131A) and private-sector reporting consistently describe the operators as Russian-speaking and note strong operational overlap with former Conti personnel and infrastructure. That overlap is historically important, but it is still better framed as ecosystem continuity than as a completely settled one-to-one successor claim.

MITRE ATT&CK Profile

Initial Access: Valid accounts (T1078), phishing (T1566) and Qakbot-enabled access chains, exploitation of public-facing applications (T1190), and social engineering all appear in public reporting on Black Basta intrusions.

Execution: PowerShell (T1059.001), PsExec (T1569.002), WMI (T1047), and other Windows administration tooling are used to move quickly from foothold to domain-wide deployment.

Impact: Data encryption (T1486), shadow copy deletion (T1490, typically via vssadmin or wmic shadowcopy), and double-extortion publication on the group's leak site are central parts of the operating model; exfiltration precedes encryption, so the first sign of impact is often outbound data volume rather than encrypted files.
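The detection logic below is an added example (not code from the original page, the referenced advisory, or any vendor) that turns the tooling named in the Technical Capabilities section and the ATT&CK profile above into rules run over endpoint telemetry: shadow copy deletion (T1490), remote WMI process creation (T1047), the PsExec service install (T1569.002), and encoded PowerShell (T1059.001). The log lines, host names, and the JSON field layout (one Sysmon Event ID 1 or System Event ID 7045 record per line) are constructed for illustration and are assumptions about the logging pipeline.

```python
"""Rules for the Black Basta post-exploitation TTPs listed in this profile.

Added example, not code from the original page or any vendor. The log lines,
host names and the JSON field layout (Sysmon Event ID 1 process creation and
System Event ID 7045 service installation, one JSON object per line) are
constructed for illustration and are assumptions about the pipeline.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK ID the rule maps to
    event_id: int       # event type the rule applies to
    field: str          # log field holding the string to inspect
    pattern: re.Pattern


RULES = [
    # T1490: the two built-in ways to wipe Volume Shadow Copies
    Rule("vssadmin_delete_shadows", "T1490", 1, "CommandLine",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("wmic_shadowcopy_delete", "T1490", 1, "CommandLine",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    # T1047: WMI used to spawn a process on a remote host
    Rule("wmic_remote_process_create", "T1047", 1, "CommandLine",
         re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    # T1569.002: PsExec drops and registers its service binary on the target
    Rule("psexec_service_install", "T1569.002", 7045, "ImagePath",
         re.compile(r"\\PSEXESVC\.exe\s*$", re.I)),
    # T1059.001: Base64-encoded PowerShell command lines
    Rule("encoded_powershell", "T1059.001", 1, "CommandLine",
         re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
]


def detect(lines):
    """Return (rule name, technique, host) for every rule that fires on a line."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the pipeline
        for rule in RULES:
            if event.get("EventID") != rule.event_id:
                continue
            value = event.get(rule.field, "")
            if isinstance(value, str) and rule.pattern.search(value):
                hits.append((rule.name, rule.technique, event.get("Computer", "?")))
    return hits


def techniques_by_host(hits):
    """Collapse hits into {host: sorted techniques}. A host showing both a
    lateral-movement technique and T1490 is the pre-encryption signal."""
    seen = defaultdict(set)
    for _, technique, host in hits:
        seen[host].add(technique)
    return {host: sorted(t) for host, t in seen.items()}


# Constructed sample events (not real telemetry). The last line is deliberately
# malformed to show the parser skipping it.
SAMPLE_LOGS = [
    r'{"EventID": 1, "Computer": "FS-01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}',
    r'{"EventID": 1, "Computer": "FS-01", "CommandLine": "wmic shadowcopy delete"}',
    r'{"EventID": 1, "Computer": "JUMP-02", "CommandLine": "wmic /node:FS-01 process call create \"cmd.exe /c start.bat\""}',
    r'{"EventID": 7045, "Computer": "FS-01", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}',
    r'{"EventID": 1, "Computer": "WS-17", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}',
    r'{"EventID": 1, "Computer": "WS-17", "CommandLine": "vssadmin.exe list shadows"}',
    r'{"EventID": 7045, "Computer": "WS-17", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe"}',
    "not json at all",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for hit in hits:
        print(hit)
    print(techniques_by_host(hits))
```

Running the block on the constructed sample fires five rules and leaves the benign `vssadmin list shadows` and the vendor service install alone; FS-01 surfaces with both T1569.002 and T1490, which is the combination worth paging on. In production the same rules belong in Sigma or your SIEM's native rule language, and the PsExec rule should also watch for renamed service binaries, since operators can rename PSEXESVC with the `-r` switch.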

Sources & References