Ransomware Leak Sites


Active Since

April 2022

Total Victims as of January 2024


Known Forum Aliases


Active Forum Accounts


Top Targeted Geographies

US, Germany, UK

BlackBasta is a ransomware operation that is notable for its high volume of attacks, use of custom tools, and suspected links to cybercriminal group FIN7.

The group is thought to be calculated and selective in its targeting of large organizations, likely contributing to its accrual of over $100 million in ransom payments since its inception in 2022.

There is some evidence that the operators and affiliates of BlackBasta may be former members of previous ransomware operations, specifically Conti, including similarities in leak site and victim recovery portals. The group takes a muted approach to dark web communications, with only one instance of a suspected BlackBasta persona posting on cybercrime forums offering payment for access to corporate networks in its first month of activity.

In May 2024 the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Cybersecurity Advisory (CSA) BlackBasta, warning that the group has encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors in the US alone. This advisory coincided with reports of a novel social engineering campaign linked to BlackBasta operators, in which threat actors combine spam emails and calls to trick targeted users at an organization into providing remote access to their computer. 

The Beacon Newsletter

Get news, insights & intelligence straight to your inbox