The pecking order of ransomware gangs is always shifting and evolving, with the most aggressive and reckless groups netting big payouts from vulnerable targets—but often ultimately flaming out. Russian-speaking group Black Basta is the latest example of the trend having stalled out in recent months due to takedowns by law enforcement and a damaging leak. But after some quiet weeks, researchers warn that, far from being dead and gone, the actors involved with Black Basta will reemerge in other cybercriminal groups—or potentially already have—to start the cycle once again.
Since appearing in April 2022, Black Basta has generated hundreds of millions of dollars in payments targeting an array of corporate victims in health care, critical infrastructure, and other high-stakes industries. The group uses double extortion to pressure targets into paying a ransom—stealing data and threatening to leak it while also encrypting a target’s systems to hold them hostage. The US Cybersecurity and Infrastructure Security Agency warned last year that Black Basta had gone on a spree targeting more than 500 organizations in North America, Europe, and Australia.
A major international law enforcement takedown in 2023 of the “Qakbot” botnet hindered Black Basta’s operations, though. And, this February, a major leak of the group’s internal data—including chat logs and operational information—rocked the group. Since then, it has gone dormant. Researchers warn, though, that the criminals behind Black Basta are already on the move and are almost certain to stage a resurgence.
“We haven’t seen the leaders of Black Basta regroup, but they’re going to continue to work, they’re going to continue to operate,” says Allan Liska, a threat intelligence analyst focused on ransomware at the security firm Recorded Future. “There’s still too much money in it not to. And ransomware actors are creatures of habit just like anyone.”
The leak revealed details about Black Basta’s malware and technical capabilities, its internal squabbles, and clues about the identity of the actors behind the group, particularly its main administrator. The exposed data was from what might be considered Black Basta’s heyday, September 2023 to September 2024. During this period, the group didn’t shy away from the possibility of causing harm with its breaches. A particularly aggressive attack last year on the St. Louis–based health care network Ascension, for example, reportedly caused disruptions in care, including rerouted ambulances.
Black Basta struggled to maintain its momentum, though, after the 2023 Qakbot takedown, known as Operation Duck Hunt.
“It was a huge blow to them, and they were trying to get back on their feet—use other botnets, work on a custom botnet, but that didn’t really work, and ultimately their infection rate was declining,” says Yelisey Bohuslavskiy, chief research officer of the threat-intelligence firm RedSense. “They had fewer targets and were getting into fewer networks. They were still dangerous, but there was this feeling that there was deterioration going on.”
Even in this decline, there was evidence that Black Basta was trying to mount a resurgence. In addition to exploring new malware, the gang started focusing on compromising targets through social engineering and influence campaigns, particularly spam email operations and tech support scams. But after the leak, Bohuslavskiy says, members began moving to other groups and have already been buoying their new gangs.
Like any industry, the Russian cybercriminal landscape is full of people who have worked together or competed against one another for years. Black Basta was able to establish itself so quickly because many of its members were involved with previous cybercriminal operations, including the longtime cybercriminal gang Conti. Conti is a well-known group because of another internal leak incident in 2022 that exposed its inner workings and ties to the Kremlin. After Conti’s demise, researchers tracked its members as they dispersed and started new hacking groups, including Black Basta.
