Security researchers have observed a trend in tactics, techniques and procedures that may link the ransomware gang to Russian-backed threat actors.
Analysts at cyberthreat intelligence firm RedSense have observed a shift in the BlackBasta ransomware gang’s tactics that could suggest links between the criminal extortion operation and Russian state-backed threat actors.
BlackBasta is one of several ransomware operations that have emerged following the dramatic dissolution of Conti ransomware amid opposition to Russia’s 2022 invasion of Ukraine.
However, while many spinoff groups continued to use Conti’s advanced social engineering techniques, BlackBasta relied almost entirely on botnets to launch large-scale attacks rather than the more carefully targeted campaigns of other post-Conti groups.
Even when a US-led law enforcement coalition disrupted BlackBasta’s favored botnet, QBot, in August 2023, the gang was able to quickly transition to the DarkGate botnet. Nonetheless, according to RedSense, this still put BlackBasta behind schedule in its planned operations, which is when it began to change tactics.
In October 2023, DarkGate itself began to expand its tactics. While it was still taking advantage of malicious PDF files to distribute malware, its loader began targeting Skype and Microsoft Teams.
“Targeting Microsoft Teams was precisely the tactic BlackBasta would favor a year later, in October 2024,” RedSense analysts said in a November 21 blog post.
“The 2023 TrendMicro study concluded that by moving to trusted communications platforms, DarkGate exploited routine channels, thereby amplifying its potential to circumvent detection and integrate into organizational systems. This is the same conclusion noted by ReliaQuest, which discovered BlackBasta’s latest round of MS Teams targeting in 2024.”
In early 2024, BlackBasta began communicating with other post-Conti groups, employing a “third-party broadcast specialist” known to work in this sector of the cybercriminal community. At the time, many groups, such as Royal and INC Ransom, began impersonating Cisco, Citrix, and Fortinet in order to gain initial access via social engineering.
In May, BlackBasta followed suit, creating an identity for itself as a fictitious cybersecurity company and began attempting to convince its victims that they had suffered a cybersecurity incident.
“Under this pretext, the operator would ask victims to install remote access software like Zoho, AnyDesk or Atera and then proceed to distract the victim,” RedSense said.
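The pretext described above ends with the victim installing a remote-access tool at the caller's request. The following is an added detection example written for this article; it is not code from RedSense's report and does not describe BlackBasta tooling. It assumes process-creation telemetry (in the style of Sysmon Event ID 1) has already been collected as JSON lines, that the organisation keeps a list of remote-access tools it sanctions, and that the executable names in the signature table are the ones the vendors commonly ship (an assumption to verify against your own software inventory). The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Flag launches of remote-access tools that are either not approved or were
started interactively (by a user from a browser, chat client or shell) rather
than by a managed deployment. Added example; event format and sample data are
constructed, not vendor telemetry."""
import json
from pathlib import PureWindowsPath

# Executable names for the tools named in the report plus a few common RMM
# agents. Assumption: these are the filenames the vendors commonly ship;
# confirm against your own inventory before relying on them.
REMOTE_TOOL_SIGNATURES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "agentpackagenetframework.exe": "Atera",
    "zaservice.exe": "Zoho Assist",
    "za_connect.exe": "Zoho Assist",
    "teamviewer.exe": "TeamViewer",
    "quickassist.exe": "Quick Assist",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Parent processes that indicate a person clicked or typed something, as
# opposed to an installer pushed by management tooling running as a service.
INTERACTIVE_PARENTS = {
    "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "teams.exe", "ms-teams.exe", "outlook.exe", "powershell.exe", "cmd.exe",
}


def classify_event(event, approved_tools):
    """Return a finding dict for a suspicious remote-tool launch, else None.

    A tool that is approved AND launched non-interactively is treated as a
    sanctioned deployment. Anything else involving a remote tool is flagged.
    """
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    tool = REMOTE_TOOL_SIGNATURES.get(image)
    if tool is None:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    interactive = parent in INTERACTIVE_PARENTS
    if tool in approved_tools and not interactive:
        return None
    unapproved = tool not in approved_tools
    return {
        "host": event.get("Computer"),
        "user": event.get("User"),
        "tool": tool,
        "image": event.get("Image"),
        "parent": parent,
        "severity": "high" if unapproved else "medium",
        "reason": ("unapproved remote-access tool" if unapproved
                   else "approved tool launched interactively, not by deployment"),
    }


def scan(log_lines, approved_tools):
    """Run classify_event over JSON lines and collect findings in log order."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_event(json.loads(line), approved_tools)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (raw string so the JSON keeps its escaped backslashes).
SAMPLE_LOG = r"""
{"Computer": "WS-ALICE", "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"Computer": "WS-BOB", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-CAROL", "User": "CORP\\carol", "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS-DAVE", "User": "CORP\\dave", "Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS-ERIN", "User": "CORP\\erin", "Image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
"""

if __name__ == "__main__":
    # Hypothetical policy: only ScreenConnect is sanctioned on these hosts.
    for finding in scan(SAMPLE_LOG.splitlines(), {"ScreenConnect"}):
        print(f'{finding["severity"]:6} {finding["host"]:9} {finding["user"]:20} '
              f'{finding["tool"]:13} parent={finding["parent"]}  {finding["reason"]}')
```

The parent-process heuristic is what separates a help-desk-style pretext from a legitimate rollout: a sanctioned agent pushed by management software is started by a service, while a victim following a caller's instructions launches the installer from a browser download, a chat client or Explorer. Tune INTERACTIVE_PARENTS and the approved list to your environment, and treat the signature table as a starting point rather than an exhaustive catalogue.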
The gang still relied on botnets to distribute malware, but by October it had begun targeting Microsoft Teams, following a broader trend among Russian-speaking threat actors, particularly those with links to state-based advanced persistent threat groups.
Russia’s APT Midnight Blizzard (also known as Cozy Bear, Nobelium and APT29, and linked to the Russian Foreign Intelligence Service by US and Dutch intelligence agencies) launched a campaign focused on Microsoft Teams in May 2023, in much the same way BlackBasta would in 2024. This was around the same time that BlackBasta began targeting a British defense contractor.
Soon after, methods for taking advantage of security weaknesses in Teams also began circulating on the Russian-language RAMP hacking forum, and several other malicious actors began targeting Teams. Eventually, in October 2023, the DarkGate botnet operation also jumped on the Teams bandwagon, and in 2024, so did BlackBasta.
“BlackBasta’s evolution in malware delivery shows a distinct shift from a purely botnet-based approach to a hybrid model incorporating social engineering,” RedSense said.
“By 2024, BlackBasta’s diffusion model increasingly reflected advanced social engineering tactics seen even in nation-state APTs.
“This development demonstrates BlackBasta’s deliberate progression from opportunistic attacks toward long-term strategic planning.”
You can read the full RedSense report here.