- Recent victims
- Cyberattacks in the press
- Ransomware Groups
- Negotiation Chats
- Ransom Notes
- Statistics
- Victims by country
- Cartography
- About
- Disclamer
- Contact us
| Initial Access (TA0001) | Execution (TA0002) | Persistence (TA0003) | Privilege Escalation (TA0004) |
|---|---|---|---|
|
Phishing: Spear phishing Attachment (T1566.001) Victims receive spear phishing emails with attached malicious zip files - typically password protected. That contains malicious doc including .doc, .pdf, .xls |
System Services: Service Execution (T1569.002) Black Basta has installed and used PsExec to execute payloads on remote hosts. |
Create Account (T1136) Black Basta threat actors created accounts with names such as temp, r, or admin. |
Domain Policy Modification: Group Policy Modification (T1484.001) Black Basta can modify group policy for privilege escalation and defense evasion. |
|
Windows Management Instrumentation (T1047) Utilizes Invoke-TotalExec to push out the ransomware binary. |
Account Manipulation (T1098) Added newly created accounts to the administrators' group to maintain elevated access. |
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) Black Basta used Qakbot, which has the ability to exploit Windows 7 Calculator to execute malicious payloads. |
|
|
Command and Scripting Interpreter: PowerShell (T1059.001) Black Basta has encoded PowerShell scripts to download additional scripts. |
Create or Modify System Process: Windows Service (T1543.003) Creates benign-looking services for the ransomware binary. |
Create or Modify System Process: Windows Service (T1543.003) Creates benign-looking services for the ransomware binary. |
|
|
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) Black Basta used Qakbot, which has the ability to exploit Windows 7 Calculator to execute malicious payloads. |
This information is provided by Crocodyli