Black Basta Ransomware Uses Phishing Flood to Compromise Orgs

Rapid7 reports an interesting social engineering scheme that easily bypasses content filtering defenses and creatively uses a fake help desk to supposedly “help” users put down the attack.

The Black Basta ransomware group, also covered in a recent CISA warning bulletin, floods a victim’s email inbox with many, many emails. The emails are often otherwise legitimate emails, such as newsletter confirmation emails, which most email content filtering gateways would not block. The ransomware gang then makes contact with the victim, pretends to be the victim’s legitimate IT help desk, and offers help.

That help includes the “help desk’s” need to install legitimate remote management software. The attacker then uses the remote access to install other malware and to compromise other systems. Like most ransomware groups, the end objective often includes encrypted files, operational interruption and exfiltrated data.


Defenses include:

  • Educate your users about these types of tactics.
  • Educate users to report incidents of mass email spam flooding to IT security operations, even if emails appear to be legitimate or are made up of spam versus traditional phishing lures.
  • Ensure all users understand how your IT department would contact them and how remote control assistance would be performed if needed.
  • As Rapid7 recommends, it can’t hurt to blocklist common remote management software services so they cannot be used in unauthorized connections.
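
Because each message in the flood passes content filtering on its own, security operations can watch volume instead: many deliveries to one recipient from many unrelated sender domains in a short window. The sketch below is an added example, not code from Rapid7 or the original post; the log format, thresholds, and all names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own baseline mail volume.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 8         # deliveries to one recipient inside WINDOW
MIN_SENDER_DOMAINS = 6   # distinct sender domains among those deliveries

def build_sample():
    """Constructed delivery log: '<ISO time> <sender> <recipient>' per line."""
    base = datetime(2024, 5, 10, 9, 0, 0)
    lines = []
    for i in range(12):
        # alice: sign-up confirmations from 12 unrelated lists within 2 minutes
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} confirm@list{i}.example alice@corp.example")
        # bob: same burst rate, but one sender (a busy thread, not a flood)
        lines.append(f"{t} tickets@vendor.example bob@corp.example")
        # carol: many different senders, but spread one hour apart
        t = (base + timedelta(hours=i)).isoformat()
        lines.append(f"{t} news@shop{i}.example carol@corp.example")
    return lines

def parse(line):
    ts, sender, rcpt = line.split()
    domain = sender.rsplit("@", 1)[1].lower()
    return datetime.fromisoformat(ts), domain, rcpt.lower()

def detect_floods(lines):
    """Return {recipient: time the flood thresholds were first met}.

    Assumes each recipient's lines arrive in time order."""
    windows = defaultdict(deque)  # recipient -> (time, sender domain) pairs
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, domain, rcpt = parse(line)
        win = windows[rcpt]
        win.append((ts, domain))
        while ts - win[0][0] > WINDOW:   # drop deliveries older than WINDOW
            win.popleft()
        domains = {d for _, d in win}
        if (rcpt not in alerts and len(win) >= MIN_MESSAGES
                and len(domains) >= MIN_SENDER_DOMAINS):
            alerts[rcpt] = ts
    return alerts

if __name__ == "__main__":
    for rcpt, when in detect_floods(build_sample()).items():
        print(f"possible inbox flood: {rcpt} at {when.isoformat()}")
```

An alert like this is also a cue to warn the affected user that any unsolicited "help desk" contact following the flood should be verified through the organization's known support channel.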

Security awareness training includes making all users aware of the many types of social engineering schemes. Black Basta adds one more scenario that users should be aware of.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
