Black Basta Ransomware IoC Investigation and Expansion | WhoisXML API

Threat Reports

Black Basta Ransomware DNS Investigation Led to OneNote and Courier Impersonation

Black Basta has become alarming as a ransomware group that uses double extortion and can turn off endpoint detection and response (EDR) solutions.

Security teams and companies are putting much weight into detecting Black Basta ransomware, including ExtraHop1 which released a detailed demonstration on how to detect the ransomware. For our part, WhoisXML API researchers investigated IoCs2,3 related to the threat, where we collected WHOIS- and DNS-related contextual information. Among our key findings are:

  • Nearly 1,000 domains sharing the IoC domains’ name servers and WHOIS data
  • More than a dozen domains hosted on the IoCs’ IP hosts
  • Several connected domains were malicious, including those imitating OneNote and courier services
  • 14% of courier-related domains shared a malicious artifact’s name servers, also flagged as malicious 

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.extrahop.com/company/blog/2023/detecting-black-basta-ransomware-with-extrahop-ndr/ 
  • [2] https://documents.trendmicro.com/assets/txt/IOCs_BlackBasta_Spotlight-1gMstIg.txt 
  • [3] https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
Try our WhoisXML API for free
Get started