Black Basta

Also known as: Storm-1811, Cardinal

Overview

Ransomware group believed to include former Conti members. Known for using Microsoft Teams social engineering and Quick Assist for initial access. Targets large enterprises.

MITRE ATT&CK Coverage

Recon

Res Dev

Init Access

Execution

Persistence

Priv Esc

Def Evasion

Cred Access

Discovery

Lat Move

Collection

Exfil

Impact

3 of 14 tactics observed

Raw TTPs

Teams Social EngineeringQuick Assist AbuseRansomwareDouble ExtortionQakbot Distribution

Related Intelligence (2)

HIGHRansomwareExploited

Black Basta Ransomware Pivots to Microsoft Teams Social Engineering

Black Basta affiliates using Microsoft Teams messages and Quick Assist for initial access, bypassing email security controls entirely.

Microsoft Teams

Mar 18, 2026Microsoft Threat Intelligence

MEDIUMRansomware

Black Basta Internal Chat Logs Leaked — Reveal Operations and Targets

Leaked internal communications from Black Basta ransomware group reveal operational structure, target selection process, and connections to former Conti members.

N/A

Mar 4, 2026Prodaft / VX-Underground