FBI warns Black Basta ransomware impacted over 500 organizations worldwide

Initially, Black Basta affiliates broke into organizations with spear-phishing emails that delivered a trojan or backdoor through malicious attachments or links. Spear phishing remains one of the most common ways to deploy malware and is used by nearly every cybercriminal gang.

Another method is to buy access from so-called initial access brokers or malware distribution platforms. One such platform is the long-running Qakbot (Qbot) botnet, which has been used by Black Basta and, before it, by Conti.

“Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709,” the FBI and its partners said in the joint advisory. “In some instances, affiliates have been observed abusing valid credentials.”

Black Basta’s goal is to gain admin credentials

Following initial access, Black Basta affiliates deploy a variety of built-in system tools and dual-use programs to escalate privileges and then move laterally to other systems on the network, with the goal of compromising a domain controller and obtaining administrative credentials.

Those credentials then allow them to push the ransomware to as many computers on the network as possible using the standard management tools and application deployment mechanisms of Windows networks.

Tools the FBI observed Black Basta affiliates using include the SoftPerfect network scanner (netscan.exe) for network discovery, as well as reconnaissance tools whose file names include "Intel" or "Dell" and which are saved in the root of the C: drive.
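As an added illustration (not part of the advisory or this article), here is a small Python hunt over constructed process-creation events that flags the two indicators just described: netscan.exe anywhere, and vendor-lookalike names (Intel, Dell) executing from a drive root. The event format and every sample path are assumptions made for the example; real vendor software under Program Files is deliberately left unflagged.

```python
import re
from typing import Optional

# Constructed sample process-creation events, in the shape that Sysmon Event ID 1
# or EDR telemetry would carry; these are not real data from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "image": r"C:\netscan.exe"},
    {"host": "ws02", "image": r"C:\Intel.exe"},
    {"host": "ws02", "image": r"C:\Program Files\Intel\Driver\IntelService.exe"},
    {"host": "ws03", "image": r"C:\DellUpdate.exe"},
    {"host": "ws03", "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
]

# A path that sits directly under a drive root (e.g. C:\foo.exe) with no subfolder.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")
# Dual-use scanner named in the advisory; legitimate admins use it too, so this is
# a triage lead rather than a verdict.
KNOWN_TOOLS = {"netscan.exe"}
# Vendor-like name fragments the advisory says the recon tools were given.
LOOKALIKE_FRAGMENTS = ("intel", "dell")


def classify(image: str) -> Optional[str]:
    """Return a reason string if the image path matches the advisory's pattern, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_TOOLS:
        return f"known recon tool {name}"
    # Vendor-looking names are only suspicious when they run from a drive root; the
    # genuine vendor software lives under Program Files and is not flagged.
    if DRIVE_ROOT.match(image) and any(frag in name for frag in LOOKALIKE_FRAGMENTS):
        return f"vendor-lookalike binary in drive root: {name}"
    return None


def hunt(events):
    """Return (host, image, reason) for every event that matches a pattern."""
    findings = []
    for ev in events:
        reason = classify(ev["image"])
        if reason:
            findings.append((ev["host"], ev["image"], reason))
    return findings


if __name__ == "__main__":
    for host, image, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {reason}")
```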
