
Black Basta Pivots to Cactus Ransomware Group


Jasper_The_Rasper
Moderator

The future of the formerly fearsome cybercriminal group remains uncertain as key members have moved to a new affiliation, in fresh attacks that use novel persistence malware BackConnect.

 

March 5, 2025 By Elizabeth Montalbano
 

After an attack hiatus and signs of infighting within the ranks of the Black Basta ransomware group, some of its key members appear to have shifted to new malware in a fresh attack wave, under the guise of another threat group called Cactus.

Since the start of the year, Trend Micro researchers observed separate Black Basta and Cactus ransomware attacks that shared similar tactics, techniques, and procedures (TTPs) and also leveraged a new malware called BackConnect for achieving persistence in victim environments, according to a blog post published on March 3.

These similarities signal a "shift in affiliations among certain threat actors associated with Black Basta," with evidence suggesting that key members have transitioned to the Cactus ransomware group.

 

