
LevelBlue
LevelBlue MDR Guide Against Black Basta Attacks
Pages
24
Time to read
32 mins
Publication
Language
English

This document is a technical report detailing the LevelBlue Managed Detection and Response (MDR) team's observations and recommendations regarding attacks attributed to the Black Basta ransomware group. It outlines a series of intrusion attempts and successful breaches observed between December 2024 and February 2025, emphasizing the tactics, techniques, and procedures used by threat actors. The report provides a comprehensive analysis of how attackers gain initial access through social engineering tactics, including email bombardment and impersonation via Microsoft Teams. It describes the use of Microsoft Quick Assist to establish remote access and outlines the subsequent steps taken by attackers to maintain persistence on compromised systems. Additionally, the report offers specific recommendations for organizations to enhance their security posture, such as restricting Microsoft Teams communications, removing unnecessary applications, and educating users on recognizing potential threats. Indicators of compromise are also documented to assist in identifying similar attacks.