New 2025 Cyber Threats: Ex-Black Basta Group Uses Microsoft Teams in Attacks

Explore how new Black Basta hackers exploit MS Teams & Python in stealthy new cyberattacks targeting businesses in 2025.


Monday 16 June, 2025

Black Basta - Cyberware Hub

In 2025, cybercriminals formerly tied to the now-defunct Black Basta ransomware group have resurfaced with a new wave of highly targeted attacks. By exploiting Microsoft Teams for social engineering and deploying Python-based scripts to deliver malicious payloads, these actors blend legitimate tools with covert tactics to infiltrate corporate environments. This marks a troubling shift in ransomware operations, where traditional defenses are bypassed through everyday business platforms.

In this article, we uncover the methods behind these attacks, the tools being weaponized, and the steps organizations should take to protect themselves against this fast-moving threat landscape.

How the Attacks Work: Familiar Tactics, Upgraded Techniques

Cybercriminals with ties to the disbanded Black Basta group are re-emerging with evolved strategies that combine classic social engineering with modern delivery mechanisms. Here's a breakdown of their updated playbook:

  • Email Flooding Followed by Teams Phishing

Attackers begin with mass email spamming to overwhelm inboxes and lower user vigilance. Once attention is diverted, they pivot to phishing through Microsoft Teams, impersonating IT staff to request access or initiate remote support, luring employees into giving up control.

  • Payload Delivery via Python and cURL

Upon gaining a foothold, attackers deploy Python scripts that leverage tools like cURL to silently fetch and execute additional payloads. This method enables backdoor access without triggering many traditional endpoint protections.

  • Use of Legitimate-Looking Domains

Roughly half of the phishing messages are sent from “onmicrosoft.com” subdomains, while others come from compromised legitimate business domains. This tactic helps the attackers blend in with normal enterprise traffic, making detection significantly harder.

  • Remote Access Exploits

Victims are urged to open Quick Assist or AnyDesk sessions under the guise of IT troubleshooting. These sessions allow the threat actors to run malicious scripts, deploy remote access tools (RATs), and establish persistent tunnels back to their infrastructure.

  • Techniques Spreading Across Ransomware Ecosystem

The approach isn’t limited to former Black Basta operators. Similar methods have been adopted by other ransomware-as-a-service (RaaS) groups such as BlackSuit, CACTUS, and BlackLock (previously Eldorado), suggesting a wider evolution across the threat landscape and possible collaboration with, or recruitment of, former Black Basta talent.
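The chain described above (external Teams lure from an onmicrosoft.com subdomain, a Quick Assist or AnyDesk session, then Python spawning cURL) is exactly the kind of sequence behavioral monitoring can catch. The following is an added illustration, not code from the article or from any vendor product: it correlates constructed Teams and endpoint events per host and flags only hosts where all three stages occur in order within a time window. The log format, host names and sender address are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real incident). One Teams chat event
# and several process-creation events, all in a simple key=value form.
SAMPLE_EVENTS = [
    "2025-06-16T09:01:05 host=WS-114 type=teams_msg sender=helpdesk@contoso-it.onmicrosoft.com external=true",
    "2025-06-16T09:04:30 host=WS-114 type=process image=quickassist.exe parent=explorer.exe",
    "2025-06-16T09:07:12 host=WS-114 type=process image=python.exe parent=cmd.exe",
    "2025-06-16T09:07:13 host=WS-114 type=process image=curl.exe parent=python.exe",
    "2025-06-16T10:15:00 host=WS-220 type=process image=curl.exe parent=python.exe",
]

REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}   # remote support tools named in the article
WINDOW = timedelta(minutes=30)                       # assumed correlation window
SEQUENCE = ["lure", "remote", "fetch"]               # the three stages, in order

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def stage(ev):
    """Map an event to a stage of the chain, or None if it is not of interest."""
    if ev.get("type") == "teams_msg" and ev.get("external") == "true" \
            and ev.get("sender", "").lower().endswith(".onmicrosoft.com"):
        return "lure"
    if ev.get("type") == "process":
        image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
        if image in REMOTE_TOOLS:
            return "remote"
        if image == "curl.exe" and parent == "python.exe":
            return "fetch"
    return None

def correlate(lines):
    """Return hosts where lure -> remote tool -> python-spawned curl occurred in order within WINDOW."""
    per_host = defaultdict(list)
    for ev in map(parse, lines):
        s = stage(ev)
        if s:
            per_host[ev["host"]].append((ev["ts"], s))
    hits = []
    for host, events in per_host.items():
        i, start = 0, None
        for ts, s in sorted(events):
            if s == SEQUENCE[i] and (start is None or ts - start <= WINDOW):
                start, i = (start or ts), i + 1
                if i == len(SEQUENCE):
                    hits.append(host)
                    break
    return hits
```

A single python-to-curl event on its own (WS-220 in the sample) is noisy on developer machines, which is why the rule requires the preceding lure and remote-tool stages before alerting.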

Emerging Threats Across the Ransomware Landscape

These findings come alongside a series of alarming developments across the global ransomware ecosystem:

  • Scattered Spider, a financially motivated threat group, has intensified its focus on managed service providers (MSPs) and IT vendors using a "one-to-many" strategy: compromising a single provider to infiltrate multiple downstream clients. In several instances, attackers have used stolen credentials from Tata Consultancy Services (TCS) to gain initial access.

  • The group has also been seen crafting fake login pages using the Evilginx phishing kit to bypass multi-factor authentication (MFA). Scattered Spider has reportedly formed alliances with major ransomware outfits such as ALPHV (BlackCat), RansomHub, and most recently, DragonForce, using SimpleHelp remote desktop software vulnerabilities to launch sophisticated, targeted campaigns against MSPs.

  • The Qilin ransomware group (also known as Agenda or Phantom Mantis) has conducted a coordinated campaign between May and June 2025, targeting multiple organizations by exploiting known Fortinet FortiGate vulnerabilities (including CVE-2024-21762 and CVE-2024-55591) to gain initial access.

  • Meanwhile, the Play ransomware gang (aka Balloonfly or PlayCrypt) is believed to have breached over 900 entities as of May 2025. Their operations have increasingly leveraged SimpleHelp flaws (CVE-2024-57727), particularly targeting U.S.-based organizations following public disclosure of the vulnerability.

  • In an unusual move, the administrator of the VanHelsing ransomware group has publicly leaked the entire ransomware source code on the RAMP cybercrime forum, citing internal disputes among developers. The leak includes the TOR private keys, the full source code, admin panel, chat system, file server, and the group's blog database, according to cybersecurity firm PRODAFT.

  • Lastly, the Interlock ransomware group has been linked to a previously undocumented JavaScript-based remote access trojan called NodeSnake, used in attacks against UK-based local government and higher education institutions in early 2025. Distributed via phishing emails, NodeSnake enables persistent access, system reconnaissance, and remote command execution.

Closing Reflections

The latest attacks attributed to former Black Basta members highlight a concerning shift in the cyber threat landscape. Instead of relying solely on traditional ransomware delivery methods, these attackers are blending into everyday business workflows using tools like Microsoft Teams to socially engineer their way in, and Python scripts to silently execute their objectives.

This evolution demonstrates a growing trend: cybercriminals are prioritizing stealth, trust exploitation, and platform abuse to bypass even well-established defenses. It’s no longer just about brute-force attacks or obvious malware; it’s about subtlety, manipulation, and persistence.

For organizations, this calls for a mindset shift:

  • Security awareness must expand beyond email to include collaboration apps, remote access tools, and internal communication channels.

  • Technical controls like application whitelisting, script execution policies, and behavioral monitoring are critical.

  • Authentication alone isn’t enough - it must be supported by behavioral context and user training.

The threat actors may be familiar, but their playbooks are not. As attackers adapt, so too must defenders. Staying ahead means being proactive, informed, and ready for threats where you least expect them.

Defend smart and stay secure!