Internal chat logs containing over 200,000 messages between the Black Basta ransomware as a service (RaaS) group recently surfaced on the end-to-end encrypted Telegram messaging service. The logs span just a year from September 2023 and were originally leaked on February 11th via the MEGA.nz file transfer service as a 50 Mb JSON file by the user ExploitWhispers. This was then taken down, without any reason given, only for them to reemerge on Telegram.
In a reversal of the February 2022 leak of the Conti ransomware gang’s chat logs, which a member leaked because they were disgruntled by the group’s pledge to support Russia after its invasion of Ukraine, the internal feud inside Black Basta was sparked by the group targeting Russian banks.
Some of the chat logs reveal topics that will be familiar to many: complaining about the failings of co-workers, complaining about the level of compensation, and moaning about their managers. Underneath this daily banter, however, they provide an insight into the tradecraft, motivations, and mentality of a criminal enterprise focused on cyber extortion.
Key takeaways from the leaks
- Like many ransomware gangs, they exploit vulnerabilities as an initial access vector, with a specific interest in Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) services.
- Impressed by the success of the Scattered Spider gang’s use of social engineering, Black Basta emulated the rival gang, including vishing targets while pretending to be from the organisation’s IT department.
- Rather than operating like “spray-and-pray” ransomware gangs that indiscriminately attempt attacks against random targets or industry sectors, Black Basta maintained a database of target organisations to pursue. Black Basta also discussed using online vulnerability mapping services like Shodan and FOFA to passively identify vulnerable targets.
- There appears to be a focus on continual improvement of both Black Basta’s technology and processes, with many discussions of lessons learned from previous attacks and how to make improvements.
- Black Basta members acknowledged that their technical capability was below that of competing ransomware gangs.
- Two gang members, “Tramp” and “Bio,” appear to be former members of the Conti ransomware gang.
A common three-stage attack workflow they use is:
- Deliver a .HTA file, either as a disguised malicious download link delivered via social engineering or disguised inside an e-mail.
- The .HTA file drops a .BAT or .EXE executable, which contacts Black Basta’s Command & Control (C2) server.
- The C2 server serves a .JS file that delivers a further payload, which may be a Remote Access Trojan or ransomware.
Like many other ransomware gangs, Black Basta focuses on maintaining persistence, even after recovery, and on evading endpoint security controls. They have utilised VBS scripts and DLL side-loading via rundll32.exe to stealthily execute payloads, and used SearchProtocolHost.exe to masquerade malicious activity as a legitimate system process.
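As an added illustration (not code from the original post or from the leaked chats), the following Python sketch shows how a defender might flag the three-stage chain and the rundll32.exe and SearchProtocolHost.exe behaviours described above in process-creation telemetry. The field names follow Sysmon Event ID 1 conventions, the events are constructed, and the user-writable-path and SearchIndexer.exe-parent baselines are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Directories a standard user can write to: a DLL loaded by rundll32.exe from
# here is a side-loading heuristic, not proof of compromise (assumed baseline).
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)
DROPPER_EXT = re.compile(r"\.(bat|exe)$", re.I)
DLL_ARG = re.compile(r"([A-Za-z]:\\[^\",]+?\.dll)", re.I)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a detection tag for one process-creation event, or None."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    # Stage 1 -> 2: the HTA host (mshta.exe) dropping and running a .BAT/.EXE
    if parent == "mshta.exe" and DROPPER_EXT.search(ev["Image"]):
        return "hta-dropper"
    # Side-loading: rundll32.exe handed a DLL that lives in a user-writable path
    if image == "rundll32.exe":
        m = DLL_ARG.search(cmd)
        if m and USER_WRITABLE.match(m.group(1)):
            return "rundll32-sideload"
    # Masquerading: SearchProtocolHost.exe normally has SearchIndexer.exe as its
    # parent (assumed baseline); anything else is worth a look
    if image == "searchprotocolhost.exe" and parent != "searchindexer.exe":
        return "searchprotocolhost-masquerade"
    return None

def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (ProcessId, tag) hits in order."""
    return [(ev["ProcessId"], tag) for ev in events if (tag := classify(ev))]

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real data.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.bat", "CommandLine": "invoice.bat"},
    {"ProcessId": "1002", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\helper.dll,Start"},
    {"ProcessId": "1003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": "1004", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\SearchProtocolHost.exe", "CommandLine": "SearchProtocolHost.exe"},
    {"ProcessId": "1005", "ParentImage": r"C:\Windows\System32\SearchIndexer.exe",
     "Image": r"C:\Windows\System32\SearchProtocolHost.exe", "CommandLine": "SearchProtocolHost.exe"},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags events 1001, 1002 and 1004 and leaves the benign rundll32.exe and SearchProtocolHost.exe events alone; in practice the path and parent baselines should be tuned to the environment.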
How you could have used Cohesity against attacks like Black Basta’s
Black Basta may now be defunct, but its members will simply splinter and form new, similar gangs, so organisations need to be resilient.
- Cohesity customers could have used Cohesity DataHawk to hunt for the early stages of a ransomware attack in a way that is not susceptible to Black Basta’s evasion techniques. By utilising a complementary threat intelligence feed of over 117,000 Indicators of Compromise, or leveraging commercial feeds the customer already owns, like those from CrowdStrike, customers can passively hunt for adversaries like Black Basta across their infrastructure from a single console.
- Cohesity DataHawk threat classification would have allowed customers to identify what sensitive and regulated data had been exfiltrated or encrypted, helping them meet their regulatory obligations.
- Cohesity DataProtect’s anomaly detection would have alerted the security operations team when Black Basta’s encryption of systems started. These alerts can be forwarded to a SIEM or SOAR for automation.
- The unmatched speed of Cohesity DataProtect allows time-series snapshots of systems to be rapidly loaded. This would have allowed incident responders to conduct speedy filesystem forensics and store evidence with a strong chain of custody.
- The Cohesity Clean Room solution would have allowed an organisation impacted by Black Basta to rapidly make available all the resources needed to restore response and recovery capability to a trusted state.
- The Cohesity Clean Room solution would also have provided isolated investigation and remediation environments, allowing organisations to be confident that they will not restore vulnerabilities, gaps in controls, and other attack artefacts into production systems where they can cause further downtime.
- Cohesity CyberScan would have allowed victim organisations to identify the vulnerabilities present at the time of Black Basta’s initial access.
Learn more
These leaked internal chats give us a window into the ransomware as a service group’s methods and motivations. Cyberattacks will happen. Resilience, your ability to get your business back up and running, is key. To mitigate cyber threats from ransomware, keep these recommendations from CISA in mind:
- Install updates for operating systems, software, and firmware as soon as they’re released.
- Require phishing-resistant MFA for as many services as possible.
- Train users to recognize and report phishing attempts.
Those interested in a deeper analysis of the Black Basta chat logs can query them using Hudson Rock’s excellent BlackBastaGPT.