What defenders are learning from Black Basta’s leaked chat logs – CyberScoop
Black Basta’s internal chat logs, which were leaked earlier this month, are providing defenders with actionable intelligence on the ransomware group’s operations, cybercrime experts told CyberScoop.
Researchers sifting through Black Basta’s exposed communications found details about the group’s preferred tools and techniques, including custom malware loaders, indicators of compromise, cryptocurrency wallets and email addresses associated with the syndicate’s affiliates.
Multiple cybercrime experts likened the significance of the leak to a major exposure of the Conti ransomware group’s internal messages in 2022. Black Basta, which emerged around the same time that year, is an offshoot of Conti.
“We see smaller groups leaked all the time, but for the amount of intelligence that we’re going to gather, nothing other than Conti compares to this,” Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.
Threat intelligence researchers have loaded the leaked Black Basta messages into generative AI platforms to quickly analyze the data and make it available for hunting activities. Thomas Roccia, a senior security researcher at Microsoft working independently through the data, found nearly 200,000 Russian-language messages spanning a one-year period ending in September 2024.
Roccia extracted potential indicators of compromise, including IP addresses, domains, credentials and file names mentioned in Black Basta affiliate chats. Other researchers compiled information about how the group gained initial access to victim environments and evaded detection.
“Defenders can examine the threat actor’s tactics, techniques and procedures in relation to their threat models,” Halit Alptekin, chief intelligence officer at Prodaft, said in an email. “This also gives them an opportunity to gain insights into cybercriminal activities from the attacker’s perspective.”
While the most actionable intelligence is likely contained in indicators of compromise found in the chat logs, much of that infrastructure will quickly become obsolete as Black Basta affiliates shut systems down, Alptekin said.
“From a threat intelligence and law enforcement perspective, these types of leaks are incredibly valuable. They provide insights into the services the group uses, their tactics, techniques and procedures, internal relationships between threat actors, operational workflows, and communication methods,” Alptekin said. “This kind of intelligence is crucial for disrupting cybercriminal networks and understanding their evolving strategies.”
Black Basta’s inner workings reveal a cybercrime group rife with internal conflicts. Yet, the notorious ransomware-as-a-service group’s affiliates have wreaked havoc on organizations globally.
Over a two-year period, the ransomware variant was used to encrypt and steal data from at least 12 of the 16 critical infrastructure sectors, impacting more than 500 organizations, according to the Cybersecurity and Infrastructure Security Agency.
The group pulled in at least $107 million in ransom payments by late 2023, research from Elliptic and Corvus Insurance found.
The Black Basta leak followed a decrease in activities earlier this year, which was caused by key members defecting to other cybercriminal operations, like the Cactus ransomware group, according to Alptekin. “This exposure has further destabilized the group and impacted trust among its members,” he said.
Rapid7 observed a resurgence of social engineering attacks linked to Black Basta operators in early October, but the group has been largely inactive this year.
The intelligence gathered from other ransomware groups’ previously leaked chats, including those associated with Conti’s operations, have exposed information about infrastructure, commands and illicit services used in their operations, according to Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group.
“Defenders can then use this information to prioritize their detection and hunting efforts,” Stark said in an email. The messages can also support researchers’ attribution efforts by revealing transaction artifacts, the organization’s hierarchy, relationships between cybercriminals and the roles they serve, she added.
The Conti chat leak “revealed who developed specific malware families, the location of certain threat actors, and information suggesting that the subset of the activity was not financially motivated and could instead reflect a possible association with Russian intelligence apparatus,” Stark said.
Additionally, Black Basta’s internal communications reflect cybercriminals’ tendency to overshare and boast among co-conspirators.
“If there’s one thing about the ransomware groups, they’re a chatty bunch,” Liska said. “For being super master criminals, they’re not good at keeping their mouths shut.”
The post What defenders are learning from Black Basta’s leaked chat logs appeared first on CyberScoop.
–
Read More – CyberScoop
