Chat logs alleged to contain messages exchanged between members of the Black Basta Ransomware-as-a-Service (RaaS) group have resurfaced on Telegram, offering researchers a rare glimpse into the group’s operations. The logs were previously released on the MEGA file-sharing platform but were since removed for unknown reasons. They now seem to have found a home on Telegram.
It’s still unclear who posted the chat logs and why. However, several researchers believe that the leak could have been the work of a disgruntled member who was upset about Russian banks being targeted by the group. Other researchers have noted that the leak is very similar to the one that ultimately led to the collapse of Conti, a now-defunct ransomware group.
Source: Bleeping Computer
Analysis
The Black Basta RaaS operation surfaced in early 2022. It quickly became a major player, suspected of having links to Conti. Black Basta typically targets large enterprises, encrypts systems rapidly, and leaks stolen data to pressure victims into paying. It has been linked to high-profile breaches across multiple sectors, making it a key example of how RaaS models enable rapid growth and sustained attacks.
Regardless of who posted the leaked chats and why, they provide valuable insight into Black Basta’s evolving tactics, techniques, and procedures (TTPs), and shed light on its operational workflow and attack methodologies. Making matters worse for Black Basta, in addition to its chat logs being posted on Telegram, several cybersecurity researchers have uploaded them into AI chatbots that allow other researchers to query the logs with plain-language questions. Field Effect leveraged one of these chatbots and discovered the following notable points:
- Black Basta leverages malicious scripts for execution, including VBS scripts and DLL side-loading via rundll32.exe. These techniques allow for stealthy payload execution while bypassing traditional security measures. Additionally, the logs indicate frequent use of Windows system utilities like SearchProtocolHost.exe, which suggests an attempt to masquerade malicious activity under legitimate system processes. This aligns with Black Basta’s broader objective of maintaining persistence while evading detection by endpoint security tools.
- Black Basta relies heavily on Remote Desktop Protocol (RDP) and VPN compromises to facilitate initial access and lateral movement. Conversations referencing RDP migrations indicate that Black Basta operators frequently switch between compromised RDP instances.
- Black Basta often uses social engineering tactics, including IT department impersonation. In one exchange, a member asks how they can make a phone call appear to be from an IT department, hinting at a possible tactic for phishing employees into revealing credentials or executing malicious actions.
- The group discussed using Shodan and Fofa to scan for vulnerable Jenkins servers, highlighting the group’s increasing focus on target reconnaissance. By actively searching for exploitable infrastructure, Black Basta can fine-tune its attacks, prioritizing high-value targets with easily exploitable vulnerabilities.
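The first two points above describe behaviours that leave footprints in ordinary endpoint and authentication telemetry. The following Python script is an added illustration, not code from Field Effect or from the leaked logs: it runs a few detection rules over constructed sample events, flagging rundll32.exe loading a DLL from a user-writable path, a script host launching a .vbs file, a SearchProtocolHost.exe process that runs from outside the Windows directory or under an unexpected parent, and an account that logs on via RDP to several hosts in a short window. The event field names, the sample values, and the assumption that the genuine SearchProtocolHost.exe is spawned by SearchIndexer.exe are mine, not the article’s.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not taken from the leaked chats or any real
# incident). Field names are an assumption, modelled loosely on Sysmon Event ID 1
# (process creation) and Windows Security Event ID 4624 (logon).
PROCESS_EVENTS = [
    {"ts": "2025-02-20T09:14:02", "host": "WS01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-02-20T09:15:30", "host": "WS01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},              # benign control-panel launch
    {"ts": "2025-02-20T09:16:11", "host": "WS01",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\invoice.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-02-20T09:18:45", "host": "WS01",
     "image": r"C:\Users\Public\SearchProtocolHost.exe",
     "cmdline": r"SearchProtocolHost.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},            # copy masquerading as the indexer helper
    {"ts": "2025-02-20T09:19:00", "host": "WS01",
     "image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "cmdline": r"SearchProtocolHost.exe",
     "parent": r"C:\Windows\System32\SearchIndexer.exe"},  # legitimate indexer child
]

LOGON_EVENTS = [
    {"ts": "2025-02-20T08:30:00", "user": "alice",      "host": "WS01",  "logon_type": 2},
    {"ts": "2025-02-20T09:20:00", "user": "svc_backup", "host": "SRV01", "logon_type": 10},
    {"ts": "2025-02-20T09:22:10", "user": "svc_backup", "host": "SRV02", "logon_type": 10},
    {"ts": "2025-02-20T09:25:40", "user": "svc_backup", "host": "SRV03", "logon_type": 10},
    {"ts": "2025-02-20T09:27:05", "user": "svc_backup", "host": "FS01",  "logon_type": 10},
    {"ts": "2025-02-20T10:00:00", "user": "bob",        "host": "WS02",  "logon_type": 10},
]

# Directories a standard user can write to; a DLL loaded from here by rundll32 is worth a look.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return the list of findings (strings) for one process-creation event."""
    findings = []
    image, parent = _basename(ev["image"]), _basename(ev["parent"])
    cmd = ev["cmdline"]
    # Rule 1: rundll32.exe pointed at a DLL in a user-writable location.
    if image == "rundll32.exe":
        m = re.search(r'rundll32\.exe\s+"?([^",]+\.dll)', cmd, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(f"rundll32 executing DLL from user-writable path: {m.group(1)}")
    # Rule 2: a Windows script host launching a .vbs file.
    if image in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd, re.IGNORECASE):
        findings.append(f"script host executing VBS: {cmd}")
    # Rule 3: SearchProtocolHost.exe outside the Windows directory or with an unexpected parent.
    # Assumption: the genuine binary lives under C:\Windows and is spawned by SearchIndexer.exe.
    if image == "searchprotocolhost.exe":
        reasons = []
        if not ev["image"].lower().startswith(WINDOWS_DIR):
            reasons.append(f"image path {ev['image']}")
        if parent != "searchindexer.exe":
            reasons.append(f"parent {parent}")
        if reasons:
            findings.append("possible SearchProtocolHost masquerade: " + ", ".join(reasons))
    return findings


def scan_processes(events):
    """Apply check_process to every event; returns (host, timestamp, finding) tuples."""
    return [(ev["host"], ev["ts"], f) for ev in events for f in check_process(ev)]


def rdp_fanout(events, threshold=3, window=timedelta(minutes=15)):
    """Accounts that logged on via RDP (logon type 10) to at least `threshold`
    distinct hosts within one `window`; one indicator of RDP-based lateral movement."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for host, ts, finding in scan_processes(PROCESS_EVENTS):
        print(f"[{ts}] {host}: {finding}")
    for user, hosts in rdp_fanout(LOGON_EVENTS).items():
        print(f"RDP fan-out by {user}: {', '.join(hosts)}")
```

On the constructed input the script reports three process findings (the Temp-resident DLL, the VBS launch, and the misplaced SearchProtocolHost.exe) and one RDP fan-out alert for svc_backup, while the benign rundll32 and SearchIndexer-spawned events pass silently. In production the thresholds, the user-writable path list, and the parent-process expectation would be tuned against your own baseline before alerting on them.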
Overall, the leaked communications confirm what is mostly known about Black Basta: it is a highly adaptable ransomware group that refines its methods continuously and is capable of combining stealthy execution techniques, credential-based intrusions, social engineering, and automated reconnaissance to facilitate its campaigns. The chat logs also reinforce the need for organizations to implement robust access controls, network segmentation, and employee security awareness training to mitigate the risk posed by groups like Black Basta.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for ransomware-related threats. Field Effect MDR users are automatically notified if ransomware is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
While defending against ransomware attacks may seem intimidating, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Backup your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored somewhere other than the operational network so that they will not be encrypted during an attack and, thus, can be used to restore devices.
Update and patch software
Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems. This is one of the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites. Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Cybersecurity solutions like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.