Black Basta’s Notorious Tactics and Techniques Exposed in Leaked Intel

A significant leak of internal chat logs from the Black Basta ransomware group has provided cybersecurity researchers with unprecedented insight into their operations, capabilities, and motivations.

The leak, released on February 11, 2024, by a Telegram user named ExploitWhispers, contained approximately 200,000 chat messages dated between September 2023 and June 20241.

This event rivals the 2022 leaks that affected the Conti ransomware gang, offering a rare glimpse into one of the most impactful ransomware groups of recent years.

Ransomware Group’s Operations Unveiled

Threat hunters at Intel 471 have updated their threat intelligence with newly uncovered Tactics, Techniques, and Procedures (TTPs) based on the leaked information.

These include reconnaissance via discovery tools, defense evasion through abuse of Windows components, credential access using Mimikatz, and command and control access via the AnyDesk application.

The group also employs PowerShell for file downloads and execution, utilizes Rclone for data exfiltration, and achieves persistence through scheduled task creation.

Advanced TTPs and Critical Infrastructure Targeting

Black Basta, a Russian-speaking group operating under the Ransomware-as-a-Service (RaaS) model, has targeted numerous countries worldwide, including the United States, Japan, Australia, and the United Kingdom.

A joint report from CISA and the FBI released on May 10, 2024, detailed the group’s major activities between April 2022 and May 2024, revealing that they had targeted over 500 entities across North America, Europe, and Australia, affecting 12 out of 16 critical infrastructure sectors.

The ransomware group’s modus operandi involves encrypting files on victims’ computers or networks and employing a double extortion tactic, threatening to publish exfiltrated data if the ransom is not paid.

Their initial access techniques typically include phishing emails with malicious attachments or links, compromised websites, and exploitation of known vulnerabilities.

Recently, a Black Basta affiliate has been observed sending overwhelming amounts of spam emails to victims, followed by phone calls posing as IT staff to trick users into downloading remote support tools.

Once access is gained, Black Basta operators conduct network scans and reconnaissance using tools like SoftPerfect (netscan.exe).

They employ BITSAdmin and PsExec for lateral movement and utilize Splashtop, Screen Connect, and Cobalt Strike beacons to assist in their operations.

The group has been known to use Rclone and WinSCP for file exfiltration before encrypting data across local and network drives.

The exposure of Black Basta’s internal communications and operational details provides valuable intelligence for cybersecurity professionals and law enforcement agencies.

This information can be crucial in developing more effective defense strategies and mitigation techniques against this persistent and evolving ransomware threat.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free