We cybercrime analysts tend to get excited when giant collections of ransomware gangs’ chat logs are leaked, like the Conti Leaks in 2022 – or, more recently, the year’s worth of leaked Matrix chat logs from the Black Basta ransomware group. It’s the equivalent of front-row access to something that usually happens behind closed doors, and can shed light on TTPs to help balance the scales for defenders.
Our team dug into the leaked Black Basta chat logs with a particular focus on one of SpyCloud Labs’ favorite topics: stolen credentials. Based on our analysis, we learned that:
- Black Basta leveraged stolen credentials from multiple sources for initial access, persistence, and lateral movement in ransomware incidents
- After the Qakbot malware botnet was disrupted by law enforcement in 2023, Black Basta reoriented to focus on other initial intrusion including phishing and bruteforcing edge devices using combolists
- Black Basta also used infostealer malware in their operations – even discussing integrating new ‘infostealer’ functionality into their panel
In this article, we’ll highlight what this means for understanding the inner workings of these cybercrime operations and also give insights into the process we used for our research.
The Ransomware Business Model
We’re not telling you anything that’s not already well known – ransomware continues to be a global threat affecting every industry vertical. In fact, according to our most recent survey report of over 500 professionals in active enterprise cybersecurity roles, ransomware was cited as the leading cybersecurity threat across every industry. Ransomware itself is a billion dollar industry, costing businesses tens of billions of dollars annually when factoring in damage and recovery costs.
There’s no doubting it, ransomware has become a central component of the cybercrime economy, with businesses increasingly feeling the impacts since at least 2021. The volumes of attention heaped on ransomware since that year is largely a reflection of the surprising success of the ransomware intrusion model (Figure 1).
This model (which today doesn’t even require a “ware” to the ransom[1]) represents a peak point in which the underground cybercriminal economy had matured into a self-sustaining market. Skill specialization and role differentiation occurred and a variety of opportunities for monetizing cybercrime emerged.
Ransomware caused a paradigm shift, becoming a central hub into which the wide variety of specialists could contribute to the monetization of network wide intrusions and compromise.
Prior to this model, such large-scale, coordinated network intrusions were only the thing of Hollywood and state-sponsored operations, but ransomware enabled such operations to be monetized, attracting fleets of over-educated, under-employed labor (particularly in Balto-Slavic regions). The model was first “publicly” proofed by the Ryuk ransomware, expanded by the Maze “supergroup” and perfected by Ryuk’s evolution into the so-called “Conti” supergroup (aka Trickbot, LLC).
Black Basta’s history
Black Basta, like a handful of other newer ransomware groups, has its roots in the Conti group, where an individual going by the alias tramp participated briefly in core group functions. Tramp (identified in the BlackBasta leaks as gg) would go on to form the foundation of Black Basta, as highlighted in a recent report from France.
In 2022, increased interest from law enforcement and blue teams globally forced the Conti super group to fracture. Amongst the growing popularity of the ransomware model in cybercrime, former Conti members were assessed to be at work in some the newly formed groups, including Black Basta (Figure 2). Post-Conti splinters (yellow) represent cases where core members of Conti are assumed to play key roles in newer ransomware brands, whereas Conti-associated (green) may have only circumstantial relationships (such as shared affiliates or initial access brokers, or ad-hoc exchanges of services or access between groups). For example, DEV-0365 was a team within Conti that appeared to prepare and rent Cobalt Strike infrastructure to other ransomware groups.
Methodology: Digesting 180,000 Chat Messages Using an LLM
As researchers quickly discovered, leaked ransomware chats can be a double-edged sword. They are simultaneously a goldmine for new insights and an overwhelming firehose of unstructured data. Due to the multi-faceted nature of ransomware operations, a lot of explicit coordination is required. This results in plump chat logs, filled with exact technical specifications, logins, and explicit strategy discussions.
However, reading 180,000 chat logs to extract such details is an insurmountable task for even an average-sized team of analysts. Generative AI – and Large Language Models (LLMs), specifically – offer a unique opportunity to quickly process and extract data, filtering out the keks, smiley faces, and cybercriminal drama to uncover intel of interest.
Prompt engineering
The basic principle for entity and knowledge extraction is to define for the LLM 1) what information you’re interested in, 2) what format you want it in, and 3) what rules it should follow. The third criteria, giving the LLM some ground rules, is particularly helpful in countering semantic bias (when the model interprets ambiguous inputs incorrectly).
We parsed the chats into fixed timespans, and then used the LLM to dynamically filter out irrelevant data, keeping only valuable insights. In this case, we divided the chat logs into 24 hour chunks and passed them to the LLM along with variations on the following system prompt:
- subject is a string describing at a high level what you want to extract,
- fields is a list of detailed field name, like “operation_objective” and “operation_result” that the LLM will extract values for, and
- instructions allows you to tune the model when it’s having problems or to further expand on your provided subject.
This format was used to run over the Black Basta chats several times, leveraging different fields and focusing on different subjects and instruction sets to help guide the model.
This resulted in over 180,000 messages reduced down to daily summaries for particular types of information, including: operational details, personal information, and political intrigue. In some cases – for example, that of political intrigue – the 180k messages were reduced down to only a handful of messages. Mentions of relationships with government agencies were not an everyday occurrence in the Black Basta chats, so the resulting extracted messages were sparse.
Background: The Data Supply Chain (for Cybercriminals)
Of particular interest to SpyCloud’s mission of disrupting the credential supply chain leveraged by cybercriminals is the use of infostealers and exposed credentials to facilitate ransomware operations.
Credential exposure starts with a compromise, whether it be from stealer malware, phishing campaigns, or breaches. At this point, only the attackers and the victims can know about the compromise (Closed Loop in Figure 3). The circle of access expands when this data is sold or traded in the marketplace, or shared in agreements between threat actors. In some cases, the data can be extracted from records of attacker infrastructure. At this point, however, the data isn’t widely available (Semi-Open Loop in Figure 3).
Eventually, most stolen data is made publicly available (Open Loop in Figure 3) through various public or semi-public channels on the dark web, chat apps, and social media. Actors can choose to “open the loop” for various reasons, including political incidents, depreciation of value, or to establish street-cred.
Once it has been posted publicly, the data is often further split, cross-referenced, and recombined into combolists and password cracking dictionaries that facilitate phishing and brute force attacks. As highlighted below, brute force attacks would eventually take center stage within the Black Basta operation, but that first required desperation…
Black Basta: Death of the Botnets
In the cybersecurity community, 2022 was known for a tidal wave of botnet infections, driven largely by repurposed banking trojans (such as Emotet and Qakbot) that had evolved into generalized loaders. By the end of 2023, the lights of the then-popular botnets like Darkgate and Pikabot – along with the last traces of Qakbot – were barely flickering (Figure 4).
Exploitation, phishing, and brute forcing were always part of the Black Basta operation, but brute forcing began to take center stage in early 2024, after the group returned from Syvatki (the period between Orthodox Christmas and the Epiphany, a common holiday in Russia) missing some key members of the botnet team (Figure 5). Finally, during that summer, when all that remained was the core leadership of Black Basta, the group purchased 1,000 servers and focused solely on brute forcing.
This change in personnel, infrastructure, and methodology was likely in part facilitated by the group’s leader’s recent encounters with intelligence agencies, both foreign and domestic.
Black Basta: Exposed Credentials and Brute Forcing Campaigns
Throughout the Black Basta operation, combolists, phishing, and stealer logs were leveraged in various ways, but a dominant theme in the implementation of exposed (Open Loop) credentials was brute forcing internet-facing servers (Figure 6). At the surface, it might appear surprising that such a simple technique would be so reliably leveraged by a sophisticated ransomware group, but attack surface management is more complicated than it is often given credit for.
Edge devices represent publicly accessible regions of an organization’s attack surface. This surface can be exacerbated by misconfigurations in device enrollment, loose security policies, circumvention of security controls, and vulnerability exploitation to remove other security layers, finally leveraging the exposed credentials. As organizations grow, inventory, maintenance, and protection of this attack surface can become weak.
In parallel to this ballooning technological threat surface, the attack surface represented by credential exposure is also growing (Figure 3 above). Naturally, exposed credentials from this cybercrime data supply chain serve as fuel for brute force engines. And the Black Basta team leaned heavily on this throughout their operation.
The value of stealer logs in constructing combolists
URL:log:pass (ULP) combolists, large lists of credentials consisting of URLs, email/username logins, and passwords that are usually derived from stealer logs, can allow threat actors to construct combolists for brute forcing particular technologies.
On June 12, gg shared several combolists that appear targeted towards different edge devices of interest to Black Basta, including VPN, firewall, and other network security product vendors (Figure 7). You can find particular devices and their associated URL formats in internet scanning services like Shodan and Censys. For example, logins for URLs ending in login.html and admin.html might be good candidates for finding login credentials from ULPs (Figure 8).
Black Basta’s phishing campaigns
The Black Basta team was also observed leveraging email and combolists to seed phishing campaigns. Phishing targets included Microsoft Teams, Fortinet VPN, Citrix, and Office 365.
Phishing campaigns did not appear to take up a large proportion of Black Basta’s active campaigns at any given time, but they did appear to often be used in parallel with brute force campaigns on the same technologies.
Infostealers and stealer logs
As demonstrated in our preliminary report, the Black Basta team developed an integration for infostealers in the Black Basta panel. Further reading revealed that the team also manages and deploys stealers throughout their ransomware operations to facilitate tasks like privilege escalation, persistence, and lateral movement. There were also other development efforts towards stealers, such as integrating with hidden virtual network computing (hVNC) and reducing the detectability of LummaC2.
In mentions of infostealer malware (Figure 11), Lumma consisted mostly of .exe and .zip filenames following burito’s suggestion that they wrap the stealer with a crypter. Stealer logs were also directly shared in the leaked Matrix chats from a handful of stealers with an emphasis on Meduza stealer. Valid credentials have been repeatedly targeted by ransomware groups for initial access, and blue teams often find correlations between accounts found in stealer logs and those leveraged in ransomware incidents.
Here, we see an explicit relationship, including specific tooling in the Black Basta panel to support the integration between stealers and active ransomware operations.
Key Learnings from the Leaked Black Basta Chat Logs
In the case of the Black Basta Matrix chat logs, there is plenty of evidence to affirm the overused – but true – statement that “cybercriminals are constantly evolving.” We see their operations as reflective of larger trends in the criminal underground, including:
Role differentiation
Similar to the concept of an assembly line, when threat actors begin to focus and specialize while working with other specialists, each component of an operation gains in quality and efficiency, creating a complex criminal ecosystem where you can basically find anything you’re looking for.
Black Basta was a comparatively smaller team than Conti, but had clear roles delineated – such as manager, developers, botnet operators, intrusion specialists, infrastructure management, and EDR R&D.
Adaptiveness
The threat landscape is constantly evolving. There’s no rulebook for cybercrime, and cybercriminals are inherently creative problem solvers. For them, obstacles are fun new problems to solve.
- For example, when the BlackBasta team lost most of its staff, the group pivoted to a lower effort (but still relatively high value) approach: brute forcing. The team purchased 1,000 brute forcing servers to delegate the workload to, demonstrating the ability to scale and automate, as is intrinsic to any technology industry.
A corporate model of operations
More and more, cybercriminal operations are adapting the same business model legitimate corporations use.
- Conti, for example, had a Human Resources department for recruitment and vacation coordination.
- Due to the high yield on ransomware operations, most ransomware operations also heavily invest in R&D
- Particularly with regards to developing zero-days and EDR bypass, but as in any tech industry, there are numerous other small problems that can be automated pertaining to infrastructure integration, payload delivery, automated reconnaissance and network discovery on initial infection, and so forth. Small improvements that, collectively, scale the effectiveness of the ransomware operation up.
- Ransomware operators use marketing language and call their victims “clients”
- Ransomware operators don’t have a set price, but charge their “clients” based on revenue à la “Call us for quote!”
What does the future hold for Black Basta?
The cybercriminal lifestyle is filled with paranoia and anxiety – a sentiment often explicitly expressed by threat actors in leaked chats – which is why pressure from law enforcement and defenders can help reduce cybercriminal presence. It is expected that some portion of Black Basta members will retire while others will simply rebrand or contribute their skills to another operation.
Recommendations for Preventing Credential-Based Attacks
Since there is no rulebook for cybercrime, there’s no rulebook for defending, but the closest thing we have is “best practices.” To protect against the use of valid breached, leaked, and stolen credentials to attack your organization, we recommend the following:
Reduce risk of infostealer infections
- Specifically, organizations should enhance existing playbooks to include a comprehensive post-infection remediation approach to make sure that – beyond wiping the device clean of the initial stealer – the accounts and credentials tied to the device are remediated and active session cookies closed to ensure any stolen data can not be used for further invasive access to networks and systems.
- Vet online sources to verify legitimacy
- Don’t download free or cracked software
- Verify source when receiving email attachments
Use password managers
Organizations should offer employees access to a master password tool, and individuals should use a master password keeper instead of storing passwords in the browser. Stealers often steal passwords, credit card information, and other personal data stored in your browser. If you don’t save your passwords using your browser’s built-in password manager, then it’s less likely an infostealer infection will be able to get your passwords.
Don’t reuse passwords
SpyCloud research shows 70% of users reuse old passwords that have been exposed on the dark web. Users can use a password manager to generate a new, unique password for each account and keep them organized. Organizations can look to NIST guidelines to create and enforce good and manageable password hygiene through proper password policies.
You can check if any of your passwords are exposed on the dark web with SpyCloud’s free Password Checker.
Use multi-factor authentication (MFA).
- Ensure MFA is configured correctly following vendor guidelines. Improperly configured enrollment is easy for threat actors to bypass.
Monitor for exposed credentials and identity data
There are both consumer-facing and enterprise services to monitor credentials that have been leaked on the darknet due to breaches, malware, or phishing. Users and organizations can get started by using our free Check Your Exposure tool to check your corporate email address to understand if your identity data is circulating in the criminal underground.
Stay in the Loop
[1] Ransomware actors are increasingly removing as much malware from their attack flows as possible, sometimes even the ransomware itself, and relying only on the exfiltrated data for extortion. This works well for targets who are sensitive to data exposure and helps reduce the risk of harming, for example, patients in hospitals (which can lead to indictments, litigated ransom payments, and
Keep reading
