In a major cybersecurity revelation, a recent leak of internal chat logs from the notorious Black Basta ransomware group has raised serious concerns about possible connections between the cybercriminal gang and Russian authorities. These leaked logs, which include over 200,000 messages spanning from September 2023 to September 2024, were shared by a Telegram user known as @ExploitWhispers. This leak provides rare insight into the group’s operations, shedding light on their sophisticated tactics, international connections, and the possibility of state involvement in their criminal activities.
Key Revelations from the Black Basta Chat Logs Leak
The leaked messages, analyzed by cybersecurity experts at Trellix, reveal shocking details about the operations of Black Basta, a criminal syndicate behind a growing wave of ransomware attacks. Here are some of the most important findings:
- Potential Russian Official Ties: The alleged leader of Black Basta, Oleg Nefedov (aka GG or AA), may have received help from Russian officials after his arrest in Yerevan, Armenia, in June 2024. According to the chat logs, GG claimed he contacted high-ranking officials to secure his escape, passing through a “green corridor” to facilitate his extraction just three days after being arrested.
- Operational Base in Russia: The group is believed to have at least two offices in Moscow, indicating a possible physical presence within Russia. This adds weight to the theory that the group may have backing from Russian state entities.
- Use of OpenAI and AI Tools: Interestingly, the Black Basta group reportedly utilizes OpenAI’s ChatGPT for a range of tasks. These include composing fraudulent formal letters in English, paraphrasing text, rewriting malware code from C to Python, debugging code, and even collecting data from victims.
- Collaborations with Other Ransomware Gangs: Black Basta members appear to collaborate with other ransomware groups, including Rhysida and CACTUS. These overlaps suggest a network of interlinked cybercriminal organizations.
- Malware and Tools Used: The group has developed or utilized a variety of malicious tools, including:
  - PikaBot: A malware loader created by a Ukrainian developer, mecor (also known as n3auxaxl).
  - DarkGate: Rented from Rastafareye.
  - Lumma Stealer: Used to steal login credentials.
  - Breaker: A post-exploitation C2 framework designed for maintaining persistent access to victim systems.
- New Ransomware Development: GG and mecor are reportedly working together on a new ransomware variant derived from the infamous Conti ransomware. A prototype written in C further suggests that Black Basta may be preparing a rebranding effort for their ransomware operations.
- Brute-Forcing and Credential Stuffing: Black Basta has been using a PHP-based framework called BRUTED, which allows them to automate large-scale credential-stuffing and brute-force attacks on internet-connected devices like firewalls and VPN solutions. This framework has been in use since 2023, allowing the group to target vulnerable systems more effectively.
- Monetization and Scaling: The development of BRUTED reflects Black Basta’s ongoing efforts to scale their operations, increasing the speed and scope of their attacks. This enables them to attack more victims and accelerate the monetization of their ransomware operations.
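A defender-side illustration of the activity described for BRUTED above, written as an added example that is not from the article, from Trellix or from the leaked material: a heuristic that separates credential stuffing (many distinct usernames from one source) from plain brute force (many attempts against one username) in VPN authentication logs. The log format, hostnames, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN auth lines (syslog-like; not from any real appliance).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vpn-gw auth: FAILED user=alice src=203.0.113.7
2024-05-01T10:00:02Z vpn-gw auth: FAILED user=bob src=203.0.113.7
2024-05-01T10:00:02Z vpn-gw auth: FAILED user=carol src=203.0.113.7
2024-05-01T10:00:03Z vpn-gw auth: FAILED user=dave src=203.0.113.7
2024-05-01T10:00:10Z vpn-gw auth: FAILED user=admin src=198.51.100.9
2024-05-01T10:00:11Z vpn-gw auth: FAILED user=admin src=198.51.100.9
2024-05-01T10:00:12Z vpn-gw auth: FAILED user=admin src=198.51.100.9
2024-05-01T10:00:13Z vpn-gw auth: FAILED user=admin src=198.51.100.9
2024-05-01T10:05:00Z vpn-gw auth: FAILED user=frank src=192.0.2.44
2024-05-01T10:05:30Z vpn-gw auth: OK user=frank src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: (?P<result>FAILED|OK) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
def parse(log_text):
    # Yield (timestamp, result, user, src); lines that do not match are skipped.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def classify_sources(log_text, window_s=60, fail_threshold=4, user_threshold=3):
    # Per source IP: 'credential_stuffing' = many distinct usernames in one window,
    # 'brute_force' = many failures against few usernames. Quiet sources are omitted.
    fails = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, result, user, src in parse(log_text):
        if result == "FAILED":
            fails[src].append((ts, user))
    verdicts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            if len(window) >= fail_threshold:
                users = {u for _, u in window}
                verdicts[src] = ("credential_stuffing" if len(users) >= user_threshold
                                 else "brute_force")
                break
    return verdicts
```

A single legitimate typo from 192.0.2.44 never reaches the failure threshold and is not reported, which keeps the alert focused on automated spraying rather than ordinary user mistakes.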
What Undercode Says:
The leaked chats from Black Basta provide a chilling look into the inner workings of one of the most sophisticated ransomware gangs in operation today. While the potential ties between Black Basta and Russian officials are far from conclusive, the evidence in the chat logs suggests that the group has significant support from elements within Russia. Whether this is formal government backing or the group simply operating with a degree of tolerance from Russian authorities remains unclear.
One of the most concerning aspects of this leak is how it highlights the ongoing evolution of ransomware tactics. Black Basta is not just relying on traditional ransomware attacks but is actively expanding its toolkit to include AI-driven strategies, automated credential stuffing, and the development of new, more resilient malware strains. This sophistication suggests that Black Basta is not only a financially motivated criminal group but also one that has invested heavily in advancing its cyber capabilities.
Moreover, the group’s collaboration with other ransomware operations shows the highly organized, multi-layered nature of today’s cybercrime landscape. The interconnections between different gangs help expand their reach and resources, making it harder for authorities to dismantle these networks.
In addition, the use of OpenAI’s ChatGPT by Black Basta underscores a new era of cybercrime. By leveraging cutting-edge technologies such as AI, cybercriminals can automate and optimize tasks that would have once required manual effort, allowing them to execute attacks at a much larger scale.
The focus on brute-forcing and credential stuffing with tools like BRUTED demonstrates a shift in ransomware strategy, as the group aims to gain access to more systems before encrypting them. This approach maximizes their chances of success and expands their pool of victims, enabling faster financial returns.
From a strategic standpoint, Black Basta’s move to develop ransomware based on Conti’s source code could represent an effort to maintain relevance in an ever-evolving cybercrime market. The constant rebranding of their operations, as evidenced by the prototype ransomware in development, suggests that the group is aware of the need to adapt to changing security measures and public awareness.
Fact Checker Results:
- Russian Official Assistance: While the leaked logs suggest possible connections, the exact nature of any support from Russian officials remains speculative without further evidence.
- AI Tools: Black Basta’s use of ChatGPT and other tools aligns with broader trends in cybercrime but is not entirely groundbreaking.
- BRUTED Framework: The development of automated credential-stuffing tools is a concerning but not unprecedented development in the world of ransomware attacks.
References:
Reported By: https://thehackernews.com/2025/03/leaked-black-basta-chats-suggest.html