{
	"id": "ac4824e0-baec-464b-a274-1254c8897af7",
	"created_at": "2026-04-06T01:29:59.867184Z",
	"updated_at": "2026-04-10T13:12:38.573219Z",
	"deleted_at": null,
	"sha1_hash": "376d1c6ea268ff8c5558635183fe582a9c20b664",
	"title": "Exposed Credentials \u0026 Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746487,
	"plain_text": "Exposed Credentials \u0026 Ransomware Operations: Using LLMs to\r\nDigest 200K Messages from the Black Basta Chats\r\nBy Keegan Keplinger | Aurora Johnson\r\nPublished: 2025-04-16 · Archived: 2026-04-06 01:06:11 UTC\r\nWe cybercrime analysts tend to get excited when giant collections of ransomware gangs’ chat logs are leaked, like\r\nthe Conti Leaks in 2022 – or, more recently, the year’s worth of leaked Matrix chat logs from the Black Basta\r\nransomware group. It’s the equivalent of front-row access to something that usually happens behind closed doors,\r\nand can shed light on TTPs to help balance the scales for defenders.\r\nOur team dug into the leaked Black Basta chat logs with a particular focus on one of SpyCloud Labs’ favorite\r\ntopics: stolen credentials. Based on our analysis, we learned that:\r\nIn this article, we’ll highlight what this means for understanding the inner workings of these cybercrime\r\noperations and also give insights into the process we used for our research.\r\nWe’re not telling you anything that’s not already well known – ransomware continues to be a global threat\r\naffecting every industry vertical. In fact, according to our most recent survey report of over 500 professionals in\r\nactive enterprise cybersecurity roles, ransomware was cited as the leading cybersecurity threat across industries.\r\nRansomware itself is a billion dollar industry, costing businesses tens of billions of dollars annually when\r\nfactoring in damage and recovery costs.\r\nThere’s no doubting it, ransomware has become a central component of the cybercrime economy, with businesses\r\nincreasingly feeling the impacts since at least 2021. 
The volume of attention heaped on ransomware since that\r\nyear is largely a reflection of the surprising success of the ransomware intrusion model (Figure 1).\r\nThis model (which today doesn’t even require a “ware” to the ransom[1]) represents a peak point in which the\r\nunderground cybercriminal economy had matured into a self-sustaining market. Skill specialization and role\r\ndifferentiation occurred, and a variety of opportunities for monetizing cybercrime emerged.\r\nRansomware caused a paradigm shift, becoming a central hub through which a wide variety of specialists could\r\ncontribute to the monetization of network-wide intrusions and compromise.\r\nPrior to this model, such large-scale, coordinated network intrusions were the stuff of Hollywood and state-sponsored operations only, but ransomware enabled such operations to be monetized, attracting fleets of over-educated,\r\nunder-employed labor (particularly in Balto-Slavic regions). The model was first “publicly” proofed by the Ryuk\r\nransomware, expanded by the Maze “supergroup” and perfected by Ryuk’s evolution into the so-called “Conti”\r\nsupergroup (aka Trickbot, LLC).\r\nBlack Basta’s history\r\nhttps://spycloud.com/blog/digesting-messages-from-the-black-basta-chats/\r\nPage 1 of 10\n\nIn 2022, increased interest from law enforcement and blue teams globally forced the Conti supergroup to fracture.\r\nAmid the growing popularity of the ransomware model in cybercrime, former Conti members were assessed to\r\nbe at work in some of the newly formed groups, including Black Basta (Figure 2). Post-Conti splinters (yellow)\r\nrepresent cases where core members of Conti are assumed to play key roles in newer ransomware brands, whereas\r\nConti-associated (green) may have only circumstantial relationships (such as shared affiliates or initial access\r\nbrokers, or ad-hoc exchanges of services or access between groups). 
For example, DEV-0365 was a team within\r\nConti that appeared to prepare and rent Cobalt Strike infrastructure to other ransomware groups.\r\nAs researchers quickly discovered, leaked ransomware chats can be a double-edged sword. They are\r\nsimultaneously a goldmine for new insights and an overwhelming firehose of unstructured data. Due to the multi-faceted nature of ransomware operations, a lot of explicit coordination is required. This results in plump chat logs,\r\nfilled with exact technical specifications, logins, and explicit strategy discussions.\r\nHowever, reading 180,000 chat messages to extract such details is an insurmountable task for even an average-sized\r\nteam of analysts. Generative AI – and Large Language Models (LLMs), specifically – offer a unique opportunity\r\nto quickly process and extract data, filtering out the keks, smiley faces, and cybercriminal drama to uncover intel\r\nof interest.\r\nPrompt engineering\r\nThe basic principle for entity and knowledge extraction is to define for the LLM 1) what information you’re\r\ninterested in, 2) what format you want it in, and 3) what rules it should follow. The third criterion, giving the LLM\r\nsome ground rules, is particularly helpful in countering semantic bias (when the model interprets ambiguous\r\ninputs incorrectly).\r\nWe parsed the chats into fixed timespans, and then used the LLM to dynamically filter out irrelevant data, keeping\r\nonly valuable insights. In this case, we divided the chat logs into 24-hour chunks and passed them to the LLM\r\nalong with variations on the following system prompt:\r\nThis format was used to run over the Black Basta chats several times, leveraging different fields and focusing on\r\ndifferent subjects and instruction sets to help guide the model.\r\nThis resulted in over 180,000 messages reduced down to daily summaries for particular types of information,\r\nincluding: operational details, personal information, and political intrigue. 
In some cases – for example, that of\r\npolitical intrigue – the 180k messages were reduced down to only a handful of messages. Mentions of\r\nrelationships with government agencies were not an everyday occurrence in the Black Basta chats, so the resulting\r\nextracted messages were sparse.\r\nOf particular interest to SpyCloud’s mission of disrupting the credential supply chain leveraged by cybercriminals\r\nis the use of infostealers and exposed credentials to facilitate ransomware operations.\r\nCredential exposure starts with a compromise, whether it be from stealer malware, phishing campaigns, or\r\nbreaches. At this point, only the attackers and the victims can know about the compromise (Closed Loop in Figure\r\n3). The circle of access expands when this data is sold or traded in the marketplace, or shared in agreements\r\nbetween threat actors. In some cases, the data can be extracted from records of attacker infrastructure. At this\r\npoint, however, the data isn’t widely available (Semi-Open Loop in Figure 3).\r\nEventually, most stolen data is made publicly available (Open Loop in Figure 3) through various public or semi-public channels on the dark web, chat apps, and social media. Actors can choose to “open the loop” for various\r\nreasons, including political incidents, depreciation of value, or to establish street-cred.\r\nOnce it has been posted publicly, the data is often further split, cross-referenced, and recombined into combolists\r\nand password cracking dictionaries that facilitate phishing and brute force attacks. 
As highlighted below, brute\r\nforce attacks would eventually take center stage within the Black Basta operation, but that first required\r\ndesperation…\r\nIn the cybersecurity community, 2022 was known for a tidal wave of botnet infections, driven largely by\r\nrepurposed banking trojans (such as Emotet and Qakbot) that had evolved into generalized loaders. By the end of\r\n2023, the lights of the then-popular botnets like Darkgate and Pikabot – along with the last traces of Qakbot –\r\nwere barely flickering (Figure 4).\r\nExploitation, phishing, and brute forcing were always part of the Black Basta operation, but brute forcing began to\r\ntake center stage in early 2024, after the group returned from Svyatki (the period between Orthodox Christmas and\r\nthe Epiphany, a common holiday in Russia) missing some key members of the botnet team (Figure 5). Finally,\r\nduring that summer, when all that remained was the core leadership of Black Basta, the group purchased 1,000\r\nservers and focused solely on brute forcing.\r\nThis change in personnel, infrastructure, and methodology was likely in part facilitated by the group leader’s\r\nrecent encounters with intelligence agencies, both foreign and domestic.\r\nThroughout the Black Basta operation, combolists, phishing, and stealer logs were leveraged in various ways, but\r\na dominant theme in the implementation of exposed (Open Loop) credentials was brute forcing internet-facing\r\nservers (Figure 6). On the surface, it might appear surprising that such a simple technique would be so reliably\r\nleveraged by a sophisticated ransomware group, but attack surface management is more complicated than it is\r\noften given credit for.\r\nEdge devices represent publicly accessible regions of an organization’s attack surface. 
This surface can be\r\nexacerbated by misconfigurations in device enrollment, loose security policies, circumvention of security controls,\r\nand exploitation of vulnerabilities that strip away other security layers, after which the exposed credentials are finally leveraged. As\r\norganizations grow, inventory, maintenance, and protection of this attack surface can become weak.\r\nIn parallel to this ballooning technological threat surface, the attack surface represented by credential exposure is\r\nalso growing (Figure 3 above). Naturally, exposed credentials from this cybercrime data supply chain serve as\r\nfuel for brute force engines, and the Black Basta team leaned heavily on this throughout their operation.\r\nThe value of stealer logs in constructing combolists\r\nURL:log:pass (ULP) combolists, large lists of credentials consisting of URLs, email/username logins, and\r\npasswords that are usually derived from stealer logs, allow threat actors to construct combolists for brute\r\nforcing particular technologies.\r\nOn June 12, gg shared several combolists that appear targeted towards different edge devices of interest to Black\r\nBasta, including VPN, firewall, and other network security product vendors (Figure 7). You can find particular\r\ndevices and their associated URL formats in internet scanning services like Shodan and Censys. For example,\r\nlogins for URLs ending in login.html and admin.html might be good candidates for finding login credentials from\r\nULPs (Figure 8).\r\nBy July 2024, by which point it appears that most of the Black Basta team had departed (Figure 5, Summer), the\r\nremaining leadership was arranging the purchase of 1,000 servers for brute forcing on lapa’s suggestion. 
The\r\nservers were eventually paid for by gg (Figure 6, single red square) in preparation for a massive brute force\r\ncampaign targeting edge devices.\r\nBlack Basta’s phishing campaigns\r\nPhishing campaigns did not appear to take up a large proportion of Black Basta’s active campaigns at any given\r\ntime, but they did appear to often be used in parallel with brute force campaigns on the same technologies.\r\nInfostealers and stealer logs\r\nAs demonstrated in our preliminary report, the Black Basta team developed an integration for infostealers in the\r\nBlack Basta panel. Further reading revealed that the team also manages and deploys stealers throughout their\r\nransomware operations to facilitate tasks like privilege escalation, persistence, and lateral movement. There were\r\nalso other development efforts towards stealers, such as integrating with hidden virtual network computing\r\n(hVNC) and reducing the detectability of LummaC2.\r\nIn mentions of infostealer malware (Figure 11), Lumma consisted mostly of .exe and .zip filenames following\r\nburito’s suggestion that they wrap the stealer with a crypter. Stealer logs were also directly shared in the leaked\r\nMatrix chats from a handful of stealers with an emphasis on Meduza stealer. 
Valid credentials have been\r\nrepeatedly targeted by ransomware groups for initial access, and blue teams often find correlations between\r\naccounts found in stealer logs and those leveraged in ransomware incidents.\r\nHere, we see an explicit relationship, including specific tooling in the Black Basta panel to support the integration\r\nbetween stealers and active ransomware operations.\r\nIn the case of the Black Basta Matrix chat logs, there is plenty of evidence to affirm the overused – but true –\r\nstatement that “cybercriminals are constantly evolving.” We see their operations as reflective of larger trends in\r\nthe criminal underground, including:\r\nRole differentiation\r\nSimilar to the concept of an assembly line, when threat actors begin to focus and specialize while working with\r\nother specialists, each component of an operation gains in quality and efficiency, creating a complex criminal\r\necosystem where you can basically find anything you’re looking for.\r\nBlack Basta was a smaller team than Conti, but had clearly delineated roles, such as manager,\r\ndevelopers, botnet operators, intrusion specialists, infrastructure management, and EDR R\u0026D.\r\nAdaptiveness\r\nThe threat landscape is constantly evolving. There’s no rulebook for cybercrime, and cybercriminals are inherently\r\ncreative problem solvers. For them, obstacles are fun new problems to solve.\r\nBlock weak and exposed passwords at the source\r\nMore and more, cybercriminal operations are adapting the same business model legitimate corporations use.\r\nWhat does the future hold for Black Basta?\r\nThe cybercriminal lifestyle is filled with paranoia and anxiety – a sentiment often explicitly expressed by threat\r\nactors in leaked chats – which is why pressure from law enforcement and defenders can help reduce cybercriminal\r\npresence. 
It is expected that some portion of Black Basta members will retire while others will simply rebrand or\r\ncontribute their skills to another operation.\r\nSince there is no rulebook for cybercrime, there’s no rulebook for defending, but the closest thing we have is “best\r\npractices.” To protect against the use of valid breached, leaked, and stolen credentials to attack your organization,\r\nwe recommend the following:\r\n01\r\nReduce risk of infostealer infections\r\nIndividuals and organizations should take steps to avoid infostealer infections to minimize the potential for\r\nfollow-on cyberattacks.\r\n02\r\nUse password managers\r\nOrganizations should offer employees access to a master password tool, and individuals should use a master\r\npassword keeper instead of storing passwords in the browser. Stealers often steal passwords, credit card\r\ninformation, and other personal data stored in your browser. If you don’t save your passwords using your\r\nbrowser’s built-in password manager, then it’s less likely an infostealer infection will be able to get your\r\npasswords.\r\n03\r\nDon’t reuse passwords\r\nSpyCloud research shows 70% of users reuse old passwords that have been exposed on the dark web. 
Users can\r\nuse a password manager to generate a new, unique password for each account and keep them organized.\r\nOrganizations can look to NIST guidelines to create and enforce good and manageable password hygiene through\r\nproper password policies.\r\nYou can check if any of your passwords are exposed on the dark web with SpyCloud’s free Password Checker.\r\n04\r\nUse multi-factor authentication (MFA)\r\nMFA renders a stolen password useless without a registered authenticating device or a sophisticated bypass.\r\n05\r\nMonitor for exposed credentials and identity data\r\nThere are both consumer-facing and enterprise services to monitor credentials that have been leaked on the\r\ndarknet due to breaches, malware, or phishing. Users and organizations can get started by using our free Check\r\nYour Exposure tool to check your corporate email address to understand if your identity data is circulating in the\r\ncriminal underground.\r\n[1] Ransomware actors are increasingly removing as much malware from their attack flows as possible, sometimes\r\neven the ransomware itself, and relying only on the exfiltrated data for extortion. This works well for targets who\r\nare sensitive to data exposure and helps reduce the risk of harming, for example, patients in hospitals (which can\r\nlead to indictments, litigated ransom payments, and\r\nSource: https://spycloud.com/blog/digesting-messages-from-the-black-basta-chats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://spycloud.com/blog/digesting-messages-from-the-black-basta-chats/"
	],
	"report_names": [
		"digesting-messages-from-the-black-basta-chats"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438999,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/376d1c6ea268ff8c5558635183fe582a9c20b664.pdf",
		"text": "https://archive.orkl.eu/376d1c6ea268ff8c5558635183fe582a9c20b664.txt",
		"img": "https://archive.orkl.eu/376d1c6ea268ff8c5558635183fe582a9c20b664.jpg"
	}
}