{
	"id": "1c6c8625-6f88-485e-a5af-fcd7ed9712d7",
	"created_at": "2026-04-10T03:22:10.851422Z",
	"updated_at": "2026-04-10T03:22:16.685953Z",
	"deleted_at": null,
	"sha1_hash": "9a9850004e3d2b771d2d40881c31475e033a0d58",
	"title": "Initial Takeaways from the Black Basta Chat Leaks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 889248,
	"plain_text": "Initial Takeaways from the Black Basta Chat Leaks\r\nBy Spence Hutchinson\r\nArchived: 2026-04-10 03:08:28 UTC\r\nThe Black Basta ransomware group's internal chat logs, leaked on February 11, 2025, consist of nearly 200,000\r\nRussian-language messages spanning September 18, 2023, to September 28, 2024. These logs, exposed by an\r\nindividual known as \"ExploitWhispers\", provide a detailed look into the group's operations, internal dynamics,\r\nand eventual decline.\r\nThe leak is expansive and includes invaluable insight into the group’s inner workings, collaborators and payments.\r\nIt also contains numerous references to business operations and possible entities linked to group members. This\r\nblog will focus on several initial takeaways from our analysis of the leak.\r\nOrganization Structure of the Black Basta Ransomware Group\r\nBlack Basta is a ransomware group that emerged in early 2022 and quickly established itself as a significant\r\ncybercriminal operation. It’s known for its aggressive double-extortion tactics, where it encrypts victims' data and\r\nthreatens to leak it unless a ransom is paid. The group primarily targets large organizations across critical sectors\r\nlike healthcare, manufacturing, government, and financial services, exploiting vulnerabilities in systems or using\r\nsocial engineering to gain access.\r\nNotable Members\r\n“GG” (aka “Tramp”): Key figure/leader in the group. Often referred to as “boss”; he is consulted on major\r\ndecisions throughout many aspects of the operation. Likely previously affiliated/connected with the Conti\r\nransomware group.\r\n“YY” (aka “Bio”): Possible administrator with the group, can be seen delegating tasks and performing\r\ngeneral administrative actions. 
May have had a role in developing the initial ransomware tools and\r\ninfrastructure.\r\n“Lapa”: Likely a technical administrator/coordinator of other members/outside vendors.\r\n“Tinker”: Involved with spam/vishing, data preparation, negotiations, and a close associate of “GG”. May\r\nhave also been affiliated with Conti previously. Has connections with other ransomware groups/operators.\r\n“Nickolas”: Close collaborator with “GG” on the “talks.icu” chat. Appears to take part in attacks, may run\r\na separate team. Often provides insights into cybersecurity trends and tooling, which “GG” reiterates back to\r\nhis crew.\r\n“n3auxaxl”: Remote developer, possibly reported to “YY” or “NN”. In spring of 2024, “GG”\r\ncircumvented the chain of command and instructed “n3auxaxl” to develop an entirely new ransomware for\r\n$100,000 up front.\r\n“Ugway”: Technical operator involved with multiple aspects of the operation, from deploying attacks and\r\nacquiring credentials to malware.\r\nhttps://www.esentire.com/blog/initial-takeaways-from-the-black-basta-chat-leaks\r\nPage 1 of 17\n\nNote, this is not an exhaustive list of actors involved with the operation. A broader in-depth study is needed to\r\nfully understand the inner workings of the group and affiliates. It’s worth noting that there are chats throughout the\r\nleak suggesting some of the core members of the group may work physically in the same office.\r\nTarget Selection and Sensitivities\r\nBlack Basta prioritized high-value targets, particularly in sectors like finance, manufacturing, and energy. They\r\nleveraged open-source intelligence (OSINT) tools such as ZoomInfo, LinkedIn, and RocketReach to profile\r\norganizations, assess their revenue, and identify key employees for social engineering attacks. 
The leaks revealed\r\n380 unique ZoomInfo links, suggesting at least that many companies were targeted during the leak period.\r\nThe chat logs also reveal the group is sensitive to certain targets based on several factors, including:\r\n1. Countries where the legality of ransom payments is a barrier to payment.\r\n2. Industries such as healthcare which might bring political and law enforcement pressure on the group.\r\n3. Russia and “Friendly Countries”.\r\nIn March 2024, user Ugway shared a ZoomInfo link for a pharmacy based in France (presumably where he had a\r\nfoothold). GG, a leader in the group, replies with “We don’t take those into work…. France doesn’t pay”.\r\nPresumably this is in reference to specific laws or barriers to getting payments in a prompt manner, so they\r\nappear to avoid those targets (Black Basta had listed several victims based in France prior to this).\r\nIn May 2024, group members panicked following widespread media attention on the attack on Ascension.\r\nMembers were quick to portray the attack as a mistake and frame their subsequent actions (decrypting systems,\r\netc.) as the morally right thing to do.\r\nDoes this mean Black Basta avoids any target in the healthcare industry? Likely not.\r\nIn one negotiation with a healthcare provider, they explicitly stated the goal was not service disruption, but data\r\nextortion:\r\n“We are aware of the current disruptions, from diverted ambulances to cancelled surgery appointments. This\r\nwasn't our goal. 
Our goal was data, which you did not protect and which you will need to pay for.”\r\nAdditionally, in November 2023, in the lead-up to the Ascension attack, GG was presented with access to an\r\nassociated Catholic healthcare facility and asked, “Doesn’t it bother you that it’s a church?” to which he replied\r\n“No”.\r\nCandid chats between certain members also made it clear that leaders and senior members such as GG and Tinker are\r\naware of the political fallout from high-profile attacks that could affect their ability to earn.\r\nA long message from Tinker on May 9th following the Ascension attack highlights this sensitivity, effectively\r\nsuggesting the attack could bring retaliatory attacks from American authorities which could knock out their\r\nsystems. He also warned that they could be sanctioned and thus be unable to receive ransom payments.\r\nThen there is the concern with local authorities. A March 2024 conversation between Tinker and GG spells out\r\nthis concern and the group’s fears of Russian authorities such as the Federal Security Service (FSB).\r\nTinker: A friend from the second team, who knows I work for you, told me that an agency is looking for you. The\r\nAnd you know yourself – as soon as political shit starts moving, they come to Conti, it was like that before the\r\nThe warning alludes to the ongoing political environment in Russia surrounding the death of Alexei Navalny in\r\ncaptivity the month prior. The reference to GG’s knowledge of Conti is also notable. The second team in question\r\nis BlackSuit/Royal:\r\nTinker: The second team is BlackSuit, Royal. The guy is one of their pentesters. I know him as ‘Alpha,’ seems l\r\nThe conversation continues, with Tinker revealing the FSB was probing ransomware actors involved in a domestic\r\nransomware attack:\r\nGG: …we don’t target friendly countries at all. 
We might probe China sometimes but not set it up.\r\nTinker: He didn’t elaborate much – said ‘we f*** up a friendly country with a locker’ – verbatim.\r\nGG: We don’t touch anyone from friendly countries\r\nTinker: The agency is the FSB. I know we don’t touch them, if we actually did – I wouldn’t be talking to you abo\r\nThese candid conversations demonstrate the awareness core members have with respect to the political\r\nenvironment. They also demonstrate the nexus between the Russian ransomware space and the Russian intelligence\r\nservices keeping tabs on the Russian ransomware groups.\r\nMature operators perhaps recognize that the key to survival in the ransomware space is a balancing act: on one end\r\nmaintaining a fearsome reputation with victims and on the other avoiding scrutiny from domestic \u0026 foreign\r\nauthorities. Nobody, it seems, wants to be the head of the snake. It’s this political awareness that likely led GG to\r\nseek a rebranding/rebuild following the attack against Ascension.\r\nAscension Incident, Backroom Deals and Planned Rebranding\r\nIn early May 2024, Ascension suffered a major attack that resulted in disruptions to healthcare services across\r\ntheir network. Media reports, quoting sources briefed on the investigation, tied the attack to the Black Basta\r\ngroup. The leaked chats showed panic among members surrounding the attack, with members worried about\r\nrepercussions and attention from authorities following reports by CNN and Bleeping Computer.\r\nThe incident can possibly be traced to November 2023, when user SS identified an exposed remote access point at\r\nan affiliated hospital (based on the naming convention this appears to be a development endpoint left exposed\r\nwith default credentials). 
Despite knowing the target was a hospital with religious affiliations, GG pressed forward\r\nand enumerated several hundred domain trusts linked to the target.\r\nBased on messages shared, it appears a Kerberoasting attack was used to acquire service account ticket hashes for\r\noffline cracking, which were then shared back to the group in text files.\r\nFollowing media publications in May 2024, GG (likely the group’s leader) revealed how the team reacted to the\r\nattack, including a meeting in “the office” with other group members.\r\nGG:\r\nWe set it up before the weekend, accidentally hit healthcare.\r\nThere’s going to be a hell of an analysis now\r\nI gave them the decryptor yesterday for free and want them to recover faster\r\nI don’t want people to suffer\r\nWe’re pentesters, not murderers\r\nIf kids or cancer patients suffer, how am I supposed to live with that!?\r\nNo money is worth this\r\nThat’s why I just held a meeting in the office\r\nHe goes on to explain the operational security implications, further showing how concerned the group was\r\nwith repercussions following such a high-profile attack.\r\nGG:\r\nSaid that we’re changing everything…\r\nSIM cards\r\nVPS\r\nVPNs\r\nAll the servers for work\r\nYY is walking around sad\r\nThese revelations were discussed seemingly in private between GG and another individual, @n3auxaxl, on the\r\ncollectionofmanager[.]space Matrix chat. GG went on to propose creating an entirely new operation behind the\r\nbacks of other members, using @n3auxaxl to develop the code:\r\nGG: I have a proposal for you…here’s a priority task…Write software…From scratch.\r\n@n3auxaxl: What kind?\r\nGG: But only two people should know about this…You…And…I. No one else. Can’t tell anyone.\r\n@n3auxaxl: Yes of course.\r\nGG: Well, you get what kind of software I’m talking about. But take Conti’s source code as a basis. 
BlackBasta w\r\n@n3auxaxl: Got it, understood the task\r\nGG then clarifies this development work will include a leak site (blog), admin panel, chat and builder for the\r\nencryption/decryption software. He specifically requests the builder be separate from the main server, likely to\r\nprotect the software from rogue affiliates and law enforcement.\r\nHe instructs @n3auxaxl to put aside his other work and focus only on this task. GG then reveals the working\r\nconditions:\r\nGG: You’ll get a percentage from each of our payouts right away. We’ll start with 5% of each amount + $100,000\r\nGG then compares this with YY’s terms, saying “My YY is getting 10% now, but he’s been with us for 3\r\nyears and bought an apartment, a car, launched a few businesses.”\r\nGG reiterates this project must not be shared with anyone, including NN (“Don’t blab to anyone…..NN - don’t say\r\nanything”). Despite the request for secrecy, GG then takes to a chat on the bestflowers247[.]online Matrix chat to\r\ninform others of his plan:\r\nGG: I talked to the programmer, we’re going to do a rebranding. YY doesn’t need to know this, the programmer th\r\nThe incident and subsequent discussions in the leak reveal how GG, a politically savvy and experienced\r\nransomware operator, undercut his fellow Black Basta members to advance his interests in the face of possible\r\noutside threats from domestic security services.\r\nIt’s also a positive sign that law enforcement efforts to disrupt these groups are breeding distrust and paranoia\r\namongst group members, forcing them to expend more effort and undermine each other.\r\nExtortion and Negotiation Tactics\r\nBlack Basta is a double extortion group, meaning they encrypt systems and steal data, then threaten to\r\nleak it if extortion payments aren’t made. 
The leaked chats reveal the group’s call script, used to contact the\r\naffected business and pressure them into payment.\r\nThe script is in English, with comments in Russian for how to handle specific scenarios (translated\r\nbelow):\r\nHello, my name is Eric,\r\nI am calling from the BlackBasta group regarding the recent cybersecurity incident taking place in your company.\r\nIf they connect me:\r\nOur name is BlackBasta Syndicate, and we are the largest, most advanced, and most prolific organized group curre\r\nWe have your data and encrypted your files, but in less than an hour, we can put things back on track: if you pa\r\nWe have been trying to get in contact with your team, but I need to talk to the management directly. This is urg\r\nIf yes:\r\nIf we publish your data, we will not only expose all the ongoing customer and business operations which you are\r\nIf they don’t connect me to management, demand IT or finance instead. As in any scenario, be sure to ask for or\r\nIf they argue that they can’t connect me:\r\nYour management is the best suited to handle this. If you are not connecting me to them, I will be calling them\r\nIf they say they don’t know about the breach:\r\nWe have your data and are ready to publish it. All of it - financial documents, client data, ongoing cases. We b\r\nFinally, the call script outlines a series of instructions mixed with threats ranging from legal action to financial\r\npenalties.\r\nNow I need to convey to you the following seven points:\r\n1. Go back to the chat and begin a proper conversation with us.\r\n2. Do NOT tell us that you cannot pay. We saw your financial records. You CAN pay. You will need to make sacrifi\r\n3. Stop taking this situation as a joke and delegating it to a hired negotiator - bring yourself or other partne\r\n4. 
If you keep ignoring us, we will be calling you and your colleagues directly. We will be calling the supreme\r\n5. We have other means of pressure. Ask your hired negotiators, or do it yourself.\r\n6. There is no way you can shield yourself out of this - you are already in it. Time to recognize this.\r\n7. My management says that they are not trying to threaten or frighten you. This applied pressure is only a resu\r\nThe goal of the call script is to identify a direct line to management and, where possible, avoid third-party IR or\r\nransom negotiators. The statement about using financial records to determine the ransom amount is backed up by\r\nother internal chats.\r\nFor example, in a January 2024 conversation regarding an ongoing extortion negotiation, GG instructs Tinker to\r\nanalyze the victim’s financial data and drop it in the negotiation chat. GG emphasizes that “Everything needs to be\r\nbacked up with solid arguments and clarity” before instructing Tinker to demand a multi-million-dollar ransom\r\nfrom them.\r\nThe chats also show internal deliberations about ransom payment negotiations. The group appears flexible and\r\nwilling to extend deadlines and negotiate payments.\r\nFor victims, having a clear understanding of the scope of the intrusion and subsequent data theft is crucial and\r\nprovides an upper hand in negotiations. Notably, chat logs show GG has the final say on negotiations, further\r\ncementing him as a leader within the group.\r\nInterest in Commercial Cybersecurity and Threat Intelligence Services\r\nThe leaked chats show immense interest in testing the capabilities of cybersecurity tools, in particular Endpoint\r\nDetection and Response products. Group members can be seen discussing “EDR Killers” or bypasses, often\r\nlinking to Exploit or XSS forum posts for these services. 
There are also internal discussions about the\r\neffectiveness of these bypasses in lab tests, indicating the group had contracted or developed these capabilities.\r\nGroup member GG can be seen talking extensively in another chat (talks.icu) with user @Nickolas about a lab\r\nenvironment for testing and training. GG expresses interest in acquiring trial licenses for “Sentinel, Crowd,\r\nSophos, Cisco, Trend Micro” using stolen identities.\r\nIt’s clear that @Nickolas is someone with cybersecurity industry knowledge of defensive tools and threat\r\nintelligence/dark web monitoring services (the pair discuss buying enterprise licenses from one service to augment\r\ntheir credential stuffing attacks).\r\nHe can be seen coaching GG on evolving cybersecurity trends such as Multi-Factor Authentication (MFA)\r\nadoption, EDR and Managed Detection and Response services, telling GG “MDR is basically the future trend of\r\nthe cybersecurity industry… For small and medium businesses, it’s the only way to protect against attacks.\"\r\n@Nickolas then suggests exploiting compromised credentials to access networks using remote access services\r\nsuch as VPN.\r\nElsewhere in the chat, members can be seen sharing leaked credentials from infostealers for threat intelligence\r\nservices such as VirusTotal and Censys, indicating interest in monitoring their exposure in such tools.\r\nEvolving Initial Access Methods Were a Focus, and Headache\r\nIdentification and containment of early-stage ransomware activity is critical to preventing follow-on attacks. The\r\nchats show the group would cast a wide net with their campaigns, then sift through footholds looking for high-value targets. 
This offers defenders a time window to clean up infected endpoints, compromised accounts, etc.\r\nbefore they are activated.\r\nOverall, the chats reveal a multitude of initial access methods in line with observed trends throughout the\r\ntimespan of the leak. These include known exploits, credential stuffing attacks, phishing (including QR code\r\nphishing), vishing (via Microsoft Teams and Zoho Voice), email bombing, malicious search advertisements, signed\r\ninstallers, etc.\r\nThere is also evidence of acquiring access from access brokers, which presents more opportunity to identify and\r\ncontain before the keys exchange hands.\r\nOur analysis did not find expansive use of sophisticated TTPs or exploits. However, there is evidence that the group\r\nsought and exploited 0-day and N-day vulnerabilities. For example, in June 2024, Symantec published research\r\ndescribing Black Basta exploiting an elevation of privilege (EoP) vulnerability (CVE-2024-26169) in the Windows\r\nError Reporting (WER) Service, patched by Microsoft in March 2024. Their analysis identified variants of the\r\nexploit tool dating back to February 2024 and December 2023. The leak provides some clues to the group using\r\nvariants of a WER EoP dating back to November 2023:\r\n1. On November 10, 2023, user YY shared file “WER_Research_07062023.exe” followed by discussion on\r\nprivilege elevation. It isn’t clear if YY created the file or acquired it.\r\n2. On December 6, 2023, the file is brought up again in reference to an LPE (Local Privilege Escalation).\r\n3. On February 20 2024, user “Chuck” asks GG about his exploit for \"Windows win32kbase.sys insecure call\r\nto werkernel.sys elevation of privileges vulnerability” and whether he got it from “vulns-rock”.\r\n4. 
In May 2024, after CVE-2024-26169 had been disclosed by Microsoft, YY links the MSRC page in reference to\r\nfile \"WER_Kernel.exe\" and tells the group “It operates the same way as other WER_FAULT vulnerabilities\r\n(we had two other similar ones)”. GG clarifies to YY the exploit was created by the “same programmer”\r\n(likely referring to a WER EoP exploit already in their possession).\r\nElsewhere in the leak, members such as GG commonly shared exploit listings from a correspondent “zdays”, such\r\nas this Ivanti Connect Secure RCE listing priced at $200,000 (listing screenshot omitted):\r\nThe listing appears similar to those shared on the 0day[.]today exploit market. It’s not clear whether the group\r\npurchased the exploit in this case, however it’s one example of multiple such listings shared in the chat.\r\nThis collaboration between group members and outside advisors/vendors is often what allowed the group to adapt\r\nto the changing landscape and operationalize emerging tradecraft and exploits sold on forums or shared publicly\r\nby offensive security researchers.\r\nOne example of this evolution can be found in the group’s use of Microsoft Teams. In the fall of 2023, the group\r\nbegan exploring the use of Teams for phishing, specifically delivering payloads such as DarkGate.\r\nThey quickly operationalized the idea using TeamsPhisher and TeamsEnum to identify and target accounts. In\r\nspring 2024 the tactic evolves to focus on vishing, perhaps inspired by user @nickolas, a collaborator often used\r\nby GG in the talks[.]icu chat.\r\n@nickolas: … I was looking yesterday - looking, probably Teams is a pretty good vector for phishing and vishin\r\nGG: I worked Teams a year ago. I was spamming them too. But I didn’t call.\r\n@nickolas: Try it. With Teams, you can also create an account like an IT admin. 
An admin calls him… And starts\r\nThe group also appeared to have invested heavily in vishing operations in early 2024, likely focused on email\r\nbombing. Email bombing is a technique in which a target is bombarded with spam emails, then contacted via\r\nphone call by a threat actor impersonating IT staff.\r\nThe victim is subsequently coerced into installing remote access software, effectively turning their system into a\r\nbeachhead. In May 2024 GG shared Rapid7’s analysis of Black Basta’s email bombing campaigns and\r\nregretfully acknowledged their work had already been identified.\r\nOutsourcing Call Operations\r\nThe Matrix chat “colorado[.]su” (see Urlscan.io report) included in the leaks offers a glimpse into how the vishing\r\nattacks were operationalized. Calls were outsourced to at least two individuals who were instructed to work\r\nthrough a call sheet and impersonate IT staff for 50 cents a call using VoIP services such as Zoho Voice:\r\nManager361: The first block contains information about the company. The second block lists IT specialists who w\r\nNurnazarov: No, I haven't called them.\r\nManager361: *redacted company info*\r\nManager361: I'll tell you when to call.\r\nNurnazarov: Ok.\r\nManager361: Call the first one at 25 minutes.\r\nNurnazarov: Got it.\r\nManager361: Call.\r\nNurnazarov: K*** hung up.\r\nManager880: Unavailable?\r\nNurnazarov: \"No, I talked to her. After asking about the computer, whether everything was working fine. She hung\r\nManager880: We heard it. Well, that happens.\r\nNurnazarov: I was supposed to introduce myself as an employee of ******** right?\r\nManager361: Yes. 
IT department.\r\nThe handlers provided targets using Google Sheets and instructed the callers to record the outcome of each call in an inline\r\ncomment while following a call script provided by their handlers.\r\nThe goal of these phone calls isn’t fully clear, but it was likely done to validate active phone numbers and in\r\ncertain cases conduct social engineering scams in furtherance of email bombing and similar techniques designed\r\nto install remote access tools.\r\nBesides outsourcing labor-intensive efforts like vishing, the group made use of contacts and underground services\r\nto maintain operational agility and efficacy.\r\nUnderground Connections: Build vs. Buy\r\nThe leaked chats make it clear Black Basta operators routinely used, or were inspired by, cybercrime-as-a-service\r\nofferings on underground forums and Telegram. Members can be seen sharing various underground services, from\r\nmalware, loaders, exploits, credential lists and spam lists to initial access auctions. It’s clear underground buys went\r\nthrough GG, who did some basic vetting and testing of samples before authorizing any deals.\r\nAnalysis of the chats shows several Malware-as-a-Service (MaaS) families were employed by the group,\r\nincluding DarkGate, PikaBot, Meduza, Lumma and others. For example, in October 2023 GG discusses\r\noperationalizing RastaFarEye’s DarkGate loader:\r\nGG:\r\nThere’s a very cool loader for targeted loading\r\nIt’s DarkGate\r\nWe’ve got a license paid for 3 months\r\nLater, in November 2023 “W” approaches GG with a new stealer they found on Exploit:\r\nW: Looks like I found a new stealer.\r\nGG: Which one?\r\nW: hxxps://forum[.]exploit[.]in/topic/226619/?tab=comments#comment-1400316 (Meduza Stealer). 
Lifetime $1199.\r\nGG: Good, then take payment details and we’ll start the work.\r\nIn other cases, group members can be seen debating whether to purchase services vs. build their own. In late 2023,\r\ngroup members debated paying the steep cost of BatLoader or FakeBat’s monthly rental (~$5000) for signed\r\nloaders, and considered how they could acquire certificates and do it themselves (“Maybe we should test it\r\n[FakeBat]”).\r\nThis is weighed against the cost of extended validation certificates GG purchased from an unnamed source (“2\r\nfrom SSL (cloud ones), 1 from Global in a file”) for 4 or 5 thousand dollars each. In another situation, group\r\nmembers were frustrated with a credential list they were using for attacks. They discussed building a database and\r\nspending time to improve the quality of the list before deciding to purchase a new dataset from an underground\r\nforum for several thousand dollars.\r\nGroup members were keenly aware of the latest trends and capabilities and re-invested extorted funds into R\u0026D\r\nor capabilities from cybercrime-as-a-service vendors. The table below contains a non-exhaustive list of these\r\nmentions.\r\nNotable Underground Forum and Telegram Mentions\r\nThread | Title | Note\r\nxss[.]is/threads/111413/ | Sentinel One Neutralizer and more | EDR bypass.\r\nxss[.]is/threads/104180/ | Domain Admin, USA, ~1k hosts via AD | Access broker auction.\r\nxss[.]is/threads/107819/ | Virustotal enterprise (VT) | Selling access to enterprise Threat Intelligence platform.\r\nxss[.]is/threads/115537/ | Domains from $1 In one click!; Auto-connection SSL (CloudFlare); Monitoring on CT | Infrastructure services.\r\nexploit[.]in/topic/165990/ | Bulletproof Servers for a wide range of tasks | Infrastructure services.\r\nexploit[.]in/topic/202662/ | Windows Secure-Websocket HVNC | HVNC product from RastaFarEye (DarkGate).\r\nexploit[.]in/topic/205970/? | Loader for Google/Bing Ads, in .EXE or .MSIX format with Smart Screen/Windows Defender/Chrome bypass + Trojan DanaBot HVNC, Stealer. | BatLoader main thread by Afron.\r\nexploit[.]in/topic/217478/ | [RENT] Loader v2.0 - bypass WinDef and Google Alerts + RunPE Nativ\\ [RENT] Loader - bypasses WinDef and Google Alerts | FakeBat main thread by EugenFest.\r\nexploit[.]in/topic/220755/ | LummaC2 - Stealer, 75-80% knockout, tool for professionals | LummaC2 stealer thread by Shamel.\r\nexploit[.]in/topic/226619/ | Meduza Stealer | Meduza Stealer thread by MeduzaCorp.\r\nexploit[.]in/topic/230608/ | Matanbuchus [SERVICE] Private crypt + private droppers + exe conversion. | Matanbuchus thread by BelialDemon.\r\nexploit[.]in/topic/232123/ | Canada RDP corp 20.2$M insurance | Access auction.\r\nt[.]me/evtokens | N/A | RastaFarEye (DarkGate).\r\nt[.]me/Crypt4U_bot, t[.]me/Mavr_MMM | N/A | D3F@ck Loader related Telegram channels/bots.\r\nt[.]me/payk_w, t[.]me/spektr234 | N/A | FakeBat related Telegram channels.\r\nt[.]me/werbeergroup | N/A | Mail/pass combo list for sale.\r\nt[.]me/evil_proxy | N/A | EvilProxy PhaaS.\r\nIt’s worth noting that the group extensively shared open-source projects, tools and proof-of-concept code available\r\non sources such as GitHub. 
In several instances members were chastised for purchasing capabilities from\r\nunderground forums which were simply wrappers around publicly available exploit PoCs or offensive tools.\r\nThe takeaway is this: offensive capabilities in the public sphere/underground will be adopted by adversaries.\r\nAs defenders we need to be more agile than our adversaries in operationalizing countermeasures to limit\r\ntheir success.\r\nBlack Basta's AI Experiment: Interest, Frustration, and Practical Application\r\nBlack Basta members displayed a notable interest in leveraging AI tools for malicious activities, as revealed in\r\ntheir discussions within the chat logs. Initial conversations involved exploring \"WormGPT,\" an uncensored\r\nalternative to ChatGPT, with NN expressing a desire to access it. Members like GG actively shared links related to\r\nChatGPT and its applications, including articles about WormGPT, such as the one from vc[.]ru\r\n(hxxps://vc[.]ru/chatgpt/761733-wormgpt-alternativa-chatgpt-bez-eticheskih-granic-i-ogranicheniy), and also\r\nsuggested searching on forums to find ways to acquire it.\r\nFurthermore, Ugway shared resources related to phishing using ChatGPT and the \"hackergpt[.]chat\" platform\r\n(hxxps://www[.]hackergpt[.]chat/ru). Member Lapa also highlighted ChatGPT's search popularity\r\n(hxxps://explodingtopics[.]com/blog/top-google-searches), indicating a general awareness of its widespread use\r\nand potential.\r\nElsewhere, in May 2024, member Tinker explains to GG that he uses LinkedIn to gather targets for spam and\r\nvishing. He indicates he’ll use ChatGPT to automate the process at some point:\r\nTinker: LinkedIn…the main one. Plus, all the other databases I got for spam…from other affiliate networks. An\r\nDespite exploring these tools, their practical adoption appears varied. 
While NN sought advice on PowerShell\r\nscripts, they also expressed frustration with ChatGPT access, suggesting challenges or obstacles in utilizing the AI\r\nfor some tasks.\r\nIn line with this, Ugway also noted in one conversation that “GPTchat” went crazy. However, there is a notable instance\r\nof practical application: NN successfully used ChatGPT to quickly generate a plausible \"fake letter\" after\r\naccidentally opening a chat window on a computer they were connected to, effectively calming the panicked user with the AI-generated technical jargon.\r\nThis highlights the potential for AI to be used for social engineering and deception within their operations. The\r\nchat logs suggest a strategic interest in integrating AI into their toolkit, but the extent of their usage is influenced\r\nby factors such as access, knowledge, and the availability of alternative methods.\r\nClosing Thoughts and Recommendations from eSentire’s Threat Response Unit\r\n(TRU)\r\nThe leaked Black Basta chats offer a rare glimpse into the inner workings of a major ransomware operation. This\r\nblog only scratches the surface; there are still many insights and leads for researchers and law enforcement to dig into.\r\nBut how should we think about this as network defenders? 
One of the biggest takeaways from the leak is the agility with which the group operationalizes new tradecraft.\r\nMembers are actively scouring forums and open-source cybersecurity research for new techniques before adopting them themselves or purchasing the capability from partners/vendors.\r\nBy and large, the group appeared to exploit low-hanging-fruit risks and increasingly focused on social engineering techniques towards the end of the leak.\r\nIn eSentire’s 2024 Year in Review, 2025 Threat Outlook Report, we highlighted many of these same trends observed across the threat landscape, how we disrupted them and key recommendations for reducing risk. An excerpt of these recommendations can be found below.\r\nDefending Against Initial Access Vectors\r\nPhishing and Security Awareness Training (PSAT): Adopt a PSAT program around browser-based attacks, including social engineering tactics. The training should include exposure to real-world examples, such as:\r\nPikabot – Malvertising, Especially with Google Ads\r\nLumma Stealer, FakeBat – Fake Updates\r\nRATs and Infostealers – Free Software / Software Bundles\r\nAdvanced Persistent Threats – Fake Job Postings\r\nEndpoint Coverage: Ensure good endpoint coverage with Endpoint Detection and Response (EDR) tools to catch User Execution before initial access malware evolves into an intrusion foothold.\r\nNetwork Coverage: Ensure good network coverage with Network Detection and Response (NDR) solutions to cover Remote Exploitation.\r\nLog Coverage: Exploitation of services run on HTTP servers (like Windows IIS and SSL VPNs) can only be detected with proper logging of the relevant server software.\r\nPatch Prioritization: Know your inventory and prioritize actively exploited vulnerabilities that overlap with your tech stack with a comprehensive Managed Vulnerability Service program.\r\nDefending Against Intrusion Actions\r\nZero Trust: Practice zero trust using an internal firewall to 
impair Lateral Movement. To maintain productivity, make it easy to request and obtain access between machines.\r\nMinimum Permissions: To impair Privilege Escalation, start all users with the lowest privileges and require access requests as needed. Ensure an expiration method for access and ensure old accounts are being cleaned up.\r\nEndpoint Coverage: To impair Defense Evasion, ensure endpoint coverage on domain controllers, workstations, and servers – anything that can be used as a staging ground for hands-on intruders. Intruders will intentionally use out-of-scope endpoints as staging grounds.\r\nNetwork Coverage: Ensure internal-to-internal traffic is monitored and configured to alert on signs of lateral movement, credential collection, and command \u0026 control beaconing.\r\nLog Coverage: Attackers are more frequently practicing BYOVM (Bring Your Own Virtual Machine), in which they register their own machine on the network leveraging valid credentials and hiding in the VPN pool. Because VPN software does not support endpoint monitoring agents, detection and investigation require VPN logging.\r\nRecommendations to Build Resilience Against Ransomware Attacks\r\nAnticipate: Ensure you are continuously assessing and understanding your risk exposure and remaining vigilant against sophisticated ransomware threats. Be aware of the risk of cyberattacks, hands-on intruders, and the capability of ransomware groups to lock down systems and leverage stolen data for extortion.\r\nWithstand: Be able to quickly investigate – and react to – an ongoing intrusion, leveraging security telemetry to minimize damage. 
You should also have alternate processes in place in case critical systems are down.\r\nRecover: Have backups for critical and sensitive systems, processes in place to gracefully transition off backup systems, and keep backup systems in a ready state. Be ready to rebuild domain controllers and servers.\r\nAdapt: Monitor the threat landscape, understand how risks evolve with technology, and reduce unnecessary risks.\r\nTo learn how eSentire Next Level MDR can help you build resilience against sophisticated ransomware threats, connect with an eSentire Security Specialist now.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT THE AUTHOR\r\nSpence Hutchinson, Senior Manager, Threat Intelligence Research\r\nAs part of the broader Threat Response Unit, Spence is responsible for monitoring the evolving threat landscape and collaborating with TRU members to respond to ongoing threats. Throughout his tenure at eSentire, he has progressed through various analytical, training, and leadership roles, bringing extensive experience in threat research and security operations to the organization.\r\nSource: https://www.esentire.com/blog/initial-takeaways-from-the-black-basta-chat-leaks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/initial-takeaways-from-the-black-basta-chat-leaks"
	],
	"report_names": [
		"initial-takeaways-from-the-black-basta-chat-leaks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791330,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a9850004e3d2b771d2d40881c31475e033a0d58.pdf",
		"text": "https://archive.orkl.eu/9a9850004e3d2b771d2d40881c31475e033a0d58.txt",
		"img": "https://archive.orkl.eu/9a9850004e3d2b771d2d40881c31475e033a0d58.jpg"
	}
}