The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities.
The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month.
According to an analysis of the messages by cybersecurity company Trellix, Black Basta’s alleged leader Oleg Nefedov (aka GG or AA) may have received help from Russian officials following his arrest in Yerevan, Armenia, in June 2024, allowing him to escape three days later.
In the messages, GG claimed that he contacted high-ranking officials to pass through a “green corridor” and facilitate the extraction.
“This knowledge from chat leaks makes it difficult for the Black Basta gang to completely abandon the way they operate and start a new RaaS from scratch without a reference to their previous activities,” Trellix researchers Jambul Tologonov and John Fokker said.
Among other notable findings include –
- The group likely has two offices in Moscow
- The group utilizes OpenAI ChatGPT for composing fraudulent formal letters in English, paraphrasing text, rewriting C#-based malware in Python, debugging code, and collecting victim data
- Some members of the group overlap with other ransomware operations like Rhysida and CACTUS
- The developer of PikaBot is a Ukrainian national who goes by the online alias mecor (aka n3auxaxl) and that it took Black Basta a year to develop the malware loader post QakBot’s disruption
- The group rented DarkGate from Rastafareye and used Lumma Stealer to steal credentials as well as drop additional malware
- The group developed a post-exploitation command-and-control (C2) framework called Breaker to establish persistence, evade detection, and maintain access across network systems
- GG worked with mecor on new ransomware that’s derived from Conti’s source code, leading to the release of a prototype written in C, indicating a possible rebranding effort
The development comes as EclecticIQ revealed Black Basta’s work on a brute-forcing framework dubbed BRUTED that’s designed to perform automated internet scanning and credential stuffing against edge network devices, including widely used firewalls and VPN solutions in corporate networks.
There is evidence to suggest that the cybercrime crew has been using the PHP-based platform since 2023 to perform large-scale credential-stuffing and brute-force attacks on target devices, allowing the threat actors to gain visibility into victim networks.
“BRUTED framework enables Black Basta affiliates to automate and scale these attacks, expanding their victim pool and accelerating monetization to drive ransomware operations,” security researcher Arda Büyükkaya said.
“Internal communications reveal that Black Basta has heavily invested in the BRUTED framework, enabling rapid internet scans for edge network appliances and large-scale credential stuffing to target weak passwords.”
