Full Report
On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the...
Analysis Summary
# Threat Actor: Black Basta
## Attribution & Identity
**Primary Identity:** Black Basta, a Ransomware-as-a-Service (RaaS) group established around April 2022.
**Leadership/Attribution:** Founded and controlled by Conti Team 3, also known as Tramp’s team.
**Leader Alias/Identity:** Tramp, who uses aliases 'gg' and 'aa' in internal communications.
**Likely Real Identity:** Oleg Nefedov, a 35-year-old Russian citizen from Yoshkar-Ola.
**Associated Groups:** Successor/evolution of Conti RaaS operations.
## Activity Summary
Black Basta is a RaaS operation that emerged in April 2022.
The group has reportedly attacked over 500 organizations globally.
Since January 2025, no new victims have been reported, and the group's leak site is down, suggesting internal dislocation or conflict.
The activity summary is based on analysis of a large leak of internal chat logs (covering September 18, 2023, to September 28, 2024), released by an otherwise unknown entity calling itself 'ExploitWhispers', reportedly in response to an internal dispute over the group's targeting of Russian banks.
The group reportedly received over $100 million in ransom payments by November 2023.
## Tactics, Techniques & Procedures
- **Organizational Structure:** Highly structured, hierarchical organization with at least two physical offices (likely Moscow area). Employed specialized personnel for infrastructure, initial access, malware/C2 obfuscation, development, and negotiations.
- **Operational Model:** A distinct split between core employees working under direct supervision and independent affiliates/pentesters (often former associates from Conti, using distinct internal methodologies).
- **C2/Infrastructure Management:** Periodically changed Matrix servers for operational security (OPSEC). Migrated chat servers in September 2024 following the brief arrest and near-extradition of the leader in Armenia (June 2024).
- **Purchasing Services:** Active on Russian-language cybercrime forums (XSS, Exploit, RAMP) to procure services like crypting (payload obfuscation), hosting, spam campaigns, exploits, and initial access.
- **Infrastructure Use:** Utilized legitimate providers (like Hetzner) through third-party resellers accepting cryptocurrency for hosting leak sites and admin panels. Employed bulletproof hosting (BPH) services (e.g., offered by 'gerry') marginally for Cobalt Strike C2 deployment, preferring offshore/grey hosting companies for rotation and obfuscation. Used fast-flux capabilities behind BPH for hiding real IP addresses.
- **Malware/Tools:** Utilized Cobalt Strike for command and control and lateral movement post-exploitation.
## Targeting
**Sectors:** Healthcare, manufacturing, and utilities.
**Geography:** Worldwide (500+ organizations).
**Victims:** Ascension, Dish Network, Maple Leaf Foods, BT Group, and Rheinmetall.
**Note on Conflict:** ExploitWhispers accused Black Basta of "crossing a red line" by targeting Russian banks.
## Tools & Infrastructure
- **Malware Families Used:** Cobalt Strike (used for C2).
- **Infrastructure:**
- Primary hosting for leak sites/admin panels/chat services: Legitimate providers like Hetzner (acquired via cryptocurrency resellers).
- Bulletproof/Abuse-Resistant Hosting: Used for Cobalt Strike and fast-flux; services mentioned include 'Gerry' (Abkhaz hosting).
- C2 Obfuscation: Relied heavily on server rotation and third-party resellers rather than exclusive reliance on BPH.
## Implications
The chat leak provides an extensive look into the internal workings, financial success, leadership structure, and operational security practices (like infrastructure rotation and forum purchasing habits) of a major RaaS operation. The internal strife suggests potential instability or organizational fragmentation, which could represent a temporary lapse in operational capability or a pivot for the leadership/affiliates.
## Mitigations
- **Monitor Cybercrime Forums:** Track known aliases and TTPs discussed on forums like XSS, Exploit, and RAMP to gain insight into current affiliate operations.
- **Infrastructure Inspection:** Scrutinize hosting providers commonly used by cybercriminals (even legitimate ones using resellers) for rapid server cycling or unusual deployment patterns.
- **Defend Against Cobalt Strike:** Implement robust detection and monitoring for Cobalt Strike beacons, C2 traffic, and payloads, especially against known obfuscation techniques.
- **Supply Chain:** Be aware that affiliates often possess prior experience from groups like Conti.
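The "Defend Against Cobalt Strike" item above calls for beacon and C2-traffic detection without saying how. One generic, signature-independent heuristic a defender can run over proxy or firewall logs is periodicity analysis: a beacon checks in with its C2 server at a configured sleep interval, and even with jitter applied the spread of inter-connection intervals stays narrow relative to their mean. The following Python script is an added example written for this page, not code from the report or from any tool it describes; the log format, hosts and addresses are constructed for illustration, and the thresholds (`min_events`, `max_cv`) are assumptions to be tuned against real traffic.

```python
"""
Beaconing heuristic over constructed proxy log lines (added example).

Groups connections by (source, destination), measures the gaps between
successive connections and flags pairs whose gaps are both numerous and
regular. Regularity is measured as the coefficient of variation (CV =
stdev / mean) so that a jittered beacon still scores low while ordinary
user browsing, which is bursty and irregular, scores high.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <method>".
# 10.0.0.5 -> 203.0.113.10 checks in roughly every 60s with a few seconds of
# jitter (beacon-like). 10.0.0.7 -> 198.51.100.20 is bursty browsing.
# 10.0.0.5 -> 198.51.100.7 has too few events to judge.
SAMPLE_LOG = """
2024-09-01T10:00:00Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:00:10Z 10.0.0.7 198.51.100.20 443 CONNECT
2024-09-01T10:00:15Z 10.0.0.7 198.51.100.20 443 CONNECT
2024-09-01T10:00:30Z 10.0.0.5 198.51.100.7 443 CONNECT
2024-09-01T10:01:02Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:01:58Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:02:30Z 10.0.0.7 198.51.100.20 443 CONNECT
2024-09-01T10:02:33Z 10.0.0.7 198.51.100.20 443 CONNECT
2024-09-01T10:03:01Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:04:00Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:05:03Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:05:58Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:06:30Z 10.0.0.5 198.51.100.7 443 CONNECT
2024-09-01T10:07:01Z 10.0.0.5 203.0.113.10 443 CONNECT
2024-09-01T10:10:10Z 10.0.0.7 198.51.100.20 443 CONNECT
2024-09-01T10:10:12Z 10.0.0.7 198.51.100.20 443 CONNECT
2024-09-01T10:25:10Z 10.0.0.7 198.51.100.20 443 CONNECT
"""


def parse_line(line):
    """Return (timestamp, src, dst) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def find_beacons(lines, min_events=6, max_cv=0.25):
    """
    Return {(src, dst): {"count", "mean_interval_s", "cv"}} for every pair
    that has at least `min_events` connections and whose inter-connection
    intervals have a coefficient of variation of at most `max_cv`.
    Both thresholds are assumed starting points, not tuned values.
    """
    timestamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            timestamps[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in timestamps.items():
        if len(stamps) < min_events:
            continue  # not enough samples to call the series periodic
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged[pair] = {
                "count": len(stamps),
                "mean_interval_s": round(avg, 2),
                "cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: {info['count']} connections, "
              f"mean interval {info['mean_interval_s']}s, CV {info['cv']}")
```

On the constructed sample only the 10.0.0.5 to 203.0.113.10 series is flagged (eight connections, mean gap of about 60 s, CV near 0.05); the browsing series fails the regularity test and the two-event pair never reaches `min_events`. In production this heuristic is a triage signal rather than a verdict: legitimate software update checks, monitoring agents and NTP clients are also periodic, so flagged pairs should be enriched with destination reputation and the hosting-provider and server-rotation observations noted under "Infrastructure Inspection" before escalation.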