Full Report
The Black Basta ransomware group has fallen off dramatically in 2025, and chat logs leaked recently show that internal squabbling may be behind the group’s slowed activity. Cyble threat intelligence researchers documented 189 Black Basta victims in 2024. Nearly two months into 2025, that number has fallen to eight.

Two weeks ago, a Telegram user who goes by ExploitWhispers leaked the group’s chat logs, which revealed infighting and disagreement over targets among Black Basta members. What might be more useful, however, is an examination of what the chat logs tell us about Black Basta TTPs (tactics, techniques and procedures). So we queried a ChatGPT instance set up by security researchers to examine the Black Basta data, which includes nearly 200,000 chat messages sent between September 2023 and September 2024, to glean indicators of compromise (IoCs), TTPs and more. The chat logs appear to include new information on the group beyond what had previously been reported by CISA and others, including newer vulnerabilities under discussion by group members.

Black Basta first appeared in April 2022, likely formed by former members of the Conti and REvil ransomware groups, and Cyble has since documented 528 victims of the group.

Black Basta TTPs Revealed by Leaked Chat Logs

According to the chat logs, Black Basta favors compromised remote access points for initial access, such as Remote Desktop Protocol (RDP) and VPN credentials. Malicious scripts follow, including VBS (Visual Basic Script) files that execute malicious payloads, and command execution via rundll32.exe, a common method for running DLL-based payloads. File names such as drs1312_signed.zip suggest the use of digitally signed executables to evade detection.
Numerous discussions about ESXi hypervisor vulnerabilities included mentions of systems allowing default passwords, and several leaked login credentials for various services suggest that the group employs credential stuffing, brute force, and/or phishing tactics. Command and control (C2) is established through SOCKS proxy servers and SSH command execution, with rotating domains for malware downloads and C2 communication.

Black Basta also uses obfuscation and encryption techniques, with group members discussing antivirus (AV) evasion tactics, and files like e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip indicate whole-system encryption tactics. Discussions also mentioned custom-built AV/EDR disablers, and Qakbot trojan evasion, injection and persistence mechanisms.

The group used Cobalt Strike with multiple modifications, including a custom-built Artifact Kit for modifying Cobalt Strike payloads, the Elevate Kit to integrate privilege escalation exploits, the Sleep Mask Kit for memory obfuscation and AV evasion, and the Mutator Kit to modify compiled binaries. Mimikatz is another frequently used tool. Members have also spoofed IT calls, posing as IT support to obtain access and bypass security.

Vulnerabilities Targeted by Black Basta

The chat logs contain a long list of vulnerabilities under discussion by Black Basta members, ranging from Linux and Windows vulnerabilities to network devices, open source frameworks, IT tools and more, and in some cases the group appears to have chained vulnerabilities together.
Specific CVEs targeted by Black Basta include:

- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability
- CVE-2021-44228: The Log4j “Log4Shell” vulnerability
- CVE-2022-22965: Spring Framework “Spring4Shell” vulnerability
- CVE-2022-1388: F5 BIG-IP REST authentication vulnerability
- CVE-2022-0609: Use-after-free vulnerability in Animation in Google Chrome
- CVE-2017-11882: Microsoft Office memory corruption vulnerability
- CVE-2022-41082 and CVE-2022-41040: The Microsoft Exchange “ProxyNotShell” vulnerabilities
- CVE-2022-27925 and CVE-2022-41352: Zimbra Collaboration vulnerabilities that were used together to gain access and execute a reverse shell
- CVE-2022-26134: Atlassian Confluence RCE vulnerability
- CVE-2022-30525: Zyxel RCE vulnerability

More recent vulnerabilities under discussion by the group have included:

- CVE-2024-21762: Fortinet FortiOS RCE
- CVE-2024-3400: GlobalProtect RCE in Palo Alto Networks PAN-OS
- CVE-2024-1709: ConnectWise ScreenConnect RCE
- CVE-2024-26169: Windows Error Reporting Service elevation of privilege vulnerability
- CVE-2024-23897: A Jenkins CI/CD pipeline vulnerability
- CVE-2024-1086: A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component

Black Basta File Hashes and Indicators of Compromise (IoCs)

From ransomware files and malware samples to C2 IPs, domains, and compromised credentials, the chat logs also revealed a range of Black Basta indicators of compromise (IoCs).

Ransomware files include:

- e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip
- CVE-2022-27925-zimbra_Revshell.zip (a backdoored Zimbra exploit)

Black Basta has been associated with various malware families, including RemcosRAT, AgentTesla, FormBook, and GuLoader.
File hashes from shared malware samples include:

- Remcos RAT: c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e
- Agent Tesla: 50d414576bf441cca754e6e3b96dabdf35fed443ecb98f865dc89e623bc2f0e9
- Formbook: e19dfc72ad2eea815ef6b4eb9b812471b3bb3cf40333d97e3c552c87db86e65a
- GuLoader: 5a2f52bb90ed8a2fd9bc0e07937684ac9b9389cdd112760f8dc96e16aa63d513

IP addresses used by the group for botnet communication, command-and-control (C2), and proxies have included: 214.25.250, 8.18.230, 161.27.152, 98.80.158, 60.149.244, 227.252.244, 238.181.250, 118.36.203, 60.149.241, 165.16.55, 57.243.97 (used for shell, SOCKS, FTP) and 253.64.241 (used in UK-based attacks).

The Biggest Ransomware Group Leak Since Conti

The Black Basta chat log leak is likely the biggest leak to hit a ransomware group since Black Basta predecessor Conti was hit by a source code leak in 2022. So while the infighting is certainly entertaining and sheds light on the group’s dynamics, the many tactical details revealed provide a rich data source for threat intelligence researchers and security teams whose job is to stop and respond to threats from Black Basta and others who may adopt its tactics.
Analysis Summary
# Tool/Technique: Black Basta Ransomware Operations
## Overview
The information summarizes the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) exposed through a leak of Black Basta's internal chat logs. Black Basta is a Ransomware-as-a-Service (RaaS) operation known for encrypting targets and has been associated with using various common malware strains for initial access and compromise.
## Technical Details
- Type: Malware Family/Ransomware Operation
- Platform: Windows (Inferred, as these are typical ransomware targets)
- Capabilities: Data encryption, likely leveraging known malware for initial compromise and establishing persistence/lateral movement.
- First Seen: April 2022 (per the report above), likely formed by former members of the Conti and REvil groups.
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred from the report's description of the group's tooling and the associated malware families.*
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (VBS scripts and RAT/loader execution)
  - T1204 - User Execution (likely via phishing delivering malware)
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (the custom AV/EDR disablers the report describes)
  - T1027 - Obfuscated Files or Information (obfuscation and encryption techniques, Sleep Mask Kit memory obfuscation)
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services (RDP and VPN credential use; inferred for internal network spreading)
## Functionality
### Core Capabilities
- Ransomware deployment leading to data encryption.
- Utilization of stolen or known RATs/Loaders for initial intrusion and establishing command and control.
### Advanced Features
- The context highlights the operational structure and TTPs revealed via the chat logs, suggesting a mature, organized RaaS approach similar to its predecessor, Conti.
- Use of multiple established malware families for different stages of the attack lifecycle.
## Indicators of Compromise
- File Names:
  - Black Basta ransomware sample zip: `e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip`
  - Zimbra RevShell exploit sample: `CVE-2022-27925-zimbra_Revshell.zip`
- File Hashes (SHA-256):
  - Remcos RAT sample: `c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e`
  - Agent Tesla sample: `50d414576bf441cca754e6e3b96dabdf35fed443ecb98f865dc89e623bc2f0e9`
  - FormBook sample: `e19dfc72ad2eea815ef6b4eb9b812471b3bb3cf40333d97e3c552c87db86e65a`
  - GuLoader sample: `5a2f52bb90ed8a2fd9bc0e07937684ac9b9389cdd112760f8dc96e16aa63d513`
- Registry Keys: Not specified.
- Network Indicators:
  - C2/Proxy IPs: `214[.]25[.]250`, `8[.]18[.]230`, `161[.]27[.]152`, `98[.]80[.]158`, `60[.]149[.]244`, `227[.]252[.]244`, `238[.]181[.]250`, `118[.]36[.]203`, `60[.]149[.]241`, `165[.]16[.]55`
  - Specialized C2 IP (Shell, SOCKS, FTP): `57[.]243[.]97`
  - UK-based Attack IP: `253[.]64[.]241`
- Behavioral Indicators: Use of compromised remote access (RDP and VPN credentials, per the report) alongside remote access trojans; data exfiltration (implied by ransomware methodology).
## Associated Threat Actors
- Black Basta (The primary group utilizing these tactics and derived tooling).
- Potentially affiliated groups that may adopt tactics post-leak, given Black Basta's lineage from Conti.
## Detection Methods
- Signature-based detection against the provided file hashes.
- Detection of the associated malware families: RemcosRAT, AgentTesla, FormBook, and GuLoader.
- Network monitoring for connections to the listed C2/proxy IP addresses.
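The hash- and file-name matching from the detection list above, together with the VBS-then-rundll32.exe execution chain from the report's TTP section, as an added example that is not Cyble's code: it scans constructed event lines for the report's sample SHA-256 hashes and archive names and flags rundll32.exe launched by a script host. The `key="value"` event format and the wscript/cscript script-host names are assumptions.

```python
import re

# SHA-256 values and archive names are the ones listed in the report above.
IOC_SHA256 = {
    "c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e": "Remcos RAT",
    "50d414576bf441cca754e6e3b96dabdf35fed443ecb98f865dc89e623bc2f0e9": "Agent Tesla",
    "e19dfc72ad2eea815ef6b4eb9b812471b3bb3cf40333d97e3c552c87db86e65a": "FormBook",
    "5a2f52bb90ed8a2fd9bc0e07937684ac9b9389cdd112760f8dc96e16aa63d513": "GuLoader",
}
IOC_FILENAMES = {
    "e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip",
    "CVE-2022-27925-zimbra_Revshell.zip",
    "drs1312_signed.zip",
}
# Behavioural rule from the TTP section: a VBS script host spawning rundll32.exe.
# Assumption: VBS files run under the Windows Script Host binaries named here.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def parse_event(line):
    """Parse one constructed key="value" event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def scan_events(lines):
    """Return (event_no, rule, detail) for every hash, file-name or behaviour match."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        h = ev.get("sha256", "").lower()
        if h in IOC_SHA256:
            alerts.append((n, "ioc_hash", IOC_SHA256[h]))
        name = ev.get("file", "").rsplit("\\", 1)[-1]          # basename of the path
        if name in IOC_FILENAMES:
            alerts.append((n, "ioc_filename", name))
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if parent in SCRIPT_HOSTS and image == "rundll32.exe":
            alerts.append((n, "vbs_rundll32_chain", ev.get("cmdline", "")))
    return alerts

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    'type="file" file="C:\\Users\\a\\Downloads\\drs1312_signed.zip" sha256="' + "0" * 64 + '"',
    'type="process" parent="C:\\Windows\\System32\\wscript.exe" image="C:\\Windows\\System32\\rundll32.exe" cmdline="rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\upd.dll,Start"',
    'type="file" file="C:\\Users\\a\\AppData\\Local\\Temp\\doc.exe" sha256="c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e"',
    'type="process" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\rundll32.exe" cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
]

if __name__ == "__main__":
    for n, rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"event {n}: {rule}: {detail}")
```

The fourth event (rundll32.exe under explorer.exe) is a benign control that produces no alert.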
## Mitigation Strategies
- Patching and securing systems against the vulnerabilities the group is known to exploit (e.g., CVE-2022-27925 in Zimbra, where that vector applies).
- Implementing robust endpoint detection and response (EDR) capable of detecting the behaviors associated with RATs and ransomware deployment.
- Network segmentation and strict egress filtering to identify command-and-control traffic.
## Related Tools/Techniques
- **Malware Families Used:** RemcosRAT, AgentTesla, FormBook, GuLoader (operating as loaders/information stealers/backdoors).
- **Predecessor/Related Group:** Conti (Black Basta is viewed as a successor group).
- **Vulnerability Exploitation:** CVE-2022-27925 (Zimbra vulnerability, chained in the report with CVE-2022-41352 to gain access and execute a reverse shell; the shared exploit archive was itself backdoored).