Full Report
The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities. The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month. According to an analysis of the messages by cybersecurity company
Analysis Summary
# Threat Actor: Black Basta Ransomware Operation
## Attribution & Identity
* **Primary Identification:** Black Basta ransomware operation.
* **Alleged Leader/Key Figure:** Oleg Nefedov (Online aliases: GG or AA).
* **Associated Groups/Overlap:** Potential operational overlap with Rhysida and CACTUS ransomware groups.
* **Known Infrastructure Detail:** Group likely maintains two offices in Moscow.
* **Geopolitical Context:** Internal chats suggest potential assistance from Russian officials following the arrest of the leader in Armenia.
## Activity Summary
* The analysis is based on a leaked trove of internal chat logs spanning September 2023 to September 2024, published by Telegram user @ExploitWhispers.
* The leader, GG, was reportedly arrested in Yerevan, Armenia, in June 2024 but escaped three days later, claiming high-ranking officials provided a "green corridor."
* The group has been working on a new ransomware prototype derived from Conti source code, developed in collaboration between GG and the developer 'mecor', suggesting a possible rebranding effort.
* They are actively developing a brute-forcing framework named BRUTED, designed for automated internet scanning and credential stuffing against edge network devices (firewalls, VPNs).
## Tactics, Techniques & Procedures
* **Code Reuse/Development:** Developing new ransomware derived from Conti source code.
* **Initial Access/Loader Development:** Developed a malware loader over one year, following the disruption of QakBot.
* **Malware Usage:** Rented and utilized the **DarkGate** malware (from actor 'Rastafareye').
* **Credential Theft:** Used **Lumma Stealer** to harvest credentials.
* **Command and Control (C2):** Developed a post-exploitation C2 framework named **Breaker** for persistence, evasion, and maintaining access.
* **Automation/Scanning:** Developing the **BRUTED** framework for automated credential stuffing against edge devices.
* **Operational Use of AI:** Utilizing OpenAI ChatGPT for various tasks, including:
  * Composing fraudulent formal letters in English.
  * Paraphrasing text.
  * Rewriting C#-based malware into Python.
  * Debugging code and collecting victim data.
* **Developer Overlap:** The developer of PikaBot (Ukrainian national using alias mecor/n3auxaxl) collaborated with GG on new ransomware.
## Targeting
* **Sectors:** Undisclosed, but operations target general corporate networks utilizing edge devices (firewalls, VPNs).
* **Geography:** Implied Russian base of operations (Moscow offices). The leader's arrest occurred in Armenia.
* **Victims:** No specific victims are named in the source. The description of the BRUTED framework indicates that organizations are targeted through their internet-facing firewalls and VPN gateways.
## Tools & Infrastructure
* **Malware Families Used:** DarkGate (rented from 'Rastafareye'), Lumma Stealer, and a new Conti-derived ransomware prototype under development. PikaBot itself is not reported as used by the group; its developer ('mecor') collaborated on the new ransomware.
* **Custom Tools:** Breaker (Post-exploitation C2 framework), BRUTED (Brute-forcing framework).
* **Infrastructure (C2/Hosting):** No C2 or hosting details appear in the source. DarkGate capabilities were rented from 'Rastafareye'. The only physical infrastructure detail is the two offices the group likely maintains in Moscow.
* **Defanged URLs/IPs:** None; the source text provides no C2 domains or IP addresses.
## Implications
The leaked chats provide high-fidelity insight into the group's internal development pipeline, its reliance on AI tools (ChatGPT), and possible state-level interference following law enforcement action. The suggested overlap between Black Basta and the Rhysida and CACTUS operations, together with continued development on the Conti code lineage, points to a resilient operation willing to rebrand or evolve rapidly despite law enforcement action against its leadership.
## Mitigations
* **Harden Edge Devices Against Brute-Forcing:** Enforce multi-factor authentication, account lockout or rate limiting, and alerting on bursts of failed logins on internet-facing firewalls and VPN gateways, the targets of the BRUTED framework.
* **Detect Post-Exploitation C2:** Segment networks and hunt for persistence and beaconing behaviour characteristic of custom C2 frameworks such as Breaker; the source gives no indicators for Breaker, so rely on behavioural detection rather than signatures.
* **Track Tooling Lineage:** Treat the Conti source code reuse and the PikaBot developer's collaboration as attribution and detection aids: detections and YARA rules written for Conti-derived ransomware are a reasonable starting point for the new prototype until samples are available.
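As an added example (not code from the leak, the source article, or any vendor tool), the following Python detection logic applies the edge-device mitigation to a constructed VPN authentication log. It parses syslog-style lines (the log format, field names and thresholds are assumptions to tune per environment), finds per-source bursts of failed logins inside a sliding time window, distinguishes password spraying across many accounts (the pattern an automated credential-stuffing tool such as BRUTED produces) from repeated attempts against one account, and flags any success that follows a burst from the same source, which is the event needing immediate triage.

```python
"""
Brute-force / credential-stuffing detection over VPN authentication logs.
Added example: the log format below is a constructed syslog-style sample,
and the thresholds are assumptions, not values from the leaked chats.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source spraying many accounts and then
# succeeding, one benign user who mistyped once, and one source hammering
# a single account.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z vpn01 auth: FAILED user=alice src=203.0.113.7
2024-06-01T10:00:02Z vpn01 auth: FAILED user=bob src=203.0.113.7
2024-06-01T10:00:02Z vpn01 auth: FAILED user=carol src=203.0.113.7
2024-06-01T10:00:03Z vpn01 auth: FAILED user=dave src=203.0.113.7
2024-06-01T10:00:03Z vpn01 auth: FAILED user=erin src=203.0.113.7
2024-06-01T10:00:04Z vpn01 auth: FAILED user=frank src=203.0.113.7
2024-06-01T10:00:05Z vpn01 auth: SUCCESS user=grace src=203.0.113.7
2024-06-01T10:00:09Z vpn01 auth: FAILED user=alice src=198.51.100.20
2024-06-01T10:00:40Z vpn01 auth: SUCCESS user=alice src=198.51.100.20
2024-06-01T10:05:00Z vpn01 auth: FAILED user=admin src=192.0.2.9
2024-06-01T10:05:01Z vpn01 auth: FAILED user=admin src=192.0.2.9
2024-06-01T10:05:02Z vpn01 auth: FAILED user=admin src=192.0.2.9
2024-06-01T10:05:03Z vpn01 auth: FAILED user=admin src=192.0.2.9
2024-06-01T10:05:04Z vpn01 auth: FAILED user=admin src=192.0.2.9
"""

# Assumed line layout: "<ISO8601 ts> <host> auth: <FAILED|SUCCESS> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log lines are ignored, not treated as errors
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect(log_text, window=timedelta(seconds=60), max_failures=5, spray_users=4):
    """
    Return {src: finding} for every source whose largest burst of failures
    inside `window` reaches `max_failures`. A burst spread over at least
    `spray_users` distinct accounts is classed as "spray" (one source trying
    many usernames); otherwise it is "bruteforce" (few accounts, many tries).
    `success_after_burst` is True if the same source logged in successfully
    at or after the end of the burst.
    """
    events = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        events[src].append((ts, result, user))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAILED"]
        # Sliding window: keep the longest run of failures that fits in `window`.
        best, lo = [], 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = fails[lo:hi + 1]
        if len(best) < max_failures:
            continue
        users = {u for _, u in best}
        burst_end = best[-1][0]
        success_after = any(
            result == "SUCCESS" and ts >= burst_end for ts, result, _ in evs
        )
        findings[src] = {
            "kind": "spray" if len(users) >= spray_users else "bruteforce",
            "failures": len(best),
            "distinct_users": len(users),
            "success_after_burst": success_after,
        }
    return findings


def triage_order(findings):
    """Sources to look at first: a success after a burst outranks burst size."""
    return sorted(
        findings,
        key=lambda s: (findings[s]["success_after_burst"], findings[s]["failures"]),
        reverse=True,
    )


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for src in triage_order(found):
        print(src, found[src])
```

On the constructed sample, 203.0.113.7 is reported as a spray of six failures across six accounts followed by a success and is ranked first; 192.0.2.9 is a single-account brute force with no success; the lone failure from 198.51.100.20 never reaches the threshold. The spray classification is the one to wire to an automatic block or rate limit, since a lockout policy per account does nothing against a tool that tries each account only once.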