# Full Report
Welcome to the Threat Context Monthly blog series, where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. The key focuses this month are the threat groups Black Basta and M_A_G_A, plus plenty more highlights observed by the team. Here’s what you […]

The post Threat Context monthly: Executive intelligence briefing for February 2025 – Black Basta & M_A_G_A appeared first on Outpost24.
# Analysis Summary
# Threat Actor: Black Basta Group
## Attribution & Identity
* **Identification:** Russian-speaking ransomware group.
* **Aliases/Associated Groups:** The leader, "Tramp," is also tracked as "TA577" and is considered a likely founding member of the group, formed in the fallout from the 2022 collapse of the Conti ransomware group. A core member, "Bio," was a long-time associate of the leader from Conti. The group is linked to the "Qakbot group" via member "Cortes."
* **Key Personnel Identified:**
  * "Tramp" (Leader/Mastermind, tracked as TA577).
  * "Bio" (Second-in-command, Chief Administrator, expertise in cryptocurrency handling/laundering, sidelined mid-2024).
  * "Lapa" (Core Administrator, responsible for coordinating attacks and testing tools).
  * "Cortes" (Associated with the Qakbot group).
  * "Nur" (Social Engineer).
  * "Dispossesor" (Attempted to join).
* **Structure:** Core team of approximately 5 to 10 individuals, with around 50 user aliases observed in leaked logs.
## Activity Summary
* **Inception:** Active since April 2022.
* **Business Model:** Operates under the Ransomware-as-a-Service (RaaS) model, employing double-extortion techniques.
* **Scale:** Highly prolific, publishing over 450 victims on its Data Leak Site (DLS) since inception. Estimated to have collected over US$ 100 million in ransomware payments between 2022 and 2023.
* **Recent Events:** Internal chat logs (196,045 messages covering Sept 2023 to Sept 2024) were publicly leaked on February 11, 2025, by a user named "ExploitWhispers." The leak revealed internal issues, relationships, and evolving TTPs. The group reportedly began a decline after lead administrator "Bio" was sidelined due to law enforcement interaction in mid-2024.
## Tactics, Techniques & Procedures
* **Extortion:** Follows the double-extortion technique.
* **Initial Access:** Strong interest in utilizing VPN exploits for initial access; was willing to pay up to US$ 200,000 for Ivanti 0-days.
* **Operational Security:** Improved techniques by including social engineering experts.
* **Target Selection:** Maintains a spreadsheet detailing specific individuals of interest within targeted organizations.
* **TTP Evolution:** Constantly improves techniques by learning from other groups.
* **Internal Dynamics:** Showed mistrust towards the LockBit group.
* *No specific MITRE ATT&CK IDs were mentioned in the source material.*
## Targeting
* **Sectors:** Defense, manufacturing, finance, industrial manufacturers, and energy.
* **Geography:** Global scope (implied by targeting "global companies").
* **Victims:** Over 450 victims published on their DLS.
## Tools & Infrastructure
* **Malware Families Used:** The eponymous "Black Basta" ransomware.
* **Infrastructure/Assets:** Internal chat logs hosted on the Matrix messaging application (the source of the leaked messages discussed above).
* **Financial Tools:** Member "Bio" specialized in cryptocurrency handling and laundering, using mixers and exchangers to avoid blockchain tracing.
* *No specific C2 domains or IPs were mentioned or provided in a defanged format.*
## Implications
Black Basta remains a highly successful (though potentially fracturing) RaaS operation that leverages initial access brokers (via high-value zero-days like Ivanti exploits) and sophisticated social engineering. Insights from the leaked chats provide intelligence on leadership structure, internal tensions, and the group's operational methodology, which is valuable for defenders tracking their evolving TTPs and the potential fallout from organizational changes.
## Mitigations
* Implement robust defenses and patching schedules specifically against known high-value VPN vulnerabilities (e.g., Ivanti).
* Enhance social engineering training for employees, given the group's focus on this area and tracking of internal individuals of interest.
* Monitor for indicators related to former Black Basta members or associated groups (like Qakbot) seeking to integrate elsewhere.