A recent leak of internal chat logs from the Black Basta ransomware operation has raised concerns about potential connections between the group and Russian authorities. The leak, which contained over 200,000 messages spanning from September 2023 to September 2024, was published by a Telegram user last month. An analysis of the messages by cybersecurity company Trellix suggested that Black Basta’s leader, Oleg Nefedov, may have received assistance from Russian officials following his arrest in Armenia in June 2024, allowing him to escape three days later.
In the leaked messages, GG (the handle the leader uses in the chats) claimed to have contacted high-ranking officials to arrange his escape through a “green corridor.” This exposure makes it harder for the Black Basta gang to rebrand and restart operations without traceable ties to their previous activities. The messages also revealed that the group likely has two offices in Moscow and uses various tools, including OpenAI ChatGPT, for composing fraudulent letters and developing malware.
The Black Basta group has been linked to other ransomware operations such as Rhysida and CACTUS, and it has developed sophisticated tools like DarkGate and Lumma Stealer to steal credentials and deploy additional malware. The group also created a post-exploitation command-and-control framework called Breaker to maintain persistence inside compromised networks. Additionally, GG collaborated with a developer to create a new ransomware derived from Conti’s source code, indicating a possible rebranding effort.
EclecticIQ recently uncovered Black Basta’s development of a brute-forcing framework called BRUTED, designed to target edge network devices and perform automated scanning and credential stuffing. This framework has enabled the group to scale its attacks, expand its victim pool, and accelerate its ransomware operations. The use of this tool, together with evidence of large-scale credential-stuffing attacks since 2023, suggests that Black Basta is continuously evolving and enhancing its capabilities.