Black Basta Playbook Chat Leak
This article profiles the Black Basta ransomware group: its structure, attack tactics, and tooling. A recent leak of the group's internal chats exposed details of its operational methods, which can be turned into concrete threat hunting and incident response strategies. Affected: Black Basta ransomware group, CONTI affiliates, victims of ransomware attacks, cybersecurity sector

Keypoints :

  • Black Basta has been operational since April 2022 and is connected to former CONTI affiliates.
  • The group utilizes a Ransomware-as-a-Service (RaaS) model with double extortion tactics.
  • Leaked chat data reveals detailed roles of various affiliates within the group.
  • Vulnerabilities exploited by Black Basta include Log4Shell (CVE-2021-44228), CVE-2024-3400 (PAN-OS GlobalProtect), and others.
  • The analysis catalogues the group's tooling, including Cobalt Strike, Amadey, and numerous other malware families used in attacks.
  • Critical MITRE ATT&CK techniques employed by Black Basta were identified during the chat analysis.
  • Diverse persistence and defense-evasion tactics were highlighted, most of them carried out with the tools listed above rather than custom techniques.
  • Significant indicators of compromise (IOCs) including email addresses, payment links, and IP addresses were noted in the analysis.
  • Recommendations for detecting and countering Black Basta tactics through threat hunting and playbook sharing were provided.

MITRE Techniques :

  • Exploitation of Public-Facing Application (T1190) – Exploited vulnerabilities in Zimbra, OWA, Cisco, and Fortinet.
  • Valid Accounts (T1078) – Reused valid credentials (harvested via LSASS dumping) to authenticate during lateral movement.
  • Command and Scripting Interpreter (T1059) – Utilized PowerShell, CMD, and WMIC for executing payloads.
  • Windows Management Instrumentation (T1047) – Executed discovery commands using WMIC.
  • System Binary Proxy Execution (T1218) – Abused rundll32 (T1218.011), msiexec (T1218.007), and regsvr32 (T1218.010) to execute payloads stealthily.
  • System Information Discovery (T1082) – Used systeminfo and PowerShell commands to gather system details.
  • OS Credential Dumping (T1003) – Dumped LSASS memory (T1003.001) and stole credentials from registry hives such as SAM and SECURITY (T1003.002, T1003.004).
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – Altered registry Run keys for persistence across reboots.
  • Brute Force: Password Spraying (T1110.003) – Conducted password spraying attacks against VPNs and OWA portals.
  • Application Layer Protocol (T1071) – Established C2 communication over application-layer protocols carried on TCP.

Indicator of Compromise :

  • Email Address: vasiliy.petrov2334@mail[.]ru
  • Payment Link: pay[.]kassa[.]shop
  • IP Address (Potential C2): 91[.]204[.]248[.]6
  • IP Address (Potential C2): 45[.]144[.]28[.]244
  • IP Address (Potential C2): 192[.]36[.]41[.]65
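The indicators above are defanged for safe publication and have to be refanged before they can be matched against logs. The following is an added example, not part of the article: it refangs the listed IOCs, classifies each as e-mail, IPv4, or domain, and sweeps constructed proxy, mail-gateway, and firewall log lines for them with token boundaries so that a longer address such as 191.204.248.6 does not produce a false hit on 91.204.248.6. The log lines and hostnames are constructed; only the IOCs come from the page.

```python
"""Refang the IOCs listed above and sweep constructed log lines for them."""
import re

# IOCs exactly as published (defanged) on this page.
DEFANGED_IOCS = [
    "vasiliy.petrov2334@mail[.]ru",
    "pay[.]kassa[.]shop",
    "91[.]204[.]248[.]6",
    "45[.]144[.]28[.]244",
    "192[.]36[.]41[.]65",
]

# Constructed sample lines (proxy, mail gateway, firewall); not real telemetry.
SAMPLE_LOGS = [
    "2025-02-20T10:02:11Z proxy WS01 GET http://pay.kassa.shop/inv/7731 200",
    "2025-02-20T10:05:40Z mail from=<vasiliy.petrov2334@mail.ru> to=<cfo@example.invalid> accepted",
    "2025-02-20T10:06:02Z fw allow 10.0.0.25:51233 -> 91.204.248.6:443 tcp",
    "2025-02-20T10:07:15Z fw allow 10.0.0.25:51240 -> 191.204.248.6:443 tcp",  # near miss, must not match
    "2025-02-20T10:09:58Z proxy WS02 GET http://example.invalid/ 200",
]


def refang(ioc):
    """Undo common defanging: [.] (.) {.} -> '.', [@] -> '@', hxxp(s) -> http(s)."""
    s = re.sub(r"[\[({]\.[\])}]", ".", ioc)
    s = re.sub(r"\[@\]", "@", s)
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def classify(ioc):
    """Coarse IOC type; drives the boundary rule used when matching."""
    if "@" in ioc:
        return "email"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ipv4"
    return "domain"


def compile_ioc(ioc):
    """Anchor each IOC so it cannot match inside a longer token:
    191.204.248.6 must not hit 91.204.248.6, while sub.pay.kassa.shop
    should still hit the domain (a preceding '.' is allowed)."""
    kind = classify(ioc)
    esc = re.escape(ioc)
    if kind == "ipv4":
        rx = r"(?<![\d.])" + esc + r"(?![\d.])"
    elif kind == "email":
        rx = r"(?<![\w.+-])" + esc + r"(?![\w.-])"
    else:
        rx = r"(?<![\w-])" + esc + r"(?![\w-])"
    return kind, re.compile(rx, re.I)


def scan_logs(lines, defanged_iocs):
    """Return (line_number, ioc, kind) for every IOC found in every line."""
    matchers = [(ioc, *compile_ioc(ioc)) for ioc in map(refang, defanged_iocs)]
    hits = []
    for n, line in enumerate(lines):
        for ioc, kind, rx in matchers:
            if rx.search(line):
                hits.append((n, ioc, kind))
    return hits


if __name__ == "__main__":
    for n, ioc, kind in scan_logs(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {n}: {kind} {ioc}")
```

Payment-page domains and sender addresses tend to surface in proxy and mail logs, while the potential C2 addresses show up in firewall or NetFlow data, so in practice the same matcher is run against each source separately and hits are joined on host and time.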


Full Story: https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d