Black Basta ransomware leak reveals potential Kremlin ties

Leaked logs also show group's heavy reliance on AI tools

A massive leak of internal chat logs from the notorious Black Basta ransomware-as-a-service (RaaS) group has exposed potential ties to Russian authorities, extensive use of artificial intelligence in its operations and plans for a complete rebranding, according to a comprehensive analysis by cybersecurity firm Trellix.

The leak, reportedly shared by a Telegram user known as @ExploitWhispers, contains over 200,000 messages from Black Basta's Matrix chat, spanning from September 2023 to September 2024. While the leaker claimed the release was due to Black Basta targeting Russian banks, Trellix's analysis found no evidence of such attacks.

However, the leaked logs revealed a wealth of information about the group's inner workings. Notably, they suggest a strong connection to Russian authorities, particularly through the group's leader, known as GG or AA, identified as Oleg Nefedov.

According to the chats, Nefedov was detained in Armenia in June 2024 but mysteriously escaped, with evidence suggesting Russian authorities facilitated his release.

"GG stated that he contacted Russian authorities and requested a 'green corridor' and they promptly flew to extricate him," Trellix reported.

"GG implies he has friends at the very high level, the level of the number 1 and the number 1 was aware of his situation and his rescue would not have been possible without his coordination."

The leaked logs also unveiled Black Basta's heavy reliance on AI tools like ChatGPT for various malicious purposes. The group used ChatGPT to generate deceptive messages, rewrite malware code from C# to Python, debug code, and automate victim data collection.

"It appears that GG acquires ChatGPT accounts from marketplaces/forums such as 'Plati Market', and occasionally shares the credentials with other team members," Trellix noted.

Furthermore, Trellix discovered that Black Basta maintains two operational offices in Moscow, which serve as hubs for their cybercriminal enterprise.

The gang has also been found to be leveraging OpenAI's ChatGPT to enhance their malicious activities.

The AI tool was used for:

  • Composing fraudulent formal letters in English to trick victims
  • Paraphrasing text and debugging code to streamline their operations
  • Rewriting C#-based malware in Python to evade detection
  • Collecting and analysing victim data for further exploitation

The group appears to collaborate with other ransomware and malware operators, including Rhysida, Cactus, Qakbot, Pikabot, DarkGate, and IcedID. It also rents out malware and uses the LummaC2 Stealer.

The failed attack on Ascension Health, where Black Basta incorrectly encrypted data, prompted the group to consider a complete rebranding. The group planned to build a new ransomware locker, intended to be undetectable and based on Conti source code, along with a new RaaS.

The group also developed a custom C2 framework called "Breaker" for post-exploitation activities. According to EclecticIQ, Black Basta has been using the BRUTED framework since 2023 to perform large-scale credential-stuffing and brute-force attacks on target devices, enabling threat actors to compromise corporate networks efficiently.
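The credential-stuffing and brute-force activity attributed to BRUTED leaves a recognisable footprint in authentication logs: one source address failing against many different usernames (stuffing or spraying), one source hammering a single account (brute force), and a success that follows a run of failures from the same source (a likely compromise worth triaging first). The following detector is an added example and is not code from the article, Trellix or EclecticIQ; it runs over constructed sshd-style log lines embedded in the script, and the thresholds (`stuffing_users`, `brute_attempts`) are assumptions chosen for illustration, not figures from any published analysis.

```python
import re
from collections import defaultdict

# sshd-style "Failed/Accepted password" lines; the format is the common
# syslog layout, but the hosts, PIDs and addresses below are constructed.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log (not from any real system or the leak):
#   203.0.113.5  -> six different accounts fail, then "frank" succeeds
#   198.51.100.7 -> six failures against "root"
#   192.0.2.9    -> two typos by a real user, then success (benign)
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[2101]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar 10 08:00:02 bastion sshd[2102]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Mar 10 08:00:03 bastion sshd[2103]: Failed password for invalid user carol from 203.0.113.5 port 51002 ssh2
Mar 10 08:00:04 bastion sshd[2104]: Failed password for dave from 203.0.113.5 port 51003 ssh2
Mar 10 08:00:05 bastion sshd[2105]: Failed password for erin from 203.0.113.5 port 51004 ssh2
Mar 10 08:00:06 bastion sshd[2106]: Failed password for frank from 203.0.113.5 port 51005 ssh2
Mar 10 08:00:07 bastion sshd[2107]: Accepted password for frank from 203.0.113.5 port 51006 ssh2
Mar 10 08:01:00 bastion sshd[2110]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 10 08:01:01 bastion sshd[2111]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 08:01:02 bastion sshd[2112]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 08:01:03 bastion sshd[2113]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 08:01:04 bastion sshd[2114]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 10 08:01:05 bastion sshd[2115]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 10 08:02:00 bastion sshd[2120]: Failed password for alice from 192.0.2.9 port 33000 ssh2
Mar 10 08:02:05 bastion sshd[2121]: Failed password for alice from 192.0.2.9 port 33001 ssh2
Mar 10 08:02:09 bastion sshd[2122]: Accepted password for alice from 192.0.2.9 port 33002 ssh2
"""


def parse_auth_log(text):
    """Return (timestamp, accepted, user, src) tuples for each auth line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((m["ts"], m["result"] == "Accepted", m["user"], m["src"]))
    return events


def detect_password_attacks(text, stuffing_users=5, brute_attempts=5):
    """Classify password-guessing patterns per source address.

    stuffing_users : distinct usernames failing from one source before it is
                     reported as credential stuffing / spraying (assumed threshold)
    brute_attempts : failures against one (source, user) pair before it is
                     reported as brute force (assumed threshold)
    """
    events = parse_auth_log(text)
    failed_users = defaultdict(set)   # src -> usernames that failed from it
    failed_pairs = defaultdict(int)   # (src, user) -> failed attempts
    failures_so_far = defaultdict(int)  # src -> failures seen before now (order matters)
    success_after_failures = []

    for _ts, accepted, user, src in events:
        if not accepted:
            failed_users[src].add(user)
            failed_pairs[(src, user)] += 1
            failures_so_far[src] += 1
        elif failures_so_far[src] >= brute_attempts:
            # A success following a run of failures from the same source is the
            # highest-priority finding: the guessing may have worked.
            success_after_failures.append((src, user, failures_so_far[src]))

    return {
        "credential_stuffing": {
            src: sorted(users)
            for src, users in failed_users.items() if len(users) >= stuffing_users
        },
        "brute_force": {
            pair: n for pair, n in failed_pairs.items() if n >= brute_attempts
        },
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for category, hits in detect_password_attacks(SAMPLE_LOG).items():
        print(category, hits)
```

The two thresholds deliberately separate the patterns: a stuffing source trips `stuffing_users` while each of its per-account counts stays low, whereas a single-account brute force trips `brute_attempts` with only one username. The benign user at 192.0.2.9 falls below both and is not reported, which is the false-positive case any such rule needs to survive before it is wired into alerting.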

The magnitude of the leaked information is expected to significantly hamper Black Basta's ability to operate undetected. With details about their internal processes, leadership, and infrastructure now exposed, the gang faces heightened scrutiny from law enforcement agencies and cybersecurity experts worldwide.
