A recently leaked collection of internal chat logs from the Black Basta ransomware operation has exposed possible ties between the cybercrime group and Russian authorities.
The leak, which comprises over 200,000 messages from September 2023 to September 2024, was released by a Telegram user @ExploitWhispers last month.
According to an analysis of the messages by cybersecurity company Trellix, the alleged leader of Black Basta, Oleg Nefedov (also known as GG or AA), may have received assistance from Russian officials following his arrest in Yerevan, Armenia, in June 2024, allowing him to escape three days later.
In the chat logs, GG claimed that he contacted high-ranking officials to secure a “green corridor” and facilitate his extraction.
“The insights gained from these chat leaks make it challenging for the Black Basta gang to completely abandon their current operations and start a new RaaS from scratch without referencing their previous activities,” Trellix researchers Jambul Tologonov and John Fokker said.
Other notable findings include:
- The group likely operates two offices in Moscow.
- The group uses OpenAI ChatGPT for composing fraudulent formal letters in English, paraphrasing text, rewriting C#-based malware in Python, debugging code, and collecting victim data.
- Some members of the group overlap with other ransomware operations, such as Rhysida and CACTUS.
- The developer of PikaBot is a Ukrainian national who goes by the online alias mecor (also known as n3auxaxl), and it took Black Basta a year to develop the malware loader after QakBot’s disruption.
- The group rented DarkGate from Rastafareye and used Lumma Stealer to steal credentials, as well as additional malware.
- The group developed a post-exploitation command-and-control (C2) framework called Breaker to establish persistence, evade detection, and maintain access across network systems.
- GG worked with mecor on new ransomware derived from Conti’s source code, leading to the release of a prototype written in C, indicating a possible rebranding effort.
This development comes as EclecticIQ revealed Black Basta’s work on a brute-forcing framework called BRUTED, designed to perform automated internet scanning and credential stuffing against edge network devices, including widely used firewalls and VPN solutions in corporate networks.
There is evidence to suggest that the cybercrime crew has been using the PHP-based platform since 2023 to perform large-scale credential-stuffing and brute-force attacks on target devices, allowing the threat actors to gain visibility into victim networks.
“The BRUTED framework enables Black Basta affiliates to automate and scale these attacks, expanding their victim pool and accelerating monetization to drive ransomware operations,” security researcher Arda Büyükkaya said.
“Internal communications reveal that Black Basta has heavily invested in the BRUTED framework, enabling rapid internet scans for edge network appliances and large-scale credential stuffing to target weak passwords.”
