On February 11, 2025, leaked internal chat logs from the notorious Black Basta ransomware group surfaced, exposing internal conflicts and the group's alleged targeting of Russian banks. The revelations point to significant instability within the group, with key members defecting and operational weaknesses laid bare. SOCRadar's intelligence findings present critical Indicators of Compromise (IoCs) that may help organizations defend against potential attacks.
Affected: Black Basta group, Russian banks, various sectors (financial, energy, manufacturing, security)
Key points:
- Internal Matrix chat logs of Black Basta leaked, revealing conflicts and operational issues.
- Leaked logs indicate attacks linked to Russian banks and internal disputes among group members.
- Prominent figure ‘Tramp’ is highlighted as contributing to internal tensions within the group.
- SOCRadar’s findings provide critical IoCs for organizations to bolster their defenses.
- Black Basta’s effectiveness has dwindled due to leadership instability and defections to rival groups.
- The group's earlier attacks mirror those of other infamous ransomware gangs, and the leak shows a similar pattern of internal betrayal.
- The internal strife reported suggests a self-destructive trend among cybercriminal organizations.
- Continuous updates will be provided as further investigations reveal additional insights.
MITRE Techniques:
- T1086 – PowerShell: Used for executing commands and scripts within compromised environments.
- T1003 – OS Credential Dumping: The group employs tools like Mimikatz to extract credentials from systems.
- T1055 – Process Injection: Malicious code is injected into legitimate processes to maintain a foothold.
- T1546 – Event Triggered Execution: Exploits system features like Scheduled Tasks for persistence.
- T1071 – Application Layer Protocol: VPN and proxy communications used for data transfer and command control.
- T1203 – Exploitation for Client Execution: Exploits vulnerabilities in client applications such as Microsoft Outlook to gain execution.
- T1046 – Network Service Scanning: Scanning services and ports for potential vulnerabilities in target systems.
Indicators of Compromise:
- [IP Address] 95.216.29.185
- [Domain] bestflowers247.online
- [Hash – SHA-256] c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e
- [Domain] innophos.com
- [File Name] CVE-2022-27925-zimbra_Revshell.zip
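To make the indicator list above directly usable for detection, here is an added Python example (not code from SOCRadar's report) that matches the five listed IoCs against constructed log lines; each indicator type is matched on its own terms so that a lookalike domain or an upper-case hash does not slip past.

```python
import re

# Indicators copied from the list above, typed so each kind is matched correctly.
INDICATORS = [
    ("ip", "95.216.29.185"),
    ("domain", "bestflowers247.online"),
    ("sha256", "c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e"),
    ("domain", "innophos.com"),
    ("filename", "CVE-2022-27925-zimbra_Revshell.zip"),
]

HOST_RE = re.compile(r"[A-Za-z0-9.-]+")      # candidate hostnames / IPs in a log line
HEX64_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")  # candidate SHA-256 values

def domain_matches(host: str, ioc: str) -> bool:
    """True for the domain itself or any subdomain, never for a lookalike
    such as notinnophos.com that merely ends with the same characters."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def match_line(line: str) -> list:
    """Return (kind, indicator) pairs found in one log line."""
    hits = []
    hosts = HOST_RE.findall(line)
    hashes = {h.lower() for h in HEX64_RE.findall(line)}
    for kind, ioc in INDICATORS:
        if kind == "ip" and ioc in hosts:                 # exact token, not substring
            hits.append((kind, ioc))
        elif kind == "domain" and any(domain_matches(h, ioc) for h in hosts):
            hits.append((kind, ioc))
        elif kind == "sha256" and ioc in hashes:          # case-insensitive
            hits.append((kind, ioc))
        elif kind == "filename" and ioc.lower() in line.lower():
            hits.append((kind, ioc))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one match."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := match_line(line))]

# Constructed sample log lines (not real telemetry) covering each indicator type.
SAMPLE_LOGS = [
    "2025-02-11T10:02:13Z fw DENY src=10.0.0.7 dst=95.216.29.185:443 proto=tcp",
    "2025-02-11T10:02:20Z dns query=mail.bestflowers247.online type=A client=10.0.0.7",
    "2025-02-11T10:03:01Z edr file=C:\\Users\\a\\Downloads\\CVE-2022-27925-zimbra_Revshell.zip "
    "sha256=C5793613219A782EB08205921A3F9ED97C2C74DE18E0CD36008046D1A5E1288E",
    "2025-02-11T10:03:05Z dns query=notinnophos.com type=A client=10.0.0.9",  # lookalike, no hit
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```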
Full Story: https://socradar.io/black-bastas-internal-chats-leak/