The article analyzes leaked communications from the Black Basta ransomware group, revealing their ongoing operations despite exposure. Significant tactics such as hybrid infrastructure exploitation and social engineering are highlighted. Microsoft Threat Intelligence’s report discusses warning signs of evolving ransomware techniques, especially in the context of nation-state actors and cloud vulnerabilities. Affected: Black Basta ransomware group, Microsoft Threat Intelligence, cybersecurity sector.
Key points:
- Black Basta’s internal communications leak reveals the group’s persistence and adaptability in their operations.
- Notable actors operate under various aliases and coordinate attacks using shared infrastructure and tools.
- The group’s tactics align with Microsoft’s identified threats, including exploitation of Citrix and VPNs, and weak ESXi hypervisors.
- Social engineering methods include impersonating IT support staff to deceive targets.
- The leak indicates a strong focus on operational security and resilience, with coordinated attack strategies to avoid detection.
- Microsoft’s insights indicate the use of commodity ransomware by state actors and highlight the need for heightened defenses.
MITRE Techniques:
- Initial Access (T1078): Use of harvested credentials for initial access through RDP and VPNs.
- Credential Dumping (T1003): Discussion on dumping credentials from compromised RDP and VPN environments.
- Exploitation of Vulnerabilities (T1203): Exploitation of Citrix, ESXi, and Jenkins as noted in operational discussions.
- Phishing (T1566): Social engineering campaigns via voice impersonation of IT support.
- Command and Control (T1071): Custom loaders and scripts using PowerShell and rundll32.exe for payload delivery.
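As an added defender-side example (not code from the article, Microsoft, or the leaked material), the following triages constructed process-creation log lines for the PowerShell-to-rundll32.exe loader pattern listed above; the field layout, parent-process list, and sample paths are assumptions:

```python
import re

# Constructed sample process-creation events (not from the leak).
# Layout assumed: parent_image|image|command_line
SAMPLE_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "powershell.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\Public\\upd.dll,Start",
    "cmd.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\a.dll,Run",
    "svchost.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,OpenAs_RunDLL",
]

# Script hosts that rarely have a legitimate reason to launch rundll32.exe (assumed list).
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Directories a standard user can write to; DLLs loaded from here deserve a look.
USER_WRITABLE = re.compile(r"\\users\\|\\programdata\\|\\temp\\|\\appdata\\", re.IGNORECASE)


def analyze(event: str) -> list[str]:
    """Return a list of findings for one event; empty means nothing noteworthy."""
    parent, image, cmdline = event.split("|", 2)
    findings = []
    if image.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        return findings
    if parent.lower() in SUSPICIOUS_PARENTS:
        findings.append(f"rundll32 spawned by scripting host {parent}")
    if USER_WRITABLE.search(cmdline):
        findings.append("rundll32 loading DLL from user-writable path")
    return findings


def triage(events: list[str]) -> dict[int, list[str]]:
    """Map event index to findings, keeping only events that produced any."""
    result = {}
    for idx, event in enumerate(events):
        findings = analyze(event)
        if findings:
            result[idx] = findings
    return result


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].split("|")[0], findings)
```

Event 1 trips both rules and event 2 only the path rule, while the two Control Panel launches from explorer.exe and svchost.exe stay quiet; in production the parent list and path patterns should be tuned against a baseline of the environment's normal rundll32.exe activity.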
Indicators of Compromise:
- [URL] https://darpan.kvs.REDACTED.in/rdweb/…
- [URL] https://start.elvyonline.nl/…;
- [IP Address] 80.190.xxx.x6
- [IP Address] 13.57.243.97
- [IP Address] 58.171.144.24