KELA researchers reported that the Black Basta leak revealed critical patterns used by ransomware operators to infiltrate corporate networks, particularly highlighting an attack on a Brazil-based manufacturing company where compromised credentials led to full network access and data exposure.
Additional insights from Qualys researchers indicated that the leak stemmed from internal conflicts and a retaliatory data dump related to attacks on Russian banks, providing a rare look into Black Basta’s tactics and leadership. Meanwhile, Ontinue researchers noted that Black Basta has been inactive since the start of the year due to these internal issues.
The KELA report detailed leaked internal chats that provide intelligence on compromised credentials and attack strategies, highlighting how Black Basta gains unauthorized access. Initial access was gained through vulnerable RD Web services, most likely with valid credentials taken from infostealer malware logs that had been leaked on cybercrime platforms six months before the attack. Many of the credentials seen in the chats appear to originate from such infostealer logs, which shows how critical credential security is in preventing these attacks.
The analysis reveals the top 5 initial access points most used by Black Basta, tied to credentials sourced from infostealer malware logs, exploitation of vulnerabilities, and social engineering campaigns. It breaks down the findings to help organizations understand how the attackers operate and how to strengthen their defenses.
“On February 11, 2025, the cybersecurity community was shaken by an unexpected revelation. An administrator of a newly created Telegram group, ‘Шепот Басты’ (Whisper of Basta), claimed to have leaked the internal chats of the Black Basta ransomware group,” KELA researchers wrote in their report. “The admin stated that the motivation behind the leak was Black Basta’s decision to ‘cross the line’ by attacking Russian banks, a move deemed unacceptable by the leaker.”
KELA reported that the group was created to ‘research’ Black Basta’s activities and shed light on their internal operations. Interestingly, while the admin’s messages were posted in Russian, the language strongly suggested the use of automatic translation rather than being written by a native speaker. It noted that the admin also predominantly referred to herself using the feminine gender.
It added, “The admin released the 47.5MB JSON file containing the internal chats and promised more releases in the near future. The leaked data covered a time span from September 18, 2023, to September 28, 2024, offering a look into Black Basta’s operations.”
The leak exposed a vast array of sensitive information, offering a glimpse into the internal workings of the Black Basta ransomware group. The contents included compromised credentials, which consisted of a trove of usernames, passwords, and authentication data for various services, mostly associated with potential Black Basta victims. Additionally, IP addresses and domains were revealed, which were used for command-and-control (C2) operations and remote access.
The report disclosed that internal operational discussions were also part of the leak, revealing tactics, strategies, and technical procedures employed by the group. Furthermore, victim data and legal documents were exposed, including data exfiltrated from compromised organizations. Payment information and cryptocurrency addresses were disclosed, allowing for the tracing of potential financial transactions. Lastly, technical infrastructure details, such as file servers, proxies, and botnets used by the group, were uncovered, providing intelligence to cybersecurity researchers and organizations aiming to strengthen their defenses.
KELA cross-referenced some of the shared credentials with its data lake of infostealer malware logs, which confirmed that these credentials originated from such logs. It also observed the actors sourcing credentials through vulnerabilities and phishing/spam campaigns, and using compromised email credentials to search email conversations for remote access credentials. These credentials were then used either as initial access vectors or in the lateral movement phase.
Based on around 3000 unique credentials to sensitive resources, shared in Black Basta chats, the top 10 initial access and lateral movement vectors that Black Basta operators used the most include Microsoft Remote Desktop Web Access (RD Web), Custom VPN and Security Policies Portals, General Remote Login Portals, GlobalProtect by Palo Alto Networks, and Cisco’s VPN. “These access points, ranging from Remote Desktop Protocol (RDP) portals to VPN endpoints, are prime targets for cybercriminals seeking initial access. Once compromised, they serve as gateways within corporate networks, leading to data exfiltration and eventual ransomware deployment. These credentials are also particularly important at the lateral movement stage, allowing ransomware operators to access and compromise the network,” it added.
KELA has noticed that these and other sensitive credentials were discussed in both contexts. These findings align with other researchers’ insights, specifically about vulnerabilities used by Black Basta to gather initial access.
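The cross-referencing and classification KELA describes above can be reproduced in miniature. The following is an added example written for this article, not KELA's tooling or data: every hostname, username, password placeholder and date in it is constructed, and the URL patterns used to label each portal type (the RD Web, GlobalProtect and Cisco portal paths) are assumptions based on how those products normally expose their login pages. It takes a set of leaked credential records, matches them against infostealer-log entries on host and user, distinguishes a confirmed stealer origin (same password) from an exposed account whose password has since changed, and tallies which remote-access categories the credentials unlock.

```python
"""Cross-reference leaked credentials against infostealer-log records and
classify the remote-access service each one unlocks.

Added example for this article; not KELA's tooling or data. Every record
below is a constructed placeholder, not content from the leak.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of credential records as they might appear in a leak
# (hypothetical hosts and users; passwords replaced with placeholders).
LEAKED_CREDENTIALS = [
    {"url": "https://remote.example-corp.test/RDWeb/Pages/en-US/login.aspx", "user": "jdoe", "password": "PLACEHOLDER-1"},
    {"url": "https://vpn.example-corp.test/global-protect/login.esp", "user": "asmith", "password": "PLACEHOLDER-2"},
    {"url": "https://gw.example-corp.test/+CSCOE+/logon.html", "user": "asmith", "password": "PLACEHOLDER-3"},
    {"url": "https://portal.example-corp.test/login", "user": "itadmin", "password": "PLACEHOLDER-4"},
    {"url": "https://mail.example-corp.test/owa/", "user": "jdoe", "password": "PLACEHOLDER-5"},
]

# Constructed sample of infostealer-log entries (hypothetical). A stealer log
# records the origin URL, the saved username/password and when it was taken.
INFOSTEALER_LOGS = [
    {"url": "https://remote.example-corp.test/RDWeb/Pages/en-US/login.aspx", "user": "jdoe", "password": "PLACEHOLDER-1", "seen": "2023-03-10"},
    {"url": "https://vpn.example-corp.test/global-protect/login.esp", "user": "asmith", "password": "OLD-PASSWORD", "seen": "2023-01-22"},
    {"url": "https://gw.example-corp.test/+CSCOE+/logon.html", "user": "asmith", "password": "PLACEHOLDER-3", "seen": "2023-02-05"},
]

# Assumed portal path conventions; ordered most specific first, first match wins.
ACCESS_VECTOR_PATTERNS = [
    ("Microsoft RD Web", re.compile(r"/rdweb\b", re.I)),
    ("GlobalProtect (Palo Alto Networks)", re.compile(r"/global-protect\b", re.I)),
    ("Cisco VPN portal", re.compile(r"/\+cscoe\+", re.I)),
    ("Custom VPN / security policy portal", re.compile(r"vpn|sslvpn|firewall", re.I)),
    ("General remote login portal", re.compile(r"/login|/owa|/remote|/citrix", re.I)),
]


def normalise(url):
    """Return (host, path) in lower case so trivially different URLs for the
    same portal (scheme, case, trailing slash, query string) compare equal."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    path = parsed.path.rstrip("/").lower() or "/"
    return host, path


def classify_access_vector(url):
    """Map a portal URL to one of the access-vector categories named in the article."""
    host, path = normalise(url)
    haystack = f"{host}{path}"
    for label, pattern in ACCESS_VECTOR_PATTERNS:
        if pattern.search(haystack):
            return label
    return "Other"


def cross_reference(leaked, stealer_logs):
    """Split leaked records into those confirmed to come from a stealer log
    (same host, user and password, annotated with the earliest sighting) and
    those where the account appears in a log but the password differs, which
    still tells a defender that the account was exposed."""
    index = {}
    for rec in stealer_logs:
        host, _ = normalise(rec["url"])
        index.setdefault((host, rec["user"].lower()), []).append(rec)
    confirmed, stale = [], []
    for rec in leaked:
        host, _ = normalise(rec["url"])
        hits = index.get((host, rec["user"].lower()), [])
        if not hits:
            continue
        same_pw = [h for h in hits if h["password"] == rec["password"]]
        vector = classify_access_vector(rec["url"])
        if same_pw:
            first_seen = min(h["seen"] for h in same_pw)
            confirmed.append({**rec, "first_seen_in_stealer_log": first_seen, "vector": vector})
        else:
            stale.append({**rec, "vector": vector})
    return confirmed, stale


def top_access_vectors(leaked, n=5):
    """Count access-vector categories across leaked records, most common first."""
    return Counter(classify_access_vector(r["url"]) for r in leaked).most_common(n)


if __name__ == "__main__":
    confirmed, stale = cross_reference(LEAKED_CREDENTIALS, INFOSTEALER_LOGS)
    for c in confirmed:
        print(f"CONFIRMED stealer origin: {c['user']}@{normalise(c['url'])[0]} "
              f"({c['vector']}), first seen {c['first_seen_in_stealer_log']}")
    for s in stale:
        print(f"EXPOSED account, password since changed: {s['user']}@{normalise(s['url'])[0]} ({s['vector']})")
    for label, count in top_access_vectors(LEAKED_CREDENTIALS):
        print(f"{count:3d}  {label}")
```

The "first seen" date is the practically useful output: it is the gap between a stealer infection and the credential being used in an intrusion that KELA puts at six months in the case above, and a defender who matches their own domains against such logs can force resets and enable MFA on the exposed accounts well inside that window.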
“The Black Basta ransomware group leverages known vulnerabilities, misconfigurations, and insufficient security controls to breach systems,” Saeed Abbasi, product manager for the threat research unit at Qualys, wrote in the blog post. “Their internal discussions reveal active targeting of exposed RDP servers, weak authentication mechanisms, and the deployment of malware droppers disguised as legitimate files.”
Abbasi added that key attack vectors used by Black Basta include scanning for exposed RDP and VPN services—often relying on default VPN credentials or brute-forcing stolen credentials to gain initial access—and exploiting publicly known CVEs when systems remain unpatched. MSI and VBS-based malware droppers are utilized to deliver malicious payloads, with Rundll32.exe leveraged to execute harmful DLLs. Credential harvesting and privilege escalation are also central to these tactics.
Qualys added that Black Basta uses a layered approach for attacks, combining credential theft, service exploitation, social engineering, and persistence. They acquire credentials through phishing, supply chain compromises, and dark web purchases, often using tools like Shodan for vulnerability scanning. Their tactics include exploiting exposed services, particularly targeting misconfigured systems like Jenkins and VMware, and using legitimate file-sharing platforms to host malicious payloads. Before deploying ransomware, they exfiltrate data, focusing on sensitive documents, and employ social engineering techniques, including impersonating IT support to extract credentials from employees.
“Ransomware groups are no longer taking their time once they breach an organization’s network. Recently leaked data from Black Basta shows they’re moving from initial access to network-wide compromise within hours—sometimes even minutes,” Abbasi wrote. “Ransomware operators are accelerating their attacks, leaving organizations with little time to respond. To prevent widespread damage, it’s critical to proactively detect known exploited vulnerabilities and minimize the attack surface. The longer you wait, the more likely attackers will exfiltrate data and lock down your environment. In many cases, automated scripts run post-exploitation tasks such as dumping credentials, disabling security tools, and deploying ransomware.”
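The two points above, MSI and VBS droppers handing off to Rundll32 for DLL execution, and post-exploitation chains that complete in minutes, lend themselves to a simple host-based detection. The following is an added example written for this article, not Qualys's or any vendor's detection content; the process-creation events are constructed (hypothetical host names, paths and timestamps in a simplified pipe-separated layout), and the choice of "user-writable path" prefixes and the five-minute burst window are assumptions a team would tune to its own environment. It flags each dropper-style event on its own and raises the severity when one host accumulates several distinct hits inside the window, which is the "hours, sometimes minutes" progression Abbasi describes.

```python
"""Flag dropper-style process chains and a rapid post-exploitation burst in
process-creation logs.

Added example for this article, not vendor detection content. The events are
constructed: hypothetical hosts, paths and timestamps in the simplified form
"timestamp|host|parent image|image|command line".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. WS-011 shows a document -> .vbs -> .msi -> rundll32
# chain inside one minute; WS-042 shows benign msiexec/rundll32 use from system paths.
SAMPLE_EVENTS = [
    r'2024-03-04T09:00:05|WS-011|explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" invoice.docx',
    r"2024-03-04T09:01:12|WS-011|winword.exe|wscript.exe|wscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice_view.vbs",
    r"2024-03-04T09:01:40|WS-011|wscript.exe|msiexec.exe|msiexec.exe /i C:\Users\jdoe\AppData\Local\Temp\update.msi /qn",
    r"2024-03-04T09:02:03|WS-011|msiexec.exe|rundll32.exe|rundll32.exe C:\ProgramData\update\core.dll,Start",
    r"2024-03-04T11:15:00|WS-042|services.exe|msiexec.exe|msiexec.exe /i C:\Windows\ccmcache\abc\7z.msi /qn",
    r"2024-03-04T11:16:00|WS-042|svchost.exe|rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

# Assumed set of locations an unprivileged user can write to; tune per environment.
USER_WRITABLE = re.compile(r"\\users\\|\\programdata\\|\\temp\\|\\appdata\\|\\public\\|\\downloads\\", re.I)

# Each rule: (name, predicate over a parsed event). They mirror the article's
# points: VBS/MSI droppers and Rundll32 executing a DLL, all from user-writable paths.
RULES = [
    ("rundll32 loading a DLL from a user-writable path",
     lambda e: e["image"] == "rundll32.exe" and USER_WRITABLE.search(e["cmdline"]) is not None),
    ("script host running a .vbs from a user-writable path",
     lambda e: e["image"] in ("wscript.exe", "cscript.exe")
               and re.search(r"\.vbs\b", e["cmdline"], re.I) is not None
               and USER_WRITABLE.search(e["cmdline"]) is not None),
    ("quiet MSI install from a user-writable path",
     lambda e: e["image"] == "msiexec.exe"
               and re.search(r"(^|\s)/q", e["cmdline"], re.I) is not None
               and USER_WRITABLE.search(e["cmdline"]) is not None),
]


def parse_event(line):
    """Split one constructed log line into its fields; command line may contain spaces."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def evaluate(event):
    """Return the names of every rule the event matches (empty for benign events)."""
    return [name for name, test in RULES if test(event)]


def correlate(lines, window=timedelta(minutes=5), burst_threshold=3):
    """Per-host findings: the individual rule hits and, when a host collects
    `burst_threshold` distinct hits inside `window`, a high-severity
    rapid-chain flag. Hosts with no hits are omitted."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    hits = defaultdict(list)  # host -> [(timestamp, rule name)], in time order
    for ev in events:
        for rule in evaluate(ev):
            hits[ev["host"]].append((ev["ts"], rule))
    findings = {}
    for host, host_hits in hits.items():
        burst = False
        for i, (start, _) in enumerate(host_hits):
            distinct = {r for t, r in host_hits[i:] if t - start <= window}
            if len(distinct) >= burst_threshold:
                burst = True
                break
        findings[host] = {"hits": [r for _, r in host_hits],
                          "rapid_chain": burst,
                          "severity": "high" if burst else "medium"}
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(f"[{f['severity'].upper()}] {host}: rapid_chain={f['rapid_chain']}")
        for rule in f["hits"]:
            print(f"    - {rule}")
```

Only WS-011 is reported: its three distinct hits fall within 51 seconds, so it is raised to high severity, while the system-path msiexec and rundll32 activity on WS-042 matches no rule. The burst correlation is the part worth keeping even if the individual rules are swapped for a vendor's own: a single rundll32 alert can be triaged at leisure, but several distinct dropper indicators on one host inside a few minutes is exactly the compressed timeline the leak shows and should page someone.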
Ontinue mapped the geographical locations involved using public IP data for more than 3000 leaked IP addresses, covering both compromised infrastructure and victims. “This highlights the low cost of available infrastructure and ease of access/compromise devices that can be utilised to launch attacks, host intermediate infrastructure on, or use for Command and Control.”
Their data disclosed that the “group conducted thorough monitoring of their online presence, exchanging messages about themselves a total of 65 times. Black Basta has been diligently tracking reports concerning the group, as well as other entities such as BlackCat, Rhysida, LockBit, Kaseya, and Stormous, and their related articles.”
Last May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory (CSA) addressing the Black Basta hacker group.
The advisory recommended that critical infrastructure organizations align their cybersecurity measures with the cross-sector cybersecurity performance goals (CPGs) established by CISA and NIST. These CPGs outline essential practices to defend against prevalent threats.
Key recommendations include promptly updating operating systems and software, prioritizing Known Exploited Vulnerabilities (KEVs), and implementing phishing-resistant multi-factor authentication (MFA). Organizations should also train users to identify phishing attempts, secure remote access, back up critical systems, and enhance asset management, access management, and vulnerability assessments to strengthen overall security.