March 3, 2025
News

Insights from the Black Basta leak

Black Basta Ransomware Awareness


Delving into the Black Basta ransomware group chat leaks 

A week ago I read a post from Alon Gal (Co-Founder & CTO at Hudson Rock) noting that they had created BlackBastaGPT from the Black Basta ransomware group’s ~1 million leaked internal chat messages, encouraging ITsec pros to dive into Black Basta’s internal chats. Over the last few days I have been doing just that, to see what insights I could uncover that might help security blue teams proactively defend against ransomware threats and build better response strategies.

  1. Understand TTPs (tactics, techniques, and procedures): reveal the real-world attack methods used by ransomware groups and map them to frameworks like the Cyber Kill Chain.
  2. Strengthen defensive strategies: identify specific exploits, credential theft techniques, and bypass methods to improve security policies, patch vulnerabilities, and harden systems.
  3. Incident response & threat intelligence: gain insight into how attackers communicate, strategise, and prioritise targets, to help detect early-stage intrusions before ransomware deployment.
  4. Targeting patterns & industries: reveal which sectors, departments, and data types are most valuable to attackers, helping organisations in high-risk industries adjust their security posture.
  5. Exposure of credentials & attack infrastructure: leaked chats may contain compromised credentials, tools, or infrastructure details, which assist in blocking known indicators of compromise (IOCs) and attack vectors.

Kudos to Alon Gal and the whole Hudson Rock team for acting so quickly to create BlackBastaGPT 🙌

Also, in case you have not done so, check out their CavalierGPT for delving into infostealer data (ranked #1 for OSINT in the GPT store 🥳).

Observations:

  • Credential theft and phishing were the primary entry points, with a focus on RDP, VPN, and Exchange logins.
  • Legal, HR, and financial documents were highly targeted, likely for extortion and financial gain.
  • SOCKS5 proxies, SSH tunnelling, and C2 beacons ensured persistence and remote access.
  • SMB file shares, SharePoint Online, OneDrive, and Exchange were the most exploited data stores.
  • Exploited Exchange vulnerabilities to bypass security and access email communications.

What sensitive data was targeted and why?

Black Basta actively searched for and exfiltrated sensitive data. Their methods for defining and acquiring valuable data included:

  1. Legal & regulatory documents: They specifically sought legal documents, corporate financial records, and internal reports. A chat message referenced stolen files such as:
  2. File searches by department & content: HR records, including historical employee data, attorney search records, and correspondence. Here’s an example of specific HR-related file searches:
  3. Legal & financial reports: an example stolen from a corporate repository:

Why? Business reports can reveal corporate strategies, M&A plans, and sensitive financial data useful for extortion or insider trading. 

  4. File searches for "Confidential" or "Restricted": They searched for files marked "Confidential" or "Restricted", looking for file names and metadata containing terms like:

These files were prioritised for exfiltration.

  5. File searches by name & type: They performed searches for specific file extensions such as .docx, .msg, .zip, and .tar. They scanned entire folder structures and applied metadata filtering for documents containing financial or HR-related terms. They requested file trees to select high-value files efficiently, which suggests automated directory mapping:

This indicates structured directory mapping to locate sensitive files and confirms they prioritised targeted file selection.

  6. Stolen email & communication records: They searched IMAP and SMTP email logs, indicating interest in communications and email records:

Why? Email logs can contain confidential discussions, financial transactions and sometimes even credentials. This is where they focused their searches:

  • Legal Departments → Lawsuits, contracts, regulatory filings
  • Human Resources → Employee records, hiring information
  • Finance & Accounting → Budgets, audits, financial fraud evidence
  • Email Servers → Internal communications, sensitive discussions
  • Marketing & Strategy → Business plans, intellectual property

These files were likely used for extortion, insider threats or data resale on underground forums.

Which data stores were targeted and why?

They focused on corporate storage solutions and communication platforms, actively targeting multiple data stores, including SMB file shares, Microsoft Teams, OneDrive, SharePoint and Exchange Online.

Data stores targeted and the attack methods used:

1. SMB file shares (Windows network shares): They extensively mapped SMB shares across multiple systems and accessed critical shared folders, including:

  • HR data (CLI-FILE01\HR)
  • Finance & Accounting (CLI-FILE01\Acctg)
  • Project files (CLI-FILE01\Projectscans, Quickpen)
  • Admin shares (CLI-FILE01\Admin)
  • Backup locations (CLI-NAS1\CLI-Backups).

They leveraged credentials to escalate access to these shares.
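As an added defensive example (not code from the leak or from the post's author), the following detector covers both the keyword- and extension-based file searches described above and the SMB share mapping described here: it runs over constructed records in a flattened key=value shape of Windows Event ID 5145 (network share object accessed) and flags an account that touches many distinct shares within a short window, or that reads "Confidential"/"Restricted" files and hunted extensions on the named shares. The log layout, account names, timestamps and thresholds are assumptions.

```python
"""Flag share enumeration and sensitive-file hunting in file-server audit
events. Added example for this post, not code from the leak or its author;
the log lines are constructed, in a flattened key=value shape of Event ID 5145."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
2025-02-20T09:01:10 5145 user=jsmith host=CLI-FILE01 share=\\*\HR target=Benefits\2019_roster.xlsx
2025-02-20T09:01:14 5145 user=jsmith host=CLI-FILE01 share=\\*\Acctg target=Audit\FY24_CONFIDENTIAL.docx
2025-02-20T09:01:20 5145 user=jsmith host=CLI-FILE01 share=\\*\Admin target=passwords.txt
2025-02-20T09:01:33 5145 user=jsmith host=CLI-FILE01 share=\\*\Projectscans target=tree.txt
2025-02-20T09:01:41 5145 user=jsmith host=CLI-NAS1 share=\\*\CLI-Backups target=restricted_export.tar
2025-02-20T09:40:02 5145 user=mlee host=CLI-FILE01 share=\\*\HR target=Benefits\handbook.pdf
"""

# Share names, file markers and extensions taken from the chats described in the post.
SENSITIVE_SHARES = {"HR", "Acctg", "Projectscans", "Quickpen", "Admin", "CLI-Backups"}
SENSITIVE_NAME = re.compile(r"confidential|restricted", re.IGNORECASE)
SENSITIVE_EXT = {".docx", ".msg", ".zip", ".tar"}


def parse(line):
    # One flattened 5145 record -> dict; a share like \\*\HR is reduced to HR.
    ts, _event_id, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["share"] = ev["share"].rsplit("\\", 1)[-1]
    return ev


def detect(log_text, window=timedelta(minutes=10), min_shares=4):
    """Return findings: an account touching >= min_shares distinct shares inside
    `window` (share mapping), plus any access to a marked file on a sensitive share."""
    by_user = defaultdict(list)
    for ev in sorted(map(parse, log_text.strip().splitlines()), key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):  # trailing window over this account's events
            recent = [x for x in evs[: i + 1] if ev["ts"] - x["ts"] <= window]
            shares = {(x["host"], x["share"]) for x in recent}
            if len(shares) >= min_shares:
                findings.append({"rule": "share_enumeration", "user": user,
                                 "shares": sorted(shares), "at": ev["ts"].isoformat()})
                break  # one enumeration alert per account is enough
        for ev in evs:
            name = ev["target"].rsplit("\\", 1)[-1]
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ev["share"] in SENSITIVE_SHARES and (SENSITIVE_NAME.search(name) or ext in SENSITIVE_EXT):
                findings.append({"rule": "sensitive_file_access", "user": user,
                                 "path": f"{ev['host']}\\{ev['share']}\\{ev['target']}",
                                 "at": ev["ts"].isoformat()})
    return findings
```

Running `detect(SAMPLE_LOG)` yields one share-enumeration finding for jsmith (four distinct shares inside ten minutes) and two sensitive-file findings; the routine account mlee, reading a single handbook on the HR share, is not flagged.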

2. Microsoft Teams

  • Compromised Teams accounts were used for internal reconnaissance and potentially for spreading malware. A list of stolen credentials included fully licensed accounts from various organisations:

These were linked to SOCKS proxies, suggesting potential use for persistent access or lateral movement.

3. Microsoft OneDrive & SharePoint:

  • The group monitored and redirected phishing links to SharePoint:
  • Actively searched for and tested access to SharePoint links, focusing on restricted files that might contain sensitive corporate data.
  • OneDrive access was also explored, with a mention of missing user files possibly being stored there. One example was a OneDrive shared link which a member confirmed could be accessed and whose permissions could be modified: "я вот проверил, можно разрешить доступ" (I just checked, access can be allowed). Note: the link is no longer accessible externally:
  • How did they find these links?
    • Using phishing & redirects: They collected email addresses from legal firms and sent phishing emails designed to trick users into clicking malicious SharePoint links:

This implies they gathered email lists, tested Teams logins, and sent phishing emails targeting SharePoint credentials.

  • Redirection to SharePoint

This suggests that instead of using suspicious domains, they used trusted SharePoint links for phishing, making it harder for security tools to flag their attacks.

  • Testing permissions on stolen links: Once they obtained SharePoint links, they tested whether access could be expanded, modified, or bypassed.

4. Microsoft Exchange Online (Email Servers)

  • Exchange credentials were actively stolen using exploits:

“это с эксплойта по клику, креды которые сейчас добываем с экчейнжей” - This is from the click exploit, the creds that we are now harvesting from the Exchange servers.

  • Exploits for Exchange vulnerabilities (CVE-2023-36745) were discussed, indicating they targeted email accounts for sensitive information.
  • IMAP email data was extracted, showing counts of valid email logins.

Top targeted data stores (ranked by frequency of targeting):

Black Basta concentrated on data stores that contained valuable corporate, legal, financial and HR information. They used stolen credentials, phishing, SMB enumeration, and Exchange exploits to gain access. Their focus suggests a strategy of exfiltrating high-value data for ransom and extortion.

Observations

  1. Local SMB file shares were the top target
    • Attackers enumerated shared folders and extracted HR, legal, and finance files.
    • They specifically looked for administrator shares and backup directories.
  2. Cloud storage was a major focus (SharePoint, OneDrive, Google Drive)
    • SharePoint was used for phishing, and attackers tested access permissions on stolen links.
    • OneDrive was searched when files were missing from other locations.
  3. Email was targeted for sensitive attachments
    • Exchange Online and Gmail accounts were breached to extract legal, HR, and financial communications.
    • IMAP and SMTP logs were collected to identify valid credentials.
  4. Cloud infrastructure was explored but not a primary focus (AWS, Azure)
    • Exposed AWS S3 buckets and Azure storage accounts were exploited opportunistically.
  5. Identity providers (IdPs) were probed for persistence (Azure AD, Active Directory, Google IAM, AWS IAM)
    • Privileged account credentials were stolen, but this was a lower priority compared to data exfiltration.

Insights from the top targeted data stores

  • Most attacks focused on SMB shares and SharePoint Online (55%), since these contain high-value corporate data and are easier to exploit with stolen credentials.
  • Email (Exchange Online, Gmail) and cloud storage (OneDrive, Google Drive) were also highly targeted (32%), as they hold financial and legal documents.
  • Cloud services (AWS, Azure) and identity providers (Azure AD, IAM) were targeted but not a primary focus (8%), likely due to stronger security controls.

This suggests that organisations should focus security efforts on securing SMB file shares, cloud storage, and email systems to prevent data theft. 

How did they access the data, and what did they do with it?

They leveraged stolen credentials to get to the data

  • They used compromised credentials for RDP, VPNs, and Citrix environments to gain privileged access. Stolen credentials were actively shared, including:

This suggests they were leveraging valid accounts for persistence and lateral movement.

  • They probed Windows and Linux environments for privilege escalation vulnerabilities: a message discussing the use of a compromised Linux host to pivot into Windows machines mentioned bypassing pfSense firewalls using SSH tunnelling and MFA authentication.
  • The group discussed how certain enterprise accounts were blocked after multiple login attempts, indicating they were testing access policies and MFA settings.

Once they got to the data, they exfiltrated it, deployed ransomware, and extorted their victims

  • The group openly admitted to exfiltrating over 1.5TB of sensitive data and threatened to publish it unless a ransom was paid:

"We've downloaded over 1.5 TB of sensitive information and data from your network... if we do not come to an agreement within 10 days, all of your data will be posted on our news board."

  • Another message detailed extortion tactics, where they suggested leaking intellectual property related to telecom lawsuits to nation-state actors (China, Iran) if the victim did not comply.
  • Black Basta discovered a technique for bypassing Microsoft OneNote’s built-in security features using two methods:
    • Open Document -> to launch a document in Office with security warnings.
    • Download Document -> to trick users into copying files to their desktop for execution.
  • A Python-based exploit script was mentioned, allowing automated file enumeration and extraction:

This implies they automated the process of scanning and extracting targeted data.

Black Basta relied on privilege escalation, MFA bypass, lateral movement, and log evasion to exploit access controls. Their focus on gaining admin rights, abusing misconfigured permissions, and targeting VPN/firewall vulnerabilities allowed them to maintain persistence and execute ransomware effectively.

Observations

Black Basta conducted highly targeted searches across organisations, focusing on legal, financial, and HR-related data. They leveraged phishing, stolen credentials, and permission testing to access SharePoint links and other restricted data stores. By using automated scripts, directory mapping, and keyword-based searches, they efficiently extracted and filtered sensitive files based on metadata and file types to maximise their value. Their operations combined advanced reconnaissance, access control exploitation, and credential theft with technical exploits, social engineering, and extortion tactics. This strategic approach enabled them to infiltrate networks deeply, exfiltrate high-value corporate data, and carry out ransomware extortion, corporate espionage, and financial fraud.

Key points

The Black Basta leak has provided a comprehensive view of the tactics, techniques, and procedures (TTPs) employed by the threat actors. The analysis reveals a structured attack chain that leverages credential theft, malware execution, and ransomware deployment while ensuring persistence through proxies and tunnelling.

Key Observations

  • Credential theft and phishing: These were the primary entry points, with a focus on RDP, VPN, and Exchange logins. Legal, HR, and financial documents were highly targeted, likely for extortion and financial gain.
  • Persistence and remote access: The use of SOCKS5 proxies, SSH tunnelling, and C2 beacons ensured persistence and remote access.
  • Exploited data stores: SMB file shares, SharePoint Online, OneDrive, and Exchange were the most exploited data stores.

Targeted Data and Methods

  • Legal & regulatory documents: Black Basta specifically sought legal documents, corporate financial records, and internal reports.
  • HR records: Employee benefits and identity-related documents were targeted for identity fraud or social engineering.
  • Financial reports: Business reports revealing corporate strategies, M&A plans, and sensitive financial data were prioritised.
  • Email & communication records: IMAP and SMTP email logs were searched for confidential discussions, financial transactions, and credentials.

Attack Techniques

  • Privilege escalation: Exploited vulnerabilities to gain Administrator rights, allowing execution of ransomware with full system control.
  • MFA bypass: Used stolen session tokens and cookies to replay login credentials for Exchange Online, VPNs, and corporate portals.
  • Lateral movement: Stole SSH and VPN credentials to bypass firewall and segmentation policies.
  • Remote code execution: Exploited Juniper Firewall vulnerabilities for unauthenticated remote admin access.

By implementing these recommendations, organisations can enhance their security posture and mitigate the risks associated with data breaches and cyber-attacks.
