The Black Basta ransomware group has fallen off dramatically in 2025, and chat logs leaked recently show that internal squabbling may be behind the group’s slowed activity.
Cyble threat intelligence researchers documented 189 Black Basta victims in 2024. Nearly two months into 2025, that number has fallen to eight. Two weeks ago, a Telegram user who goes by ExploitWhispers leaked the group’s chat logs, which revealed infighting and disagreement over targets among Black Basta members.
What might be more useful, however, is an examination of what the chat logs tell us about Black Basta TTPs (tactics, techniques and procedures). So we queried a ChatGPT instance set up by security researchers to examine the Black Basta data, which includes nearly 200,000 chat messages sent between September 2023 and September 2024, to glean indicators of compromise (IoCs), TTPs and more.
The chat logs appear to include new information on the group beyond what had previously been reported by CISA and others, including newer vulnerabilities under discussion by group members.
Black Basta first appeared in April 2022, likely formed by former members of the Conti and REvil ransomware groups, and Cyble has since documented 528 victims of the group.
Black Basta TTPs Revealed by Leaked Chat Logs
According to the chat logs, Black Basta favors compromised remote access points for initial access, such as use of Remote Desktop Protocol (RDP) and VPN credentials.
Malicious scripts follow, including use of VBS (Visual Basic Script) files to execute malicious payloads, and command execution via rundll32.exe, a common method for running DLL-based payloads.
File names such as drs1312_signed.zip suggest the use of digitally signed executables to evade detection.
Numerous discussions about ESXi hypervisor vulnerabilities included mentions of systems allowing default passwords, and several leaked login credentials for various services suggest that the group employs credential stuffing, brute force, and/or phishing tactics.
Command and Control (C2) is established through SOCKS proxy servers and SSH command execution, with rotating domains for malware downloads and C2 communication.
Black Basta also uses obfuscation and encryption techniques, with group members discussing antivirus (AV) evasion tactics, and files like e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip indicate whole-system encryption tactics. Discussions also mentioned custom-built AV/EDR disablers, and Qakbot trojan evasion, injection and persistence mechanisms.
The group used Cobalt Strike with multiple modifications, including a custom-built Artifact Kit for modifying Cobalt Strike payloads, the Elevate Kit to integrate privilege escalation exploits, the Sleep Mask Kit for memory obfuscation and AV evasion, and the Mutator Kit to modify compiled binaries. Mimikatz is another frequently used tool.
Members have also spoofed IT calls, posing as IT support to obtain access and bypass security.
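As an added example (not from the article or from Cyble's research), the following script runs three defender-side checks for the behaviours described above over constructed Sysmon-style JSON records: a script host (wscript/cscript) handing execution to rundll32.exe, rundll32.exe launched with no arguments, and an RDP (logon type 10) logon from outside the assumed internal address ranges. The record shape, the sample log lines and the internal ranges are assumptions for the demonstration.

```python
import ipaddress
import json
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed internal ranges; a real deployment would use the org's own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a Sysmon-like shape (not real telemetry).
SAMPLE_LOG = r"""
{"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32.exe C:\\Users\\Public\\drs.dll,Start", "parent_image": "C:\\Windows\\System32\\wscript.exe"}
{"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32.exe shell32.dll,Control_RunDLL", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "logon", "logon_type": 10, "source_ip": "203.0.113.7", "user": "svc_backup"}
{"type": "logon", "logon_type": 10, "source_ip": "10.20.1.5", "user": "helpdesk"}
"""


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def check_record(rec: dict) -> list:
    """Return the names of the rules a single record triggers (empty list if none)."""
    hits = []
    if rec.get("type") == "process" and _base(rec.get("image", "")) == "rundll32.exe":
        # VBS payload stage: a script host handing execution to rundll32.
        if _base(rec.get("parent_image", "")) in SCRIPT_HOSTS:
            hits.append("script_host_to_rundll32")
        # rundll32 with nothing to load is a common host for injected code.
        if len(rec.get("command_line", "").split()) < 2:
            hits.append("rundll32_without_arguments")
    elif rec.get("type") == "logon" and rec.get("logon_type") == 10:
        # Interactive RDP logon that did not originate inside the assumed ranges.
        ip = ipaddress.ip_address(rec["source_ip"])
        if not any(ip in net for net in INTERNAL_NETS):
            hits.append("rdp_logon_from_public_ip")
    return hits


def scan(log_text: str) -> list:
    """Parse JSON lines and return (record_no, subject, rules) for every hit."""
    findings = []
    for n, line in enumerate(filter(None, map(str.strip, log_text.splitlines())), 1):
        rec = json.loads(line)
        rules = check_record(rec)
        if rules:
            findings.append((n, rec.get("user") or _base(rec["image"]), rules))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```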
Vulnerabilities Targeted by Black Basta
The chat logs contain a long list of vulnerabilities under discussion by Black Basta members, ranging from Linux and Windows vulnerabilities to flaws in network devices, open-source frameworks, IT tools and more, and in some cases the group appears to have chained vulnerabilities together.
Specific CVEs targeted by Black Basta include:
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability
- CVE-2021-44228: The Log4j “Log4Shell” vulnerability
- CVE-2022-22965: Spring Framework “Spring4Shell” vulnerability
- CVE-2022-1388: F5 BIG-IP REST authentication vulnerability
- CVE-2022-0609: Use after free vulnerability in Animation in Google Chrome
- CVE-2017-11882: Microsoft Office memory corruption vulnerability
- CVE-2022-41082 and CVE-2022-41040: the Microsoft Exchange “ProxyNotShell” vulnerabilities
- CVE-2022-27925 and CVE-2022-41352: Zimbra Collaboration vulnerabilities that were used together to gain access and execute a reverse shell
- CVE-2022-26134: Atlassian Confluence RCE vulnerability
- CVE-2022-30525: Zyxel RCE vulnerability
More recent vulnerabilities under discussion by the group have included:
- CVE-2024-21762: Fortinet FortiOS RCE
- CVE-2024-3400: GlobalProtect RCE in Palo Alto Networks PAN-OS
- CVE-2024-1709: ConnectWise ScreenConnect RCE
- CVE-2024-26169: Windows Error Reporting Service elevation of privilege vulnerability
- CVE-2024-23897: A Jenkins CI/CD pipeline vulnerability
- CVE-2024-1086: A use-after-free vulnerability in the Linux kernel’s netfilter (nf_tables) component
Black Basta File Hashes and Indicators of Compromise (IoCs)
From ransomware files and malware samples to C2 IPs, domains, and compromised credentials, the chat logs also revealed a range of Black Basta indicators of compromise (IoCs).
Ransomware files include:
- e6393196-f020-4c2f-88fc-45ff7e22794f_encrypt_release_allsystem_x64.zip
- zip
- CVE-2022-27925-zimbra_Revshell.zip (a backdoored Zimbra exploit)
Black Basta has been associated with various malware families, including RemcosRAT, AgentTesla, FormBook, and GuLoader. File hashes from shared malware samples include:
- Remcos RAT: c5793613219a782eb08205921a3f9ed97c2c74de18e0cd36008046d1a5e1288e
- Agent Tesla: 50d414576bf441cca754e6e3b96dabdf35fed443ecb98f865dc89e623bc2f0e9
- Formbook: e19dfc72ad2eea815ef6b4eb9b812471b3bb3cf40333d97e3c552c87db86e65a
- GuLoader: 5a2f52bb90ed8a2fd9bc0e07937684ac9b9389cdd112760f8dc96e16aa63d513
The chat logs also list IP addresses used by the group for botnet communication, command-and-control (C2), and proxies, including addresses used for shell, SOCKS and FTP access and in UK-based attacks.
The Biggest Ransomware Group Leak Since Conti
The Black Basta chat log leak is likely the biggest leak to hit a ransomware group since Black Basta predecessor Conti was hit by a source code leak in 2022.
So while the infighting is certainly entertaining and sheds light on the group’s dynamics, the many tactical details revealed provide a rich data source for threat intelligence researchers and security teams whose job is to stop and respond to threats from Black Basta and others who may adopt its tactics.