The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities.
The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month.
According to an analysis of the messages by cybersecurity company Trellix, Black Basta’s alleged leader Oleg Nefedov (aka GG or AA) may have received help from Russian officials following his arrest in Yerevan, Armenia, in June 2024, allowing him to escape three days later.
In the messages, GG claimed that he contacted high-ranking officials to pass through a “green corridor” and facilitate the extraction.
“This knowledge from chat leaks makes it difficult for the Black Basta gang to completely abandon the way they operate and start a new RaaS from scratch without a reference to their previous activities,” Trellix researchers Jambul Tologonov and John Fokker said.
Among other notable findings include –
The development comes as EclecticIQ revealed Black Basta’s work on a brute-forcing framework dubbed BRUTED that’s designed to perform automated internet scanning and credential stuffing against edge network devices, including widely used firewalls and VPN solutions in corporate networks.
There is evidence to suggest that the cybercrime crew has been using the PHP-based platform since 2023 to perform large-scale credential-stuffing and brute-force attacks on target devices, allowing the threat actors to gain visibility into victim networks.
“BRUTED framework enables Black Basta affiliates to automate and scale these attacks, expanding their victim pool and accelerating monetization to drive ransomware operations,” security researcher Arda Büyükkaya said.
“Internal communications reveal that Black Basta has heavily invested in the BRUTED framework, enabling rapid internet scans for edge network appliances and large-scale credential stuffing to target weak passwords.”
