
Ransomware Gang Leak Shows Stolen Passwords, 2FA Codes Driving Attacks
A recent leak of internal chat logs from the notorious Black Basta ransomware group has provided a rare glimpse into the inner workings of these malicious actors. The leaked data reveals that stolen passwords and two-factor authentication (2FA) codes are driving attacks and highlights the urgent need for enterprises to prioritize patching strategies, tighten access controls, and expedite incident response protocols.
The leak, which spans 200,000 private messages between Black Basta members on the Matrix messaging platform from January 2023 to September 2024, has been analyzed by leading threat intelligence agencies. The findings confirm that compromised Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), and security portals are being exploited as initial attack vectors.
Infostealer malware has also emerged as a critical factor in the success of Black Basta’s attacks. This type of malware is designed to harvest sensitive information, including usernames, passwords, and authentication data for a wide range of services. In one analyzed attack, credentials that had been stolen six months earlier were used for initial access, showing that stolen credentials retain their value long after the original theft. The severity of this breach highlights the importance of implementing immediate patching strategies and enforcing tighter access controls.
Furthermore, the leaked data reveals that phishing campaigns targeting Microsoft services like Office 365 and Azure are being used to intercept login credentials and session cookies, bypassing Multi-Factor Authentication (MFA) protections. In addition, Black Basta has been found to use brute-force attacks against VPN, firewall, and remote-access products, including Citrix, Checkpoint, SonicWall, Pulse Secure, ScreenConnect, GlobalProtect, Juniper Secure Connect, RDP, and RDWeb.
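Defenders can spot the password-guessing pattern described above in their own VPN and RDP authentication logs. The following is an added example, not code from the article or from any of the vendors named: it flags a source address that racks up many failed logins in a short window and reports whether a successful login followed. The log format and sample lines are constructed for illustration.

```python
# Added example: detect password-spraying / brute-force bursts against
# VPN or RDP portals in constructed auth logs, and flag a success that
# follows a burst (a likely compromised account worth investigating).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <service> <result> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T02:00:01 vpn FAIL user=alice src=203.0.113.7
2024-03-01T02:00:03 vpn FAIL user=bob src=203.0.113.7
2024-03-01T02:00:05 vpn FAIL user=carol src=203.0.113.7
2024-03-01T02:00:07 vpn FAIL user=dave src=203.0.113.7
2024-03-01T02:00:09 vpn FAIL user=erin src=203.0.113.7
2024-03-01T02:00:12 vpn OK user=erin src=203.0.113.7
2024-03-01T09:15:00 rdp FAIL user=alice src=198.51.100.4
2024-03-01T09:30:00 rdp OK user=alice src=198.51.100.4
"""

def parse(line):
    """Split one constructed log line into (timestamp, service, result, user, src)."""
    ts, service, result, user, src = line.split()
    return (datetime.fromisoformat(ts), service, result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def find_brute_force(log_text, window=timedelta(minutes=10), threshold=5):
    """Return one alert per source that has >= threshold failures inside
    `window`, listing the users whose login later succeeded from that source."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            by_src[event[4]].append(event)
    alerts = []
    for src, events in by_src.items():
        events.sort()  # chronological; timestamp is the first tuple element
        fails = [e for e in events if e[2] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            if len(burst) >= threshold:
                later_ok = [e for e in events if e[2] == "OK" and e[0] >= first[0]]
                alerts.append({
                    "src": src,
                    "service": first[1],
                    "failures": len(burst),
                    "distinct_users": len({e[3] for e in burst}),  # many users = spraying
                    "success_after": [e[3] for e in later_ok],
                })
                break  # one alert per source is enough for triage
    return alerts
```

A high distinct-user count with a single source is the spraying signature; a success following the burst should be treated as a probable account compromise rather than a noisy user.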
The analysis also suggests that Black Basta operates as a business-like entity, prioritizing strategic partnerships with other ransomware groups to share intelligence, revenue-based targeting using industry tools to select victims based on available financial data, and even monitoring reputations in cybersecurity reports. This finding underscores the importance of understanding the sophisticated nature of cybercrime.
As Saeed Abbasi, a manager at Qualys Threat Research Unit, pointed out, “Understanding the business-like nature of cybercrime is critical for defenders.” Black Basta’s tactics are a stark reminder that these malicious actors think strategically, adjust to market conditions, and deal with internal conflicts – just like any legitimate enterprise.
Without immediate action to address these vulnerabilities, the fight against ransomware could be over before it begins.