
lconstantin
CSO Senior Writer

Ransomware access playbook: What Black Basta’s leaked logs reveal

News Analysis
03 Mar 2025 | 6 mins
Ransomware

Analyzing leaked internal communication logs, security researchers are piecing together how one of the most notorious ransomware groups infiltrates its victims.


Black Basta, one of the most successful ransomware groups of the past several years, recently suffered a major leak of its internal communications. Analysis by security researchers shows that the logs offer a glimpse into the playbook of a high-profile ransomware group, and in particular into its preferred methods for gaining initial access to victims' networks.

“Key attack vectors used by Black Basta include scanning for exposed RDP [remote desktop protocol] and VPN services — often relying on default VPN credentials or brute-forcing stolen credentials to gain initial access — and exploiting publicly known CVEs when systems remain unpatched,” researchers from vulnerability management firm Qualys wrote in an analysis of the leaked logs.

Meanwhile, cyber threat intelligence firm KELA has correlated the 3,000 unique credentials present in the leaked logs with earlier data dumps from infostealing malware, suggesting relationships with other threat actors that collect and then sell such data.

“KELA has seen the actors sourcing credentials using vulnerabilities and phishing/spam campaigns, as well as using compromised email credentials and then looking for remote access credentials in the email conversations,” the KELA researchers wrote in a report. “Then, these credentials were either used as initial access vector or in lateral movement phase.”

The group also regularly relies on publicly known vulnerabilities in internet-facing devices, especially flaws for which proof-of-concept exploits are available. According to an analysis by researchers from vulnerability intelligence firm VulnCheck, the leaked Black Basta logs mention 62 unique CVEs.

Weaponized exploits and common misconfigurations

According to VulnCheck, 53 of the 62 CVEs mentioned in the logs are known to have been exploited in the wild, and 44 also appear in the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).

Some of the vulnerabilities mentioned in the logs are old but widespread, such as CVE-2022-30190, the remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT) known as Follina, which has been widely exploited through malicious Word attachments that abuse Office's remote template feature. Other well-known flaws include Log4Shell (CVE-2021-44228), Spring4Shell (CVE-2022-22965), and ProxyNotShell (CVE-2022-41040 and CVE-2022-41082).

The communication logs also show that Black Basta is generally quick to discuss newly released vulnerabilities, several of which the group appears to have been discussing before they were officially published: Fortinet FortiOS (CVE-2024-23113), the Bricks Builder WordPress theme (CVE-2024-25600), and the Exim mail transfer agent (CVE-2023-42115).

“Within days of new security advisories being issued, members discussed vulnerabilities related to products such as Citrix NetScaler, Check Point Quantum Security Gateways, ConnectWise ScreenConnect, Microsoft Office Outlook, Fortinet FortiSIEM, Palo Alto Networks PAN-OS, Atlassian Confluence Server and Data Center, Cisco IOS XE Web UI, Microsoft Windows, GitLab CE/EE, and Fortinet FortiOS,” the VulnCheck researchers found.

VulnCheck has also seen evidence suggesting that Black Basta members have the resources to develop new exploits, or have at least considered buying zero-day exploits from third parties. The group also regularly discussed a variety of tools and services useful for reconnaissance and offensive operations, including ZoomInfo, ChatGPT, GitHub, Shodan, Fofa, Metasploit, Core Impact, Cobalt Strike, and Nuclei.

Researchers from Qualys, whose vulnerability analysis mirrors VulnCheck's findings, also extracted from the logs some of the top misconfigurations that Black Basta's members appeared to be targeting.

These include SMBv1 left enabled on legacy systems; default credentials on publicly reachable devices, including servers, routers, VPN appliances, and other IoT devices; weak configurations of popular enterprise VPN products from Cisco, Fortinet, and Palo Alto Networks (GlobalProtect); RDP exposed to the internet without filtering on Windows servers; public AWS S3 buckets; open Jenkins CI/CD servers; weak MSSQL authentication; Citrix NetScaler misconfigurations; and orphaned DNS records for subdomains, which open the door to subdomain takeover.

Many of these vulnerabilities remain active targets. Attack detection platform GreyNoise reported this week that 23 of the 62 vulnerabilities mentioned in the Black Basta logs were actively exploited over the past 30 days, so organizations should immediately assess their exposure to them.
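One practical way to act on the VulnCheck and GreyNoise figures above is to rank the CVEs from the logs against the CISA KEV catalog and a recent-exploitation feed before patching. The script below is an added example written for this article; it is not code from VulnCheck, GreyNoise, Qualys or CISA. The KEV excerpt is constructed in the shape of the real KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`), but its dates and ransomware flags are placeholders, and the "recently exploited" set is a made-up stand-in for a GreyNoise-style feed, not their data.

```python
"""Rank CVEs discussed by a threat actor against CISA KEV and recent exploitation.

Added example for this article; the KEV entries and recent-exploitation set
are constructed placeholders, not real catalog or feed data.
"""
import json
from datetime import date

# Constructed KEV excerpt using the real feed's field names; values are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2022-30190", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2022-07-05", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
         "dueDate": "2022-04-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-23113", "vendorProject": "Fortinet", "product": "FortiOS",
         "dueDate": "2024-10-30", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVEs the article reports as appearing in the leaked chat logs.
LOG_CVES = [
    "CVE-2022-30190", "CVE-2021-44228", "CVE-2022-22965",
    "CVE-2024-23113", "CVE-2024-25600", "CVE-2023-42115",
]

# Constructed stand-in for a "seen exploited in the last 30 days" feed.
RECENT_EXPLOITATION = {"CVE-2024-23113", "CVE-2022-22965", "CVE-2024-25600"}


def load_kev(kev_json: str) -> dict:
    """Index a KEV-format JSON document by CVE ID."""
    doc = json.loads(kev_json)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def prioritize(cves, kev_index, recent, today):
    """Assign each CVE a tier and a list of reasons, most urgent first.

    Tier 1: in KEV and exploited recently; tier 2: in KEV; tier 3: exploited
    recently but not (yet) in KEV; tier 4: neither. Within a tier, CVEs that KEV
    flags for ransomware use sort first, then by ID for a stable order.
    """
    ranked = []
    for cve in cves:
        entry = kev_index.get(cve)
        in_kev = entry is not None
        is_recent = cve in recent
        ransomware = bool(entry and entry.get("knownRansomwareCampaignUse") == "Known")
        reasons = []
        if in_kev:
            reasons.append(f"in CISA KEV ({entry['vendorProject']} {entry['product']})")
            if date.fromisoformat(entry["dueDate"]) < today:
                reasons.append("KEV due date passed")
            if ransomware:
                reasons.append("KEV flags ransomware use")
        if is_recent:
            reasons.append("exploitation observed in last 30 days")
        if in_kev and is_recent:
            tier = 1
        elif in_kev:
            tier = 2
        elif is_recent:
            tier = 3
        else:
            tier = 4
            reasons.append("not in KEV; verify exploit availability and exposure manually")
        ranked.append({"cve": cve, "tier": tier, "ransomware": ransomware, "reasons": reasons})
    ranked.sort(key=lambda r: (r["tier"], not r["ransomware"], r["cve"]))
    return ranked


def summarize(ranked):
    """Group ranked CVE IDs by tier for a quick patch-order view."""
    return {t: [r["cve"] for r in ranked if r["tier"] == t] for t in (1, 2, 3, 4)}


def example_ranking():
    """Run the ranking on the constructed data as of the article's date."""
    return prioritize(LOG_CVES, load_kev(KEV_SAMPLE), RECENT_EXPLOITATION, date(2025, 3, 3))


if __name__ == "__main__":
    for r in example_ranking():
        print(f"tier {r['tier']}  {r['cve']}: {'; '.join(r['reasons'])}")
```

To use it against real data, replace `KEV_SAMPLE` with the downloaded KEV JSON and `RECENT_EXPLOITATION` with whatever exploitation telemetry you subscribe to; the ranking logic is unchanged. Tier 3 matters: a CVE with observed exploitation that has not yet reached KEV is exactly the window the logs show the group exploiting.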

From infostealer to ransomware

Infostealers are malware programs designed to harvest login information stored in browser password stores and other applications. They are increasingly offered as a service on cybercriminal forums, and according to a recent study their prevalence has increased three-fold over the past year, while the volume of data they steal, known as infostealer logs, traded on the dark web has grown by 50% over the same period.

KELA researchers highlight one example in which such information enabled Black Basta attackers to compromise a Brazilian software and technical support company. The company was breached around Oct. 18, 2023, using RD Web Access (RDWeb) login credentials that had first appeared in infostealer logs in March 2023.

Evidence from the Black Basta logs shows the attackers sharing additional hashed credential dumps from the company, suggesting they were engaged in lateral movement. The credentials sat in an infostealer data dump for more than six months before the attackers put them to use, but once they did, it took only two days to compromise the company, exfiltrate data for extortion, and deploy the ransomware.

Worse, the same infostealer log that contained the initial access credentials also contained 50 other credentials, some of which appear to belong to the Brazilian software company's clients. The KELA researchers conclude that the data was likely stolen from the machine of a technical support employee.

“This structured approach, from initial access to data theft and public extortion, showcases Black Basta’s strategic use of compromised credentials, internal reconnaissance, and victim profiling to maximize the impact of their ransomware campaigns,” the researchers wrote.
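The KELA case above is the defender's cue to treat infostealer logs as an exposure feed: parse them, pick out credentials for remote-access logon pages (RDWeb, SSL VPN, OWA and similar), separate your own domains from third parties such as clients, and look for password reuse across portals. The script below is an added example for this article, not code or data from KELA or Black Basta. The log excerpt is constructed: the hosts, usernames and passwords are invented, and its layout (URL/Username/Password/Application blocks separated by a rule of `=`) follows the common export format of RedLine-style stealers, which is an assumption about your input, not a fixed standard. The portal URL patterns are the well-known default logon paths of those products.

```python
"""Triage an infostealer-style credential dump for remote-access exposure.

Added example for this article. SAMPLE_LOG is constructed; every host,
username and password in it is made up.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = """\
URL: https://rdweb.soft-example.com.br/RDWeb/Pages/en-US/login.aspx
Username: suporte.tecnico
Password: Outubro2023!
Application: Google Chrome (Default)
===============
URL: https://vpn.cliente-alpha.com.br/remote/login
Username: suporte.tecnico@soft-example.com.br
Password: Senha#2023
Application: Google Chrome (Default)
===============
URL: https://mail.soft-example.com.br/owa/auth/logon.aspx
Username: suporte.tecnico
Password: Outubro2023!
Application: Microsoft Edge
===============
URL: https://www.facebook.com/login
Username: someone@gmail.com
Password: hunter2
Application: Google Chrome (Default)
===============
URL: https://portal.cliente-beta.com.br/+CSCOE+/logon.html
Username: suporte
Password: Cisco123
Application: Google Chrome (Default)
===============
"""

# Default logon paths of common remote-access products; matched against the URL path.
PORTAL_PATTERNS = [
    ("RD Web Access", re.compile(r"/rdweb/", re.I)),
    ("Fortinet SSL VPN", re.compile(r"/remote/login", re.I)),
    ("Palo Alto GlobalProtect", re.compile(r"/global-protect/", re.I)),
    ("Citrix Gateway", re.compile(r"/vpn/index\.html", re.I)),
    ("Cisco ASA WebVPN", re.compile(r"/\+CSCOE\+/", re.I)),
    ("Outlook Web Access", re.compile(r"/owa/", re.I)),
]


def parse_stealer_log(text):
    """Split 'Key: value' blocks separated by blank lines or '====' rules into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= {"="}:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; URLs keep theirs
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def classify_portal(url):
    """Return the remote-access product a logon URL belongs to, or None."""
    path = urlparse(url).path
    for label, pattern in PORTAL_PATTERNS:
        if pattern.search(path):
            return label
    return None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(records, watched_domains):
    """Return (own, third_party) lists of remote-access credentials.

    'own' covers hosts under the watched domains; 'third_party' is everything
    else, which for a support company means its clients' portals. Passwords are
    not copied into the output, only whether one is present.
    """
    own, third_party = [], []
    for rec in records:
        url = rec.get("url", "")
        portal = classify_portal(url)
        if not portal:
            continue
        host = _host(url)
        hit = {"host": host, "portal": portal, "username": rec.get("username", ""),
               "has_password": bool(rec.get("password"))}
        if any(host == d or host.endswith("." + d) for d in watched_domains):
            own.append(hit)
        else:
            third_party.append(hit)
    return own, third_party


def reused_passwords(records):
    """Map usernames to the set of hosts where the same username/password pair recurs."""
    seen = {}
    for rec in records:
        key = (rec.get("username", ""), rec.get("password", ""))
        seen.setdefault(key, set()).add(_host(rec.get("url", "")))
    result = {}
    for (user, _), hosts in seen.items():
        if len(hosts) > 1:
            result.setdefault(user, set()).update(hosts)
    return result


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_LOG)
    own, third = triage(recs, ["soft-example.com.br"])
    print("own portals:", own)
    print("third-party portals:", third)
    print("reused:", reused_passwords(recs))
```

On the constructed sample the RDWeb and OWA entries land in the own-domain list, the Fortinet and Cisco entries are flagged as third-party (client) portals, the Facebook login is ignored, and the support account is caught reusing one password across two portals. Any hit in either list should trigger a reset and a check of the authentication logs for that portal going back to the date the log first appeared, since the case above shows the gap between theft and use can be months.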