What 200,000 Leaked Messages Reveal About The Future Of Ransomware

Posted by Yuriy Bulygin, Forbes Councils Member


Yuriy Bulygin is CEO and co-founder of Eclypsium.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles,” wrote Sun Tzu in The Art of War more than two millennia ago. Sun Tzu’s timeless wisdom rings especially true in the modern era of cybersecurity. To defend against an adversary, you must first understand how they operate. Understanding how adversaries think, operate and execute their attacks is one of the most effective ways to fortify your defenses.

Recently, security researchers were handed a rare gift: a glimpse into the inner workings of Black Basta, one of the criminal world’s more sophisticated ransomware groups. Over 200,000 chat logs, written in Russian, were leaked by a disgruntled team member, offering a trove of valuable threat intelligence. This rare look into the inner machinations of a prominent ransomware gang reveals not only their techniques and tactics but also their collective mindset.

Like other sophisticated ransomware groups, Black Basta operates with surprising discipline. The leaked chat logs reveal a well-structured organization that runs more like a Fortune 500 corporation than a rogue hacking syndicate: They keep regular working hours, adhere to a hierarchical management structure and employ collaboration tools similar to Slack, where they engage in lively discussions about vulnerabilities, exploit development, target selection and how to negotiate ransoms effectively.

Although rare, this isn’t the first time a ransomware gang’s chats have leaked. In 2022, the same happened to the Conti ransomware group. That leak revealed research into low-level attacks such as firmware implants on the manageability components of common computer systems. This new Black Basta leak not only sheds more light on the inner workings of a shadowy criminal organization but also represents a gold mine of threat intelligence for security professionals, showing us evolutions and behavioral shifts in how these attackers identify, infiltrate and exploit their targets.

So, what does this latest cache of threat intelligence tell us about the nature of today’s cyber threats? More importantly, what practical steps should security leaders take to bolster their defenses against the next wave of ransomware attacks?

What We’re Learning From The Black Basta Leak

Gone are the days of rudimentary “spray and pray” ransomware campaigns often initiated by a simple phishing lure. Black Basta’s internal discussions reveal a systematic and multipronged approach, both in how they select their victims and the vulnerabilities they aim to exploit, all to ensure maximum financial returns. They carefully profile targets, assess the potential ransom they can extract and even weigh the political risks of attacking certain organizations.

One of the more concerning revelations detailed in the leaks is Black Basta’s focus on gaining a foothold and moving laterally through network and security infrastructure from entrenched security vendors like Palo Alto Networks, Cisco and Ivanti. Vulnerabilities in VPNs, firewalls, load balancers, routers and switches were all referenced in the leaked chats. Over 60 CVEs were mentioned, including some that were also featured in CISA’s list of Top Routinely Exploited Vulnerabilities. The group also discussed successful exploits of networked printers, recognizing that many organizations continue to overlook them as a security risk.

Black Basta also appears to have operated with remarkable efficiency. In one instance, it took just two days for them to compromise a victim’s network, exfiltrate sensitive data and deploy their ransomware payload. Their ability to move quickly across multiple attack vectors means that organizations must detect and respond to intrusions in real time and disrupt the attack before critical data is stolen or encrypted beyond recovery.

Although Black Basta takes advantage of known vulnerabilities, the chat logs also suggest they’re actively developing or acquiring their own zero-day exploits. This is a serious escalation, as zero-day vulnerabilities are much harder to defend against because they can be exploited before a patch even exists, leaving organizations blind to the threat until it’s too late.

Three Critical Strategies To Fortify Enterprise Defenses

Although the standard security advice of patching regularly and using multifactor authentication still applies, the Black Basta leak reinforces the need for more proactive and strategic defenses. Here are three key takeaways for enterprise security leaders:

1. Device-level protection is essential.

The leaked chats confirm that ransomware groups actively probe network infrastructure, routers, VPN appliances and even firewalls for vulnerabilities. These devices must be hardened against attackers seeking stealthy persistence. Organizations must ensure they can verify the integrity of all connected devices, actively monitor them for unexpected changes and, most critically, secure firmware and hardware layers of appliances and black-box components against attacks.

2. Reduce your attack surface.

Black Basta attackers frequently scan the internet for vulnerable systems, especially network appliances and remote desktop protocol (RDP) instances with unpatched vulnerabilities. Security teams must ensure that they disable unnecessary external services, limit public exposure of critical assets and enforce strict access controls on internet-facing systems.

3. Limit lateral movement with segmentation.

The leaked messages confirm that once inside a network, attackers like Black Basta can quickly move laterally to maximize their access and impact. Network segmentation, segmentation of management interfaces in network appliances and segmentation of BMC management interfaces in servers are all critical for internal hardening to impede attacker progress and prevent widespread damage. Security teams should separate critical systems from general user networks, enforce robust identity and access management to limit credential misuse and implement behavioral monitoring to detect unusual movement inside the network. In particular, the prevalence of vulnerabilities in manageability interfaces and the criticality of privileged access merit strong segmentation of these interfaces.

The Black Basta leak represents a unique opportunity to gain insights directly from the attackers themselves. Over the coming months, security researchers will continue analyzing this vast repository of data, uncovering new tactics, techniques and vulnerabilities. For enterprise security leaders, the key takeaway is clear: Modern ransomware operators are increasingly disciplined, well-organized and relentless. In the art of cyber war, knowledge is power. With this Black Basta leak, we’ve been handed a powerful weapon. The question is, how will you use it?


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.




