Black Basta chat leaks reveal details on ransomware infrastructure

Leaked chat logs and forum posts from the Black Basta malware group in March has provided security vendors with some key insights on the technical infrastructure and techniques employed by the notorious cybercrime gang.

In its latest quarterly threat report, security vendor ReliaQuest provided a deep look into the inner workings of the malware operation, including the techniques, tools and tricks it uses for its ransomware attacks.

The report detailed not only the initial access vectors for the group’s network intrusions, but also the privilege escalation and insistence tools, exfiltration and extortion methods, and ransomware deployment tools.

In each category, multiple tools and methods were employed, suggesting that the crew had more than one option at its disposal in each step of the intrusion, exfiltration and cash-out process.

The ReliaQuest team told SC Media that while the investigation didn’t uncover any new or particularly unknown finds, it provided them with a far more detailed and extensive overview into how Black Basta operates.

It also provided a possible clue as to how the leak of the logs might have come about and what the group knew ahead of time.

“The most interesting piece is that the attacks dropped off completely just before the chat log leak,” the researchers explained, “suggesting possible fragmentation within the group or a temporary pause while they reestablish trust and prepare to reconduct operations.”

The Black Basta investigation was one of a number of findings the security vendor listed in its quarterly report on the state of ransomware attacks over the first quarter of the calendar year.

Clop claims nearly 400 victims in Q1 2025

Also of note was a surge in attacks from a ransomware operate known as Clop. The group smashed previous high water marks by announcing a massive total of 389 victims in the quarter alone, making Clop the most prolific ransomware group in operation and represented a 1,400% increase over its activity in the previous year’s quarter.

It is believed that the soaring level of attacks from Clop stems from the group’s ability to get its hands on a pair of zero-day exploits for a popular managed file transfer tool.

CVE-2024-50623 and CVE-2024-55956 are a pair of flaws in Cleo, an e-commerce platform retailers used to handle transactions, order fulfillment, and supply chain coordination. The tool is popular with retailers as a full-stack solution for managing online storefront operations.

The ReliaQuest team told SC Media that it is likely the group was able to exploit the flaw towards the end of last year before Cleo could get its patch for the flaws deployed to customers.

“Most of the impacted organizations were listed on the group’s data-leak site by February 2025,” ReliaQuest said.

“Ransomware groups typically delay listing impacted organizations on their data-leak sites to allow time for negotiations and operational processes.”

Clop’s massive gain was contrasted by a slight drop from another top ransomware group, RansomHub. The researchers logged a 1% drop in activity from RansomHub attacks in Q4 2024.

The drop was attributed in part to affiliates leaving the group. While this would seem like a good thing on the surface, ReliaQuest warned that it could have long-term ramifications as those affiliates could take the tricks and methods they learned with RansomHub to other ransomware platforms, something that could make attacks more potent and complicate the attribution process.