Risky Bulletin Episode Summary: RBTALKS6 with Will Thomas on the Black Basta Leaks
Released on March 4, 2025
Introduction
In the sixth episode of Risky Bulletin (RBTALKS6), host Kathleen Campano engages in an in-depth conversation with cybersecurity expert Will Thomas. The focus of their discussion centers on the recent leaks of internal communications from the Black Basta ransomware group. These revelations shed light on the group's operations, decision-making processes, and the broader implications for cybersecurity and law enforcement.
Background on the Black Basta Leak
Kathleen Campano:
"I invited Will to have a chat about something that happened earlier this month when internal chats leaked from the Black Basta ransomware group..." [00:19]
The leak, attributed to an individual known as "bastawhisperer," exposed approximately 200,000 messages from Black Basta's internal Matrix chat server, covering a year of the group's activities from September 2023 to September 2024. Despite significant dissemination across hacking forums, Telegram, and Mega, the origin of the leak remains unidentified.
Will Thomas:
"It almost feels like you're some sort of government agency that's gained access to all of these internal communications..." [02:11]
Thomas emphasizes the unprecedented access researchers have to the gang's internal deliberations, offering a rare glimpse into their operational mindset.
Analysis of the Ascension Health Attack
One of the central topics discussed is Black Basta's ransomware attack on Ascension Health, a major U.S. healthcare provider. This incident occurred shortly after a similar attack on Change Healthcare, which had disrupted the U.S. medical system significantly.
Thomas:
"As the news was breaking about the attack, the ransomware gang was actually paying attention to that as the news broke and sharing it amongst themselves..." [02:19]
Initially, Black Basta viewed the Ascension attack as a lucrative opportunity, demanding ransoms upwards of $28.7 million. However, as the gravity of the situation became apparent—impacting millions of patients and critical healthcare operations—the group's internal communications revealed a shift from greed to regret.
Notable Quote:
"We are pen testers and not killers." [02:35] – Will Thomas
This statement underscores a moment of ethical introspection within the group, contrasting their criminal activities with their self-perception.
Ransomware Gangs' Fear of Authorities
The discussion delves into Black Basta's apprehension towards law enforcement agencies like CISA and the FBI. Thomas highlights how these fears influence the group's operational decisions, including the cessation of attacks on major targets to avoid severe repercussions.
Thomas:
"They [Black Basta] mentioned takedowns by the FBI of the various botnets that they interact with..." [10:46]
This fear extends to concerns about sanctions and de-anonymization, which can severely disrupt the gang's operations and reputation.
Campano:
"...they are really, really scared of US authorities now." [10:29]
The fear of legal consequences acts as a deterrent, prompting the group to adopt more cautious strategies in their ransomware endeavors.
Rebranding and Organizational Structure of Ransomware Groups
A significant portion of the conversation addresses the phenomenon of ransomware groups rebranding to evade detection and continue their illicit activities. Black Basta's quick pivot following the Ascension Health leak is emblematic of this trend.
Thomas:
"From Conti going down, shutting down, shutting off the leak sites and things to Black Basta, Akira, Royal, all these other brands popping up was pretty short..." [18:40]
Rebranding allows these groups to maintain operational continuity despite setbacks. However, Thomas notes that while superficial changes are easy, altering underlying tactics, techniques, and procedures (TTPs) is challenging, enabling researchers to track and link different iterations of the group.
Notable Quote:
"If you do hit the wrong network, it can have real sprawling physical, real world impacts." [06:40] – Will Thomas
This highlights the tangible consequences of ransomware attacks, reinforcing the necessity for robust cybersecurity measures.
Implications for Cybersecurity and Law Enforcement
The episode concludes with reflections on the broader implications of the Black Basta leaks. Thomas suggests that while rebranding provides temporary relief for ransomware groups, persistent tracking of TTPs by cybersecurity professionals can mitigate their long-term efficacy.
Thomas:
"It's really hard for attackers to ultimately change these TTPs. And that's how, as researchers, we can track and make the connections between the sort of the original brand and the rebrand." [18:40]
Additionally, Thomas cautions about potential vulnerabilities arising from workforce reductions in agencies like CISA and the FBI, which could embolden ransomware gangs if not addressed.
Campano:
"Now, if we look at what's happening in the US right now, and we're seeing what the US government is doing to itself with all these mass firings..." [12:46]
Overall, the episode underscores the dynamic interplay between ransomware operators and cybersecurity defenses, emphasizing the need for continuous vigilance and adaptive strategies.
Conclusion
The Risky Bulletin episode featuring Will Thomas provides a comprehensive examination of the Black Basta leaks, offering valuable insights into the operational intricacies of ransomware groups. By dissecting internal communications, Thomas illuminates the psychological and strategic factors influencing these cybercriminals, while also highlighting the critical role of cybersecurity professionals and law enforcement in countering such threats.
Notable Takeaways:
- Internal leaks offer unprecedented visibility into ransomware group operations.
- Ethical considerations can influence the actions of cybercriminals.
- Fear of law enforcement and sanctions impacts ransomware strategies.
- Rebranding serves as a temporary shield for gangs but is insufficient against thorough analytical tracking.
- Organizational and workforce challenges within law enforcement may affect the efficacy of cybersecurity measures.
This summary is intended for informational purposes and reflects the discussions held in the Risky Bulletin podcast episode with Will Thomas.
