Loading summary
A
Foreign.
B
This is Katanin Campano and this is a Risky Business interview with Will Thomas, the co founder of CTI Community Research Project curated intelligence and author and instructor at the SANS Institute. Welcome, Will.
A
Thanks, Kathleen. Thanks for having me on.
B
I invited Will to have a chat about something that happened earlier this month when internal chats leaked from the Blkbasta ransomware group. Chats that expose quite a lot of information. The leak, I don't think after a week we know where exactly it originated, but it was everywhere. On hacking forums, Telegram, Mega. An individual going by the name of bastawhisperer allegedly leaked the internal chat logs of the black Basta gang they extracted from a Matrix chat server. The leak contains about 200,000 messages, so it's quite a lot of them. I don't think anyone them from start to finish, but they only cover about one year of the group's activity from September 2023 to September 2024. So it's not up to the latest development with the gang. The security firm which first spotted the leaks product says they've been monitoring the gang and the group basically kind of stopped all the activity at the start of the year. So there's three months missing from the leak which might have showed how the gang disbanded, but they're not in there. So we're here to talk about what's in there. I know you published a blog post last week when you specifically looked at the group and how they ransomed a US Healthcare chain named Ascension Health. The attack took place a few months after another ransomware attack on a US Healthcare provider named Change Healthcare basically crippled a lot of the US medical system like it was a big deal. Even in mainstream media, where the White House were constantly being asked, what's being done to restore access to medical payments through Change Healthcare systems. It was a very big deal. And initially when Blkbasta ransomed Ascension Health, they realized, oh my God, we hit another major provider, we're going to pay. They're basically salivating in the chats, but they quickly realized they kind of screwed up. So what's the story of that attack?
A
Thanks so much, Caitlin. Yeah, thanks for providing that background info. I think it's been a really interesting case of going through hundreds of thousands of messages, right. Trying to piece this all together step by step and trying to get into the head of the adversaries whilst they're. Because the chat messages are live from when they're actually dealing with it at the time of the event. So you can really feel like you're Sat in the room with them, watching them, trying to handle this. You almost. One of the sudden realizations I had while I was going through these messages was that it almost feels like you're some sort of, you know, government agency that's, you know, gained access to all of these internal communications. But the fact that they've leaked, they've kind of, you know, we all have access to it. So that's really interesting. But basically, from going through these chats, you know, as I was starting to uncover the mystery of this Ascension Health incident, I was coming across all sorts of interesting messages. In one case, to another company, they demanded a 28.7 million US dollar ransom initially. And then there's another message I came across where one of the companies agreed to pay, like a $750,000 ransom from the UK. So it's all sorts of really crazy stuff in these chat logs, but as I started to pick up on this case of Ascension Health, I could see the adversaries going from, yes, from thinking that it's going to be a massive payday, to suddenly having regret, having instant regret, being worried about people dying and having cancer patients, delayed appointments, or the maternity ward being impacted and ambulances being redirected. So as the news was breaking about the attack, the ransomware gang was actually paying attention to that as the news broke and sharing it amongst themselves, making comments. And there was this very poignant message that some of them were repeating, which was, we are pen testers and not killers. Which is a pretty interesting thing to come across without. This is something we would learn without ever seeing it ourselves, without having access to this chat log. But it's quite evident from these messages, as they were handling the intrusion, that they began to realize basically a massive mistake that they've made. And the money, the idea of getting millions of dollars quickly turned into panic and paranoia.
B
Your blog post mentions that the EO eventually just gave up and gave as sanctioned the free decryption key, correct?
A
Yeah. So this is like. That was probably one of the most interesting findings, was that from the news, we kind of hear about Ascension getting attacked, and then we hear about a source close to the incident anonymously told the media that it was Black Basta. And that's kind of all we really knew until Pink Ascension's financial declarations came out, and we heard about how many people were impacted, which was something like 5.6 million patients. And then, you know, how long they were out. So out for like six weeks. But the funny thing is, like, the ransomware gang decided to basically give up and realize that they made such a massive mistake that they're going to give the decryptor over and even delete the data and even share a screenshot proving that they've deleted the data. And this is actually a very similar scenario to a situation I also investigated back in, I believe in 2021 or 2022, which was when the Irish health service executive, the Irish hse, was attacked by Conti. I actually came across the negotiation chat logs between the Irish HSE and Conti as well. And Conti actually did the same thing. So Conti actually decided to give the Irish HSE a free decryptor as well. And as we know, Blackbasta is actually basically made up of former Conti members. So it seems to be something that they recognize as, you know, kind of a playbook. Right. Once, once you hit a medical center, once it breaks the news, then you kind of step away, give up, and give over the free decryptors.
B
I'm glad that's also one of the things you saw in the chats, because my take was true that they were very afraid of damaging outcomes such as loss of life. They also fear major or outages, such as a similar incident from what happened Colonial Pipeline, where it caused massive fuel outages across the US and then the White House eventually put pressure on Russia, the Kremlin, and that led to arrests in Russia of ransomware operators, which was kind of shocking at the time when it happened because they rarely do anything against ransomware gangs. Now what I see there is a fear that can be exploited, right? Like this actually makes them really, really vulnerable to, let's say, posting stories, PR setup, or like, you can just manipulate them. Just if you're a victim, you can go to journalists and say, oh my God, people lives at risk. We might stop the surface to a huge chunk of the U.S. like, do you see this as a weakness on their part that can be exploited by law enforcement and victims to obtain a free decryption key?
A
I kind of can see that being an option. That's one of the main takeaways I try to explain in the blog is the fact that, yes, they are afraid of their own government. Right? Like, a lot of these ransomware gangs are based in Russia. They have members based in Russia, other countries as well. Maybe even there's kind of a trend of Russian nationals living abroad launching these ransomware attacks are the ones that we hear about being arrested. All the others are probably safely tucked up within the country. But they do actually appear to have a Fear of getting arrested by their own, you know, the police, but because of causing too big of an international incident. The funny thing about ransomware is if you do hit the wrong network, it can have real sprawling physical, real world impacts. Like with Colonial Pipeline. I think to most ransomware gangs that was basically a red line for them. They said, let's not attack giant organizations, critical infrastructure organizations, because then it's going to come back on us and have blowback on us. And they kind of assume that their own government knows who they are, it seems, and it's not too surprising really. But the fact that because of such other incidents have taken place, they are now appear to be a lot more cautious about who they attack or even if they do end up attacking, then they just kind of give over a free decryptor. I think the other thing to point out with these ransomware gangs is there seems to be kind of, it's not the most well organized type of structure, right? It seems to be, you know, that there's a management level that deals with, you know, ransom negotiations and money laundering and data leak, running the data leak blog and that kind of stuff. But then you also have these affiliates and these initial access brokers that are kind of a little bit disconnected right from the, you know, the main group, the RAAS operators, so to speak. And the affiliates are the ones that ultimately push the button to encrypt the systems. Right. And they don't really seem to have as much control over those as we think.
B
They also push for ransom payments rather than free decryption keys, or at least that's what I understood when reading those chats. Like they're the rogue elements in these services usually. Like even if they know a RAAS platform has rules, they rarely stick to them. So that's what I got from it.
A
Yeah, I think that's a valid point to take away as well. You know, there was multiple occasions where this happened with lockbit as well. In the lockbit ras they particularly had rules that said you cannot attack hospitals. There was numerous occasions where they still did anyway. So yeah, it is the affiliates that are the ones that there's kind of a lot of power in their hands and there's not that much control over them.
B
Well, from the leaked chats, it was also very obvious that Black Bastard was absolutely terrified of CISA and the FBI, probably because they feared a hack back action, maybe sanctions and more like they're really, really scared of US authorities now. Did you get the same feeling from reading all these chats?
A
I did I did. I got the same feeling. They mentioned it multiple times. They even mentioned takedowns by the FBI of the various botnets that they interact with. So a lot of these ransomware gangs, they gain initial access via sort of malicious email spam campaigns, or mal spam campaigns, as we call them as researchers. And one of the main mal spam campaigns that blackmaster used to rely on was Quackbot for initial access. And then the FBI basically were able to hack back, get into the command and control servers, and uninstall the entire botnet. So that was a major disruption for them that probably, you know, cost them a lot of money to kind of rebuild and retool. And for these ransomware games, it's all about the money, right? Anytime you can impose cost on them, you can, you can cause them to lose money, that is definitely going to alter their behavior. And then the other thing they mentioned as they were thinking about dealing with this case and how they're going to get the highest ransom, whether they're even going to get a ransom payment, is they were mentioning, yes, things like sanctions. So Evil Corp, another ransomware gang, has been sanctioned by the U.S. treasury OFAC Department. And basically, anytime an organization is hit by a ransomware family affiliated with Evil Corp, the companies were very, the victims were very reluctant to ever pay the ransom due to these sanctions. So for ransomware gangs, getting sanctioned is not great for business. It means they have to rebrand. It means they have to try and they go offline and go undercover for a bit and pop up later, potentially, or retooled. So it's really bad for business for them, obviously, de anonymization, that's another bad for business for them, because then everyone in the world, law enforcement, intelligence services, everyone in the world knows who they are. So they can no longer travel and they're at risk of being locked up by their own country, whether that's Russia or somewhere else.
B
Now, I asked that question because if we look at what's happening in the US Right now, and we're seeing what the US Government is doing to itself with all these mass firings, we think these layoffs at CISA and the FBI would probably embolden gangs again to become more aggressive. Since both agencies may be a little bit shorthanded in the foreseeable future, I.
A
Think that's potentially a concern to be worried about. But, I mean, the European agencies are definitely still very active. You've got Europol and the NDA, Dutch and German police. You know, they are, they are at full Capacity, really. And firing on all cylinders against these ransomware gangs without the US Though, you know, that would be a big hit to capabilities and just knowledge really. And unfortunately with these mass firings, a lot of those people who've dedicated their lives to law enforcement are going to be probably going to the private sector and working with all sorts of CTI vendors and other type of investigation companies. So it's not necessarily that the talent is lost, but it's just going to be hard to come by.
B
One particular line in the chat that drew my attention was the one about holding a meeting in the office. You know it. Since it's also on your report. We've seen several Russian icrime groups basically work as fake pen testing companies. Do you get a feeling from reading all these chats that Black Basta might be one of those groups or at least the top brass might work from the same place?
A
Yeah, that was a really interesting message I caught as well. And as there are other discussions of a so called office. Yeah, it is well known in sort of the ransomware research community that some ransomware gangs have, have in fact got their own sort of front company or actual office space to conduct meetings with the team or launch attacks from. Even back in 2022 we had the Conti leaks and I also analyzed those chat logs as well with a similar methodology that I'm using to go through these Ascension Health related chat logs. And again, there was mentions of an office, there was mentions of another team. There were. So if you feel, if you're, if you're another researcher and you're going through these chat logs yourselves, you need to pay attention to the fact that some of the conversations may seem like they abruptly end or pick up on on something that you're not quite sure. There's probably some conversations going on in real life in a physical office that aren't being captured here. And yeah, I mean, there's been examples of Evil Corp, as I mentioned earlier, they are known to have an office as well. And I think the Joe Tidy from the BBC even traveled to Russia and actually tried to, you know, call the Office and try and see if there was anyone in. I don't think anyone answered, but it was kind of a funny situation.
B
Now, ever since this leaked, there's been a few theories about why they leaked, why these chats leaked. Some have attributed these to one of the group's members leaking the chest because one of the main blockbuster leaders attacked Russian banks with a brute force attack. But this doesn't, doesn't actually sound well to me and I'll explain why. Based on what? Prodaft claimed the leak occurred weeks after the group kind of stopped attacks altogether. Like if you ask me, this has nothing to do with those attacks on Russian banks. This looks like good old reputation trashing. Maybe, maybe not even someone from inside the gang. Maybe a rival gang wants to trust the reputation of blackbast admins and kind of steal all their affiliates if you ask me. What are your thoughts on this? Did you look at why and who might have leaked this?
A
I haven't been able to really ascertain exactly who has leaked these files and shared them to Telegram and things. It is hard at the end of the day to try and and figure these things out if someone's not going to disclose it. I mean thinking back to other leaks I've analyzed, we had isoon and the isoon leaks was basically it could have only really have been done by an ex or current employee just due to the high level of access that they had. So whoever had managed to get into the Blackmaster Matrix server, which is a self hosted chat server. So you can't just managed to figure out how to find an invite and get in or something like that. It's not like a discord server of people coming and going. This is like a purpose built, end to end encrypted chatting server that they created just to launch their operations. They weren't using someone else's platform. Whether they patched all their vulnerabilities and so on managed to exploit it, that's another question. But it's unlikely that law enforcement would really dump the these messages to the public. They would probably more be more tactical and try and use it for sanctions and de anonymization and things themselves. So this like trying to do some sort of analysis of competing hypotheses and trying to discount different theories. You know, my gut feeling would be yes, there's some sort of insider someone who managed to get access or someone was part of the group, whether it was a Ukrainian researcher like the Conti Leagues or some sort of ex affiliate who's become, you know, trying to knock out one of their competitors. I think those are the sort of two most likely scenarios in this case.
B
Now that just also showed how quick the group went from oopsie, we did a bad thing to time to rebrand. What do you think? Rebranding is such a popular break window in case of emergency mechanisms for these groups. Does it actually give them some breathing room from authorities and researchers like you?
A
Yeah, I say it's quite funny because of who are the people who kind of interact with ransomware groups the most. If you think about it from a victim perspective, you have when a victim gets hit by a ransomware attack, you have the incident responders that come in, you have the cyber insurance that comes in, and they work together to try and figure out the situation and help the victim recover. Those are the types of people and organizations then cover ransomware gangs first, and then you. Eventually you'll have law enforcement involved, hopefully as early on as possible as most ransomware victims should contact law enforcement as soon as possible because they may have a decryptor and things as well. Right. But it's pretty. For a ransomware gang to do a rebrand, it's really hard. Well, I shouldn't say it's hard. It's actually, it's really hard for us to know, to take the time and figure out if they are connected to each other. Right. So from the time of Conti going down, shutting down, shutting off the leak sites and things to Blackbasta, Akira Royal, all these other brands popping up was pretty short, I think. Conti shut down in April and blackbasta appeared in April. So one method you can take is just purely by looking at leak sites. When one leak site goes down, which other leak site popped up recently and do they look kind of similar? Do they operate in a similar way? There's all sorts of ways you can tell that. But as a ransomware gang, it's not really that hard to do a rebrand, in my opinion. You know, all you do is change the kind of binary name. Well, if you want to make it really easy, you know, you could just change the leak site branding and you just change the HTML and css. It's not really that hard. But if you're truly trying to completely fool the security community, you know, security research community, for an extended amount of time, they have to retool everything. Basically, it comes back to this old adage of the pyramid of pain. It's really hard for attackers to change their behaviors. Their ttps, their tools are pretty much, you can track a malware binary based on the code that they've written. If the code hasn't changed much, you can find those technical overlaps. You can link them together that way. If they're using the same exploit and they're launching an intrusion against the network, the same way you can track them that way. It's really hard for attackers to ultimately change these ttps. And that's how, as researchers, we can track and make the connections between the sort of the original brand and the rebrand.
B
Now, at the time we're recording this threat, intel firm Kela also released a report on this leak. And if you haven't gotten to read it, the report also looks at a blkbasta intrusion. You looked at ncension, they looked at a Brazilian company, and just like you noticed it, they also noticed a gigantic dwell time in that case to like almost a month. Like, I know in your report you said blackbasta sat and Ascension Network for months before triggering their attack. This is what I found to be the most shocking part of the leak. Like, I know the leak also mentions the real name of one of the blackbast admins, but I actually found this the most shocking parts of the leak because the this goes against everything you know about ransomware gangs and all the recent infosec reports that say that ransomware gangs are the fastest in their attacks. From all your CTI experience of looking at ransomware gangs is blockbuster, just lazier than other groups. Do they have just very few affiliates? Do they have too many hacked networks and initial access points to deal with in a timely manner? What's going on here?
A
Yeah, good question. I think as a ransomware gang, they are. You have to kind of remember that there's kind of a skill limit to how good ransomware gangs are. A lot of them are reusing tools like Cobalt Strike, Mimi Cats, all this kind of credential harvesting and lateral movement tools that I've even managed to build the ransomware tool matrix. And there's dozens of ransomware gangs all using the same tools. So it's not actually that hard to stop a ransomware attack if you have the right tools in place and controls in place. However, if you're a ransomware game like Backbaster and you want to go after a very big target, then they have to be a little bit more methodical. They have to understand their target a bit better to try and get into the most critical system, such as the domain controller or the hypervisor or something like that, to really impact them and to really be able to hit them where it hurts so that they can't recover, including backups and things, and then stealing enough data as well. It takes time. So if you want to try and get into a really large organization, because then you can maximize your sort of ransom demand, then the adversaries need to kind of be a bit more methodical about it. And if anything, Blackmaster was pretty methodical, right? They had all these custom malware botnets that they're under the control. They had these interesting elaborate social engineering capabilities including vishing and this kind of stuff. And they actually have. They're pretty experienced operators. They've been part of Conti. You know, some of those operators have probably been running ransomware attacks for the last five, six years. So these guys know exactly what they're doing. They know how to do a ransomware attack. They're not amateurs. And that's probably why we see some of these longer dwell times or longer time to ransoms, from sort of reconnaissance to actually running the binary on target systems. Because they know it's worth the wait, right? They know it's worth. If we just methodically go from this endpoint to this one, we steal this data from this server, if we complete all these steps, then our chances of getting a multibillion dollar ransom are pretty high compared to amateurs who may just rdp a few things, move laterally, run ransomware and hope for the best.
B
Well, those were some really great insights. Thank you for your time today.
A
Thanks very much. Appreciate it.
Risky Bulletin Episode Summary: RBTALKS6 with Will Thomas on the Black Basta Leaks
Released on March 4, 2025
Introduction
In the sixth episode of Risky Bulletin (RBTALKS6), host Kathleen Campano engages in an in-depth conversation with cybersecurity expert Will Thomas. The focus of their discussion centers on the recent leaks of internal communications from the Black Basta ransomware group. These revelations shed light on the group's operations, decision-making processes, and the broader implications for cybersecurity and law enforcement.
Background on the Black Basta Leak
Kathleen Campano (B):
"I invited Will to have a chat about something that happened earlier this month when internal chats leaked from the Black Basta ransomware group..." [00:19]
The leak, attributed to an individual known as "bastawhisperer," exposed approximately 200,000 messages from Black Basta's internal Matrix chat server, covering a year of the group's activities from September 2023 to September 2024. Despite significant dissemination across hacking forums, Telegram, and Mega, the origin of the leak remains unidentified.
Will Thomas (A):
"It almost feels like you're some sort of government agency that's gained access to all of these internal communications..." [02:11]
Thomas emphasizes the unprecedented access researchers have to the gang's internal deliberations, offering a rare glimpse into their operational mindset.
Analysis of the Ascension Health Attack
One of the central topics discussed is Black Basta's ransomware attack on Ascension Health, a major U.S. healthcare provider. This incident occurred shortly after a similar attack on Change Healthcare, which had disrupted the U.S. medical system significantly.
Thomas:
"As the news was breaking about the attack, the ransomware gang was actually paying attention to that as the news broke and sharing it amongst themselves..." [02:19]
Initially, Black Basta viewed the Ascension attack as a lucrative opportunity, demanding ransoms upwards of $28.7 million. However, as the gravity of the situation became apparent—impacting millions of patients and critical healthcare operations—the group's internal communications revealed a shift from greed to regret.
Notable Quote:
"We are pen testers and not killers." [02:35] – Will Thomas
This statement underscores a moment of ethical introspection within the group, contrasting their criminal activities with their self-perception.
Ransomware Gangs' Fear of Authorities
The discussion delves into Black Basta's apprehension towards law enforcement agencies like CISA and the FBI. Thomas highlights how these fears influence the group's operational decisions, including the cessation of attacks on major targets to avoid severe repercussions.
Thomas:
"They [Black Basta] mentioned takedowns by the FBI of the various botnets that they interact with..." [10:46]
This fear extends to concerns about sanctions and de-anonymization, which can severely disrupt the gang's operations and reputation.
Campano:
"...they are really, really scared of US authorities now." [10:29]
The fear of legal consequences acts as a deterrent, prompting the group to adopt more cautious strategies in their ransomware endeavors.
Rebranding and Organizational Structure of Ransomware Groups
A significant portion of the conversation addresses the phenomenon of ransomware groups rebranding to evade detection and continue their illicit activities. Black Basta's quick pivot following the Ascension Health leak is emblematic of this trend.
Thomas:
"From Conti going down, shutting down, shutting off the leak sites and things to Black Basta, Akira Royal, all these other brands popping up was pretty short..." [18:40]
Rebranding allows these groups to maintain operational continuity despite setbacks. However, Thomas notes that while superficial changes are easy, altering underlying tactics, techniques, and procedures (TTPs) is challenging, enabling researchers to track and link different iterations of the group.
Notable Quote:
"If you do hit the wrong network, it can have real sprawling physical, real world impacts." [06:40] – Will Thomas
This highlights the tangible consequences of ransomware attacks, reinforcing the necessity for robust cybersecurity measures.
Implications for Cybersecurity and Law Enforcement
The episode concludes with reflections on the broader implications of the Black Basta leaks. Thomas suggests that while rebranding provides temporary relief for ransomware groups, persistent tracking of TTPs by cybersecurity professionals can mitigate their long-term efficacy.
Thomas:
"It's really hard for attackers to ultimately change these ttps. And that's how, as researchers, we can track and make the connections between the sort of the original brand and the rebrand." [18:40]
Additionally, Thomas cautions about potential vulnerabilities arising from workforce reductions in agencies like CISA and the FBI, which could embolden ransomware gangs if not addressed.
Campano:
"Now, if we look at what's happening in the US Right now, and we're seeing what the US Government is doing to itself with all these mass firings..." [12:46]
Overall, the episode underscores the dynamic interplay between ransomware operators and cybersecurity defenses, emphasizing the need for continuous vigilance and adaptive strategies.
Conclusion
The Risky Bulletin episode featuring Will Thomas provides a comprehensive examination of the Black Basta leaks, offering valuable insights into the operational intricacies of ransomware groups. By dissecting internal communications, Thomas illuminates the psychological and strategic factors influencing these cybercriminals, while also highlighting the critical role of cybersecurity professionals and law enforcement in countering such threats.
Notable Takeaways:
This summary is intended for informational purposes and reflects the discussions held in the Risky Bulletin podcast episode with Will Thomas.