Black Basta Leak: New Findings Reveal Victim Details
Updated March 7, 2025.

Last week, we issued a new report on Black Basta’s leak exposing their inner workings.
As expected, since publishing our report, KELA’s Cyber Intelligence Center has new information and analysis on victim selection in Black Basta’s reconnaissance strategies.
KELA discovered that at least 11% of the ZoomInfo links shared in Black Basta communications were later associated with companies that appeared as confirmed ransomware victims, such as ZircoDATA, Beko Technologies, Duty Free Americas, Fortive Corporation, Peco Foods, and many more. Of note, the average number of days between when a victim’s ZoomInfo profile was first discussed in Black Basta’s internal chats and when they were posted on the ransomware blog is approximately 75 days.
Over the years of Black Basta’s activity, KELA has tracked over 600 ransomware victims of this group, with nearly 60% based in the U.S., followed by 12% in Germany, 8% in the U.K., and 7% in Canada. Industry-wise, one in four victims belonged to the manufacturing sector, while nearly one in five were in professional services. In Black Basta’s leaked chats, KELA identified at least 368 companies that had their ZoomInfo profiles referenced, and roughly 42 of those companies (11%) were later confirmed as breached.
Tracing an Attack: From initial access on sale to a ransom attack
Initial access
On February 5, 2024, the first discussion of the Australia-based company ZircoDATA appeared, with information about its Citrix environment and cloud infrastructure, as well as credentials. It included a link to a ZoomInfo business profile of ZircoDATA, mentioning ~663 PCs, suggesting potential reconnaissance or enumeration activities.
A message sent in the Black Basta chats on February 5, 2024
Interestingly, only several days before, on January 24, 2024, access to ZircoDATA was offered for sale by the threat actor ‘crypmans’ on the Exploit forum. KELA had previously identified the victim based on the match between the actor’s description and publicly available information about the company. The actor specified the access as RDP and claimed the same number of PCs, possibly meaning that this access was bought by Black Basta to start their attack. The access was offered for sale in auction form, starting with a bid of USD 1,500, and was sold on the same day.
Lateral movement
Within two hours after ZircoDATA was first discussed by Black Basta, additional ZircoDATA credentials were shared, apparently for different users of the same asset. Only six hours later, another Black Basta member shared the same message with the remark “DONE”, potentially meaning the gang had successfully gained initial access to the network. Over the following days, the attackers shared multiple ZircoDATA credentials for various services.
On February 8, the attackers discussed the need to prepare a blog post to threaten the victim, signalling that the data exfiltration and ransomware deployment had been completed.
Claiming the attack and leaking the data
On February 22, 2024, ZircoDATA was published as a victim on Black Basta’s blog, probably after failed negotiations. In their blog posts, Black Basta was seen boasting about stealing 395GB of ZircoDATA archives. In May 2024, it was revealed that data included 4,000 documents from Monash Medical Center, including records related to family violence and sexual support clinics, and 60,000 documents related to students of Melbourne Polytechnic.
Black Basta claims ZircoDATA as a victim
Recommendations
This example highlights how monitoring network access sales can help prevent a bigger attack.
Despite KELA’s efforts to date, organizations can still be at risk. If you want to confirm whether your company was featured in Black Basta’s chats, please reach out to our KELA team.
The Black Basta report is also available here, and next week you can join an exclusive webinar, where Irina Nesterovsky, Chief Research Officer, will break down Black Basta’s latest tactics, their attack playbook, and what you can do right now to stay ahead. Registration link coming soon.