Cyber Threats Barometer

Highlight of the month
On February 11, 2025, a major leak of internal messages exposed the inner workings of the ransomware group Black Basta. Published anonymously on Telegram, these internal exchanges, covering a period of one year, provide an unprecedented insight into the group’s tactics, techniques and procedures (TTPs). This event marks a turning point in the fight against cybercrime, offering cybersecurity analysts valuable information on the operating methods of one of the most active groups in the ransomware sphere.
Analysis of the leaked documents highlights several key elements, including target selection. Black Basta favored highly profitable companies in the financial, legal and healthcare sectors, but also targeted critical infrastructure and technology companies. Targeted organizations include Hyundai Motor Europe (automotive), Rheinmetall (defense), Capita (IT services) and BT Group (telecommunications). These strategic choices demonstrate a willingness to exploit multiple sectors to maximize financial gains.
The messages reveal that the group relied on specialized tools such as Cobalt Strike, while exploiting known vulnerabilities in critical technologies such as Citrix, Fortinet and Microsoft. Particular attention was paid to recently disclosed flaws, allowing attackers to maximize their impact before patches were applied. This proactive approach highlights the technical sophistication of Black Basta and its ability to quickly adapt its methods to the opportunities offered by emerging vulnerabilities.
Internal exchanges also highlight growing tensions within the group. Strategic differences over attack methods and the distribution of ransom payments are documented. For example, some operators diverted ransom payments without providing the decryption tools to the victims. These internal conflicts are reminiscent of those observed within the Conti group, whose communication leaks precipitated its decline. However, it is too early to say whether Black Basta will suffer the same fate or restructure.
[Chart: Top common vulnerabilities & exposures (%)]
[Chart: Top targeted business sectors (%)]
Definition of the month
Tactics, Techniques & Procedures (TTPs) refer to all the methods used by a malicious actor to carry out an attack, from initial access to the execution of its objectives.
- Tactics represent the “why” of an attack, i.e. the objectives sought by the adversary (e.g. persistence, lateral movement, data exfiltration).
- The techniques describe the “how”, i.e. the means used to achieve these objectives (e.g. credential theft, exploitation of vulnerabilities, abuse of legitimate system tools).
- The procedures detail the specific implementations of a technique observed in real attacks.
TTPs are a central concept in Threat Intelligence, used in several models such as the Pyramid of Pain, where they sit at the top as the indicators that are most costly for an attacker to change. MITRE ATT&CK relies on this principle to structure and classify adversarial behaviors in a detailed knowledge base.
In the case of Black Basta, the leak of internal exchanges highlighted several TTPs, including the exploitation of zero-click vulnerabilities (Microsoft Outlook, Juniper SRX firewalls) to compromise systems without user interaction, the use of Mimikatz for password extraction and privilege escalation, and the use of Cobalt Strike and VPN proxies to ensure persistence and lateral movement within compromised networks.
[Chart: Top malware families (%)]
[Chart: Top threat categories (%)]
About the Cyber Threat Barometer
Malware, critical vulnerabilities, advanced persistent threats, industries particularly targeted, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than 4000 data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.
