Leaked Chats Expose How Stolen Passwords and 2FA Codes Fuel Ransomware Attacks
A leak of 200,000 internal chat logs from the Black Basta ransomware gang has exposed how stolen passwords and 2FA codes play a crucial role in their attacks. Analysts believe the leak may have originated from an insider, a cyber-vigilante, or a covert law enforcement operation. The logs reveal that Black Basta’s members were previously involved in other major cybercrime groups like Conti, Ryuk, and TrickBot.
The gang primarily gained access through compromised RDP, VPNs, and security portals, with infostealer malware being a key source of credentials, some of which were used months after they were stolen. Large-scale phishing campaigns against Microsoft services harvested not only passwords but also session cookies, which let the attackers bypass MFA, while stolen credentials were fed into brute-force attacks against VPN and firewall products, including Citrix and SonicWall. Operating like a business, Black Basta formed partnerships with other ransomware groups, selected victims based on financial data, and even monitored cybersecurity reports to track its reputation. Experts warn that without stronger security measures, such as rapid patching, tighter access controls, and swift incident response, organizations will remain vulnerable to ransomware threats.

A recent leak of internal chat logs from the Black Basta ransomware gang has provided valuable insight into how these cybercriminals operate. The leaked messages, spanning a year up to September 2024, reveal that Black Basta heavily relied on stolen passwords and two-factor authentication (2FA) codes to launch attacks. Analysts suggest that the leak could have been the work of a disgruntled member, a cyber-vigilante, or even a covert law enforcement operation.
According to Alexander Martin of Recorded Future News, many individuals behind Black Basta were previously involved with other notorious cybercriminal networks, including Conti, Ryuk, and the TrickBot banking trojan. Several of these members have already been sanctioned, with law enforcement agencies continuing to monitor their activities.
Threat intelligence firm KELA conducted a detailed analysis of the logs, uncovering that Black Basta primarily gained initial access to targets through compromised Remote Desktop Protocol (RDP), VPNs, and security portals. Stolen credentials from infostealer malware were a crucial element in these attacks. One case involved an attack on a manufacturing company in Brazil, where credentials stolen six months earlier were used to breach the system. After the attack, these credentials were shared multiple times in various Telegram channels, potentially leading to further compromises.
Ontinue’s Advanced Threat Operations team also reviewed the data, finding that Black Basta used large-scale phishing campaigns to intercept login credentials and session cookies for Microsoft services like Office 365 and Azure. Because a session cookie is issued only after the victim has completed MFA, replaying the stolen cookie gives the attacker an authenticated session without ever having to pass the MFA challenge themselves. The gang also leveraged stolen credentials in brute-force attacks against VPNs and firewall solutions, including Citrix, Check Point, SonicWall, Pulse Secure, and GlobalProtect.
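The two access patterns described above leave distinct traces in authentication logs: a session cookie issued after an MFA sign-in that is suddenly used from a different client, and a single source address failing against many accounts on a VPN portal in a short window. The following detection logic is an added example written for this article, not code from Black Basta, Ontinue, or any vendor; the log records are constructed, and the field names (`session`, `mfa`, `result`, and so on) are assumptions rather than any product's real schema.

```python
"""Detect (1) replay of an MFA-issued session from a different client and
(2) password spraying against a VPN portal, over constructed log records.
Field names and all events are assumptions for the example, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider sign-in events. "mfa" marks the event that
# completed an MFA challenge; later events on the same "session" reuse its cookie.
SIGNIN_EVENTS = [
    {"ts": "2024-06-03T08:00:00", "user": "alice", "ip": "203.0.113.10",
     "ua": "Edge/124 Windows", "session": "S1", "mfa": True, "result": "success"},
    # Same session cookie, minutes later, from a new IP and browser: replay.
    {"ts": "2024-06-03T08:07:00", "user": "alice", "ip": "198.51.100.77",
     "ua": "Chrome/125 Linux", "session": "S1", "mfa": False, "result": "success"},
    {"ts": "2024-06-03T09:00:00", "user": "bob", "ip": "203.0.113.11",
     "ua": "Edge/124 Windows", "session": "S2", "mfa": True, "result": "success"},
    # Benign: bob's cookie reused from the client that completed MFA.
    {"ts": "2024-06-03T09:30:00", "user": "bob", "ip": "203.0.113.11",
     "ua": "Edge/124 Windows", "session": "S2", "mfa": False, "result": "success"},
]

# Constructed VPN portal events: one IP fails against twelve accounts in twelve
# minutes, then succeeds against one of them; a normal user mistypes once.
VPN_EVENTS = [
    {"ts": f"2024-06-04T02:{i:02d}:00", "user": f"user{i:02d}",
     "ip": "192.0.2.5", "result": "fail"}
    for i in range(12)
] + [
    {"ts": "2024-06-04T02:13:00", "user": "user07", "ip": "192.0.2.5", "result": "success"},
    {"ts": "2024-06-04T02:05:00", "user": "carol", "ip": "203.0.113.40", "result": "fail"},
    {"ts": "2024-06-04T02:06:00", "user": "carol", "ip": "203.0.113.40", "result": "success"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_session_replay(events):
    """Return (user, session, ip, ua) for every successful non-MFA sign-in whose
    session was issued by an MFA sign-in from a different IP or user agent."""
    issued = {}  # session id -> (ip, ua) of the client that completed MFA
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        if e.get("mfa"):
            issued[e["session"]] = (e["ip"], e["ua"])
            continue
        origin = issued.get(e["session"])
        if origin is not None and origin != (e["ip"], e["ua"]):
            alerts.append((e["user"], e["session"], e["ip"], e["ua"]))
    return alerts


def detect_password_spray(events, window=timedelta(minutes=10), min_users=8):
    """Return {ip: sorted distinct users targeted} for source IPs whose failed
    logins hit at least min_users distinct accounts within one sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]].append((parse_ts(e["ts"]), e["user"]))
    hits = {}
    for ip, rows in fails.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({u for _, u in rows[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in rows})
                break
    return hits


def successes_from_spraying_ips(events, spray_hits):
    """Map each spraying IP to accounts that signed in successfully from it,
    i.e. credentials the spray (or a stolen credential list) actually found."""
    found = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["ip"] in spray_hits:
            found[e["ip"]].append(e["user"])
    return dict(found)


if __name__ == "__main__":
    print("session replay:", detect_session_replay(SIGNIN_EVENTS))
    spray = detect_password_spray(VPN_EVENTS)
    print("spraying IPs:", {ip: len(u) for ip, u in spray.items()})
    print("accounts compromised:", successes_from_spraying_ips(VPN_EVENTS, spray))
```

The replay check deliberately compares the cookie-bearing request against the client that completed MFA rather than against the user's "usual" location, which is what makes it catch the phishing case: the victim's own MFA-backed sign-in looks normal, and only the second use of that session from the attacker's infrastructure stands out. The spray check keys on distinct accounts per source rather than failures per account, since a spray keeps per-account failures below lockout thresholds by design.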
Saeed Abbasi of the Qualys Threat Research Unit emphasized that Black Basta operated like a business, forming strategic partnerships with other ransomware groups, selecting victims based on financial data, and even monitoring their reputation in cybersecurity reports.
He warned that unless enterprises adopt rigorous patching strategies, tighten access controls, and implement rapid incident response protocols, ransomware gangs will continue to thrive. Organizations must prioritize proactive security measures, including continuous network monitoring, employee cybersecurity training, and the deployment of advanced threat detection systems. Multi-factor authentication (MFA) alone is no longer sufficient: push, SMS, and one-time-code MFA can all be phished, and attackers increasingly exploit stolen session cookies and authentication tokens that are issued after the MFA step has already been passed. Phishing-resistant methods such as FIDO2 security keys or passkeys, which bind the login to the legitimate site, together with short session lifetimes and alerting on tokens reused from a new device or location, close much of that gap. Regular security audits, zero-trust architecture, and timely software updates can significantly reduce the risk of ransomware infiltration. Additionally, businesses should establish robust backup and disaster recovery plans to mitigate damage in the event of an attack.