Insights into the ransomware business: ChatGPT knows Black Basta's internals

The criminals behind the "ransomware as a service" operation have fallen out, and an insider has now published internal chat messages. They offer deep insights.


Data leak at Black Basta

(Image: Created with AI (Bing Designer) / cku)


The "Black Basta" ransomware has been quiet recently. The operators of the darknet leak site last published victims of their attacks in mid-January. As has now become known, this is apparently due to internal disputes. The brains behind the "Ransomware as a Service" (RaaS) operation were at odds over attacks on Russian banks, among other things, but apparently also resented one another over unequal shares of the loot. An insider has now leaked chat messages from the organization and published them. Researchers fed them to ChatGPT.

The unknown informant uploaded an archive of almost 50 MB to a file-sharing host; it provides insights into the structure of the "Black Basta" organization. Behind this name lies a business model that gives criminals access to the ransomware of the same name, as well as to infrastructure such as the so-called "leak site", in return for a fee and a share of the profits. The criminal subscribers to Black Basta, known as "affiliates", carry out attacks at their own risk. A commission, often a percentage of the ransom, flows back to the operators of the ransomware franchise. Many RaaS providers give affiliates rules about potential victims – Lockbit, for example, prohibits attacks on targets in CIS countries, citing the origin of the ransomware program. Affiliates of Black Basta apparently wanted to attack Russian banks out of greed, which was a thorn in the side of at least one player.


In addition to all kinds of minor and major disputes about salary payments and personal quarrels between Black Basta affiliates, the data leak also contains information that offers security researchers exciting insights into the technical internals of the program. Hudson Rock, a company specializing in threat intelligence, fed the LLM ChatGPT with all the information from the chat logs and built a ransomware chatbot from it.

In the familiar ChatGPT guise, the AI now answers all kinds of questions from the curious, such as which tactics the RaaS program uses most often or who the people behind the ransomware are. The chatbot also reveals details of the negotiations with victims. For example, the Black Basta affiliates appear to use portals such as ZoomInfo to look up their victims' turnover before entering into negotiations – and the criminals then pose as serious business people and argue with typical business phrases such as "cumulative end-of-year cash flow".

Thanks to a chat leak, ChatGPT now knows a lot about Black Basta and explains here how the ransom amount is calculated.

(Image: heise security / cku)

The ransomware chatbot is now available to answer questions – as is typical for OpenAI, registration is required.

Black Basta was one of the most popular RaaS products among criminals. The computer retailer Medion, which belongs to Lenovo, appeared on the leak site in December 2024, and business had been booming in the preceding years. In 2022 and 2023 in particular, Black Basta generated nine-figure revenues for its criminal users. The current data leak is not the first from a ransomware group: Conti's data and source code were already circulating online years ago.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.