
Inside Ransomware: Facts and Findings from the Blackbasta and Lockbit Leaks

BSides NYC · 2025 · 27:07 · 41 views · Published 2025-11
About this talk
Cory Wolff analyzes leaked internal communications from Blackbasta and Lockbit ransomware operations, examining organizational structure, negotiation tactics, and targeting methodology. Drawing on over 200,000 Matrix chat messages and victim negotiation records, the talk reveals how ransomware-as-a-service operations function as sophisticated businesses, from affiliate recruitment to long-term victim reconnaissance.
Transcript [en]

So, how's everybody doing today? Hope you're having a good Saturday. Juan is amazing, of course. Always is. Appreciate you all coming out. Just want to say thanks to all the organizers, Pierce. So, you're going to find out shortly here, I'm part of Red Team Village. Pierce is the village lead, who's been doing a great job, so I want to say thanks to him. I want to say thanks to Huxley, who's the lead organizer here, for all the work they do. There's a lot of time and effort and energy that goes into putting on a BSides. So just want to say thanks to everyone for showing up, thanks to the organizers for putting this on and making it happen. So we're a few minutes early, so this is just me killing a few minutes, but I think we'll get going.

For those of you that don't know me, my name is Cory Wolff. I am the director of offensive security at a cybersecurity consulting firm called risk3sixty. We're based just outside of Atlanta, technically Roswell, Georgia, but we're based in Atlanta. I'm director of offsec there. My team does all the red teaming, penetration testing. We also have a threat intelligence team that works under my division. You're good. Yeah. See, so I should have... this is actually the boring stuff of me just telling you who I am, so this is good. But yeah, director of offsec at risk3sixty, based in Atlanta. I'm also part of the core team of Red Team Village, which I mentioned just a few minutes ago. If you're not familiar with Red Team Village, we got our start at DEF CON. We've been at DEF CON now, I think the first year was 2016. Part of the core team there, I've been a part of that for the past four or five years. I'm the director of workshops and training. So, if you've ever submitted a talk or a workshop, I shouldn't say talk, actually a tactic or a workshop at Red Team Village, it's been myself and my team that's gone through those and put the scheduling together. We don't do talks at the village. We just do tactics, which are hands-on activities that you can do yourself, and then workshops, which are hands-on activities led by an instructor.

So, if you've seen the title, today we're going to talk through two leaks, one from Black Basta and one from LockBit. All the data that I'm going to talk about today, you can view for yourself. This is public information. Well, we released it publicly, so that you can go ahead and browse through this data yourself. We thought this was a good move because it's interesting for different researchers and different people to be able to go and see what this data looks like, what the threat actors are doing, and hopefully you can gain some of your own insights from it. Today we will talk through some of them, and I'm going to call out a couple interesting things that we saw.

So what happened? We got a pretty interesting look this year into some internal workings of two ransomware crews, Black Basta and LockBit. This is rare, because most of the threat intelligence that we have around these threat actors is typically based on intelligence like government intelligence reports, whether one of these threat actors is indicted or whatever it might be. We get information that way. The other way that we get information about these groups is when they just go on and brag, which they do a lot of, but when they go and brag on X or Telegram channels or wherever it might be, they brag publicly. But this year was very interesting because there were two big leaks. Now in 2023, there was a ransomware crew named Conti who in 2022 did approximately $200 million. They brought in about $200 million in 2022, and then in 2023 their internal group chat leaked, the chat messages were leaked. They disbanded, and most of them went on to form Black Basta, who we're going to talk about today. But it's a pretty big business. And the last time that we saw leaks of this magnitude was about 2023 with the Conti leaks.

So what happened? In February of this year, a Telegram user with the name ExploitWhispers went on to a Telegram channel and shared over 200,000 Matrix chat messages related to Black Basta internal communications. If you're not familiar with Matrix, you can think of Mastodon, for example. You host your own server, you can have chats, and that kind of thing. That's basically what Matrix is. We saw a lot of threat actors move to Matrix over the past few years. But what happened was that all of the messages, the internal messages, so their Slack group... Now, you've got to keep in mind a lot of these groups are 50, 100, 150 people. They're big, right? They're bigger than most small businesses. Again, going back to Conti, $200 million in revenue, we'll call it revenue, in 2022, they were a group of about 150 people, right? And so this Matrix server was essentially, for all intents and purposes, their Slack channel, their Slack server, right? That's what it was. Now, this user just kind of came out of nowhere and said, "Hey, here's 200,000 messages." They claimed that Black Basta had crossed the line by attacking Russian banks. So, if you're not familiar with this ecosystem, most of these ransomware crews are based in Russia. Most of them operate with immunity as far as Russia goes, with the caveat of don't touch Russian entities. And so they don't, right? They primarily target US and European organizations, and of course nothing happens because they're based in Russia. Russia doesn't press charges. They went after some Russian banks, and ExploitWhispers claimed that this was payback. Basically, you messed up, we're going to release everything. Same thing happened. So Conti, 2023, their chat messages were leaked, they disbanded, most of them went on to create Black Basta. In 2025, Black Basta's chats were leaked and they disbanded. Black Basta hasn't been active in a while. The people that were part of Black Basta, I'm sure are, but the group itself hasn't been active since May, I think. So, that's the first part of what happened. We don't get a lot of this intelligence, but this spring we got about 200,000 internal messages from Black Basta.

The second thing that happened this year, in May, LockBit... so LockBit has tons of sites. There's their blog where they release data, they talk about their victims; there's their admin panels; there's all kinds of different stuff. There's just straight websites that just host data. And then there's affiliate panels. So, again, for those of you that are not familiar, the way that ransomware as a service works is that there's a crew. In this case, we're talking about LockBit. They create a platform where anyone can sign up to be an affiliate and use their infrastructure, use LockBit's infrastructure, use their encryptors, use all their stuff to basically be a ransomware threat actor and ransom organizations. Conti again, $200 million in revenue roughly in 2022. About half of that revenue came from ransomware as a service, so them not actually performing the attacks but instead providing the infrastructure to do so. In May, LockBit's affiliate site was defaced and a link was included that went to an SQL dump of the database of this affiliate site. So, this included all kinds of good stuff. But at the end of the day, what it was is some threat actor had gained access to LockBit's affiliate site, defaced it, dumped the database, and included a link to it. This was actually the second time. So, I'm not sure how well you can see that, but the message says "Don't do crime, crime is bad, xoxo from Prague." Interestingly enough, another ransomware crew's website was defaced a few months before with the same exact message, "crime is bad." However, in that case, a link was not included to any sort of data related to the threat actor. With LockBit, it was. So the database included [sighs] quite a bit of information. It included a table of Bitcoin addresses, roughly 60,000 Bitcoin addresses related to affiliates. That's a lot. So, the way LockBit works is generally a little bit more advanced. LockBit was one of the first ransomware crews, might have been the first ransomware crew, to actually have a Linux encryptor. So most ransomware is done in Active Directory environments. It's Windows-based. LockBit was one of the first to do it for Linux. But if you sign up to be an affiliate with LockBit, you go into your account, and say you gained access to a victim, you go into your LockBit account and you do a new build for that specific victim, and there's different information tied to that build, the victim name of course, but one of the other things that would happen is it would spin up a new Bitcoin address, and it would spin up anywhere from 10 to 20 additional addresses for cleaning the Bitcoin, basically to put into a Bitcoin tumbler. So there's 60,000 Bitcoin addresses. A lot of them don't have anything in them. A couple of them did. But at the end of the day, they were tracking about 60,000 of them.

There were over 4,000 chats related to negotiation messages. So when an organization actually gets that "you've been ransomwared" message, it's game over. They've exfilled data. They've already done everything. There's nothing you can do, but that "hey, you've been ransomwared, go to this site," which basically is a chat portal for the victim to go and negotiate with the ransomware actor. This database had about 4,000 of those messages between victims and LockBit themselves, talking through negotiations. There were about 75 affiliate and admin accounts. There were some plaintext passwords in there. But there were about 75 affiliates. Builds and build configurations: so this is one where, again, if you had a new victim, or you had gained access to a victim and you were ready to perform ransomware in that network, you would go into the affiliate panel, you would do a new build, and it would spit out, depending on what you were doing, maybe a .NET assembly or an executable or whatever it is. These tables contained all the information related to those builds.

So, lots of good threat intelligence this year. LockBit and the federal government, specifically the FBI, if you're not familiar, went back and forth [clears throat] January to March, April or so. So they were going back and forth to where LockBit, the gentleman's name is LockBit, is the leader of the LockBit ransomware crew. He was doxed by the federal government. They put out his real identity. They put out pictures of him. They said he loves going to, I forget where, Starbucks or whatever. But they show that basically they knew who he was. They knew where he liked to frequent, what he did, all this kind of stuff. And he took that FBI wanted poster and put it on a t-shirt, so there's a couple Twitter posts out there. Point being is LockBit and a lot of intelligence agencies, but primarily the FBI, went back and forth for months until LockBit was actually taken down in a joint operation. A lot of their infrastructure was taken down, I think in May of this year. They came back again. Then their affiliate site was defaced. They've been gone for a little bit. And actually just last week I saw that LockBit, Qilin, [clears throat] and one other ransomware crew, the name is escaping me right now, but they basically have created a group that will share infrastructure, you name it. They're basically just like an industry trade group working together. Qilin is a Chinese ransomware actor, which is interesting, to see the actual Chinese ransomware crews and a Russian ransomware crew work together in a somewhat formal fashion. But that's what happened, and we got a lot of good intelligence out of this.

So, what we're going to talk about today for the next, looks like 15 minutes or so, is some facts and findings from this data, what actually happened, some insights that myself and my team got from this data, and what it looks like today.

Fact number one: it's incredibly easy to get started. So, I mentioned if you're an affiliate, you can go and sign up. LockBit is not the only crew to do this. The screenshot that you're looking at now is from their most recent LockBit 5.0 campaign, where they came back again for a fifth time. But in the screenshot, this is directly from their dark website, where it basically says send us 777, I think. Yeah, $777. Once we receive payment, you will get an account and you too can be a ransomware actor. It's incredibly easy to get started. So, if I wanted to be a ransomware actor tomorrow, I could do it. I'm not going to, but you know... Where's the camera? I'm not going to, but I could. It's incredibly easy. And this goes for any ransomware as a service threat actor. It's extremely easy.

They also do their research. So like I mentioned before, the data from Black Basta and LockBit is available for you to go look. But if we go and do a quick search of these Black Basta chats, there's basically, you probably can't see it too well, but there's 776 results in those Black Basta chats related to ZoomInfo. So does everybody know what ZoomInfo is? It basically gives you information on companies, their revenue, their employee count, you can see org structures. It's pretty creepy, but you can basically see everything about a company. And so, they're clearly doing their research. When they ransom an organization and they say, "We want $10 million," they're not just making that number up, right? They are doing their research. They are saying, "Okay, this company does X amount of dollars in revenue every year." It's very clear. I mentioned before that by the time that you see that message that your infrastructure has been ransomwared, it's too late. One of the things that they do before they actually deploy the ransomware is exfiltrate data. So they'll pull all the information and data that they can. Oftentimes that includes financial information. So they know how much your cyber insurance policy is going to pay out. They know how much actual revenue you did. They know everything. And so they're clearly doing their research, and ZoomInfo is a pretty big piece of that and one of their favorite things to look at, because it's a business, whether you like it or not. It's a business.

This one, not necessarily trying to stir up the whole security research debate, but the fact of the matter is that we are doing a lot of the work for them. They read blogs. They are doing the pentester path on Hack The Box. They are going for their OSCP. It's not a joke. They are paying attention to what we're doing. When we come up with some new technique and it's a viable technique, it's used in the wild very quickly. In this screenshot, you're seeing them talk about something called SharpShares.exe, which is a .NET assembly for, you guessed it, enumerating network SMB shares. They're using tools; SharpShares was made for penetration testing. In this one, they're talking about, this is a specific message of how to perform device code phishing with a toolset known as ROADtools. My team uses it all the time. It provides all kinds of different functionality with Azure and Entra. My team uses it all the time. This is an internal message from a ransomware crew saying this is how you perform device code phishing. You can use this tool to do everything, right. So they're paying attention to us. They're learning, just like anyone here who's trying to get into pentesting, for example. You're looking to try TryHackMe, Hack The Box. You're reading all these blogs. You're looking at all these YouTube channels. They're doing the exact same thing, because for them it's just a job, right? It's their version of pentesting, except in Russia.

Findings. So one thing that I thought was very interesting: I mentioned that there were 4,000 negotiation messages in the LockBit data, and one of them... the thing that you absolutely do not do is ransom a Russian entity. LockBit did by accident. So again, these are affiliates, remember, it's not always LockBit proper. But what had happened is, if you look at some of these messages, what you see them talking about is, you see this right screenshot: "More than an hour has passed without a response. What's the status of the issue? We need the decryption tool to proceed." Now, that's pretty straightforward for a victim to be talking like that. That's a message from the victim to LockBit. You never see victims talk like that. All right. The other thing to call out is that these are actually translated. So most of these messages from victims come in in English. These ones were not. These were in Russian. So this Russian language message that came in was pretty stern: "Hey, we've been waiting an hour, where are you?" And clearly, if you see the end there, "You have emphasized the importance of reputation and we believe you will uphold your commitment. The company's IT services are currently down and we need to restore operations as soon as possible." I mean, of course, everyone knows that, but for a victim to be saying this to the crew, you don't see that. In Russian language, mind you. If you continue through the messages here, you'll see LockBit himself. I hope everyone's over 18 here, right? "I am boss LockBit. Only me can decrypt your files. Wait, please." And then you basically see, it says "advert, are you targeted encrypted?" Basically, you targeted a Russian entity. And you can see at the very last message there, he's basically explaining, LockBitSupp, who's pretty tough to the FBI but not so tough to Russian entities, basically saying, hey, sorry, this was an accident, I'll decrypt it for you.

I mentioned that there's that builds table as well, which, if you go in and you're ready to perform new ransomware, you go into the affiliate panel, you do a build, blah blah blah. You can actually correlate these chat messages to the builds and see who they're talking about. And in fact, who they're talking about in this situation was this website, which happened to be a Russian entity responsible for roads and bridges, I believe, a specialized trust for the construction of bridges and embankments. So they accidentally performed ransomware on this Moscow-based government entity. So LockBit, the leader of LockBit, never goes into these negotiation messages. It's always some customer service rep, for lack of a better term, that's handling this. And in fact, if you look through the data, you'll even see in these conversations, when the victim says, "Hey, can you give me the decryption key?" the person at LockBit is saying, "Yeah, tech team isn't online right now. I'll get back to you tomorrow." It's literally like a customer service department. So, imagine you have an issue with customer support at Walmart and you're chatting to an online agent and the CEO of Walmart comes in and is like, "Hey, sorry, my bad. It's all right, we'll get you back. Don't worry about it." That's essentially what happened here. It was a pretty big mess up. And he knew that it was an issue, and so he did everything he could as quickly as possible to remediate it.

Last one here. So if you're familiar with the Ascension Health ransomware incident, it was a really bad incident, and it was carried out by Black Basta. They started to talk about Ascension Health in March of 2023. So, if we go again and look through these chat messages, you'll see some in there. You'll see in this one particular message, which there's a screenshot of, that they have a whole list of Ascension Health emails. They didn't do anything at that time. They were still kind of just figuring out what it was and what they're going to do. >> Excuse me. >> And then May of 2024, they were attacked and ransomed. So, for a full year, they might have not actually started the attack, but for a full year they had information on Ascension Health. They were paying attention to Ascension Health. If they came across anything on the greater internet or access to Ascension Health, they would hop on it. But the point is that they didn't just say, "Okay, let's go after Ascension Health," and then the next day they ransomware them, right? They didn't. They were paying attention at least for a year, maybe longer. Who knows? So, that's it in a nutshell. There's a lot more information here. This is just a quick overview of what kind of information is in there. Again, you can view this for yourself if it's something that you're interested in checking out. This is available for download, for searching, all that kind of good stuff. And that's all I got. [applause]

>> Two minutes early.
>> Yeah. What's up?
>> Is there any tiering system associated with the affiliates? You mentioned Ascension being a significant attack with a year's worth of research. Is there silver, gold, platinum tiers of affiliates?
>> In some cases. It's not formalized, at least I haven't... I mean, it might be. I haven't seen it formalized. But it usually has to do with the percentage cut of the ransom, because it depends on how much you get. Like a lot of times, typically it's 20 to 30%, where, like in this case, LockBit would get 20 to 30% of the overall ransom and the affiliate would get the rest.
>> Change Healthcare, that's not what happened. Change Healthcare paid $22 million. ALPHV took the money and ran and said sorry. And then BlackCat came back and said, nope, you paid them, you didn't pay us. You need to pay us again. And then Change Healthcare paid it again. Anyways, that's beside the point. Not to my knowledge, but they usually just get better.
>> It's implied that there's some sort of structure, but not formalized.
>> Not that I'm aware of. I mean, there might be, but I don't know.
>> I'm surprised the Russian victim actually worked. Do you have any thoughts about why that actually worked on the, like, keyboard detection, language detection?
>> Great question. My thought is that they probably don't even check, because if you're about to deploy ransomware, you know you're in a Russian entity, so why even check? I mean, they do that with, like, malware, like malvertising stuff and all that. Yeah. But that's a good point. My guess is they probably don't even bother because they're like, well, why are you even going to be running this in a Russian entity, you know?
>> I can see that there are a few more questions, but we have a hard stop. So, what I'm going to do is shut down the PowerPoint, but if you are available for questions after, you can just line up maybe on the side here and have a conversation.
>> Sounds good. Thanks everybody. [applause]