Ransomware Gang Leak Shows Stolen Passwords, 2FA Codes Driving Attacks
www.forbes.com
Stolen passwords and 2FA codes are driving ransomware attacks. Getty

Google recently warned that it's about time we started treating cybercrime as a national security threat. If you want to know why, then look no further than the ongoing chaos caused by ransomware gangs, from data theft and exposure to ever more ominous warnings to business from the FBI. It's not often that we get to look inside the operation of a ransomware attacker, however, but that's the opportunity presented by the leak of private internal chat logs from the Black Basta crime group. Here's what threat intelligence analysts are saying.

The Black Basta Chat Log Leak Reveals How Ransomware Gangs Work

Although it is far from clear as to the motive or process behind the leaking of some 200,000 private messages shared between members of the Black Basta ransomware group on the Matrix messaging platform, spanning the 12 months up to Sept. 2024, several theories have been put forward, from a disgruntled member to a cyber-vigilante and even covert law enforcement action. What we do know is, as Alexander Martin, U.K. editor at Recorded Future News, notes, that several of the crew behind the Black Basta scheme were part of a criminal network that had formerly operated the Conti and Ryuk ransomware brands, as well as the TrickBot banking trojan. A dozen of these people have already been sanctioned by Western law enforcement, Martin said, which is understood to have continued to monitor their activities.

Unsurprisingly, threat intelligence agencies have been having a field day analyzing the chat logs, and the results have started to emerge. KELA, for example, has completed a deep dive into Black Basta and has now published its findings. The key takeaway is that when it comes to initial access, the first step in any successful ransomware attack, Black Basta primarily looked to compromised Remote Desktop Protocol, VPNs and security portals.
Given the success of infostealer malware in obtaining compromised credentials across platforms and services, it's no surprise to learn that this also played a key role. In one attack analyzed by KELA threat intelligence experts, credentials that had been stolen six months prior were used for initial access. This is not so much evidence that ransomware groups will play the long game, but rather that infostealer logs are patiently compiled and later sold into the criminal market. KELA described the data as a treasure trove of usernames, passwords, and authentication data for various services. When it came to that particular attack, against a Brazil-based company from the manufacturing and industrial products sector, KELA analysts said that they found 50 compromised credentials apparently from a technical support employee infected by infostealer malware. After the attack, the KELA report warned, the same credentials were shared more than 20 times in various Telegram channels, allowing additional compromise if the access was not secured following the incident.

Phishing And Brute Force Used By Ransomware Attackers

Ontinue's Advanced Threat Operations team has also analyzed the data from the Black Basta leak and found that large-scale phishing campaigns targeting Microsoft services like Office 365 and Azure were used to intercept login credentials and session cookies, bypassing MFA protections.
Credentials from infostealer logs were also used in brute-force attacks against VPN and firewall products including Citrix, Check Point, SonicWall, Pulse Secure, ScreenConnect, GlobalProtect, Juniper Secure Connect, RDP and RDWeb, the report said.

Meanwhile, Saeed Abbasi, a manager at the Qualys Threat Research Unit, has warned that Black Basta operated as a business, albeit a criminal enterprise, with operations prioritizing strategic partnerships with other ransomware groups to share intel, revenue-based targeting using industry tools to select victims based on available financial data, and even reputation monitoring in cybersecurity reports to see what defenders and competitors thought of their business operation. Understanding the business-like nature of cybercrime is critical for defenders, Abbasi concluded: These actors think strategically, adjust to market conditions, and even deal with internal conflicts, just like any legitimate enterprise. Unless enterprises embrace immediate patching strategies, tighter access controls and rapid incident response protocols, the fight against ransomware could be over before it begins.
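The two initial-access patterns the KELA and Ontinue analyses describe, credential stuffing against VPN and remote-access portals with infostealer-sourced passwords, and successful logins on accounts whose leaked credentials were never rotated, both leave traces in portal authentication logs. The following detection sketch is an added example, not code from the article or from either vendor; the log format, the sample events and the set of leaked-but-unrotated accounts are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample VPN-portal authentication events, one per login attempt
# (not from the article or any real vendor log format).
SAMPLE_LOG = """\
2024-09-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-09-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-09-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-09-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-09-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2024-09-01T10:00:06Z src=203.0.113.7 user=support1 result=OK
2024-09-01T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2024-09-01T10:05:30Z src=198.51.100.9 user=alice result=OK
"""
# Constructed set of accounts seen in infostealer logs whose passwords were not
# reset afterwards (hypothetical output of a credential-monitoring feed).
LEAKED_NOT_ROTATED = {"support1"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def detect_credential_stuffing(events, min_failures=5, min_users=3):
    """Flag sources spraying many failed logins across many distinct accounts."""
    failures, users = defaultdict(int), defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items()
            if failures[src] >= min_failures and len(u) >= min_users}

def detect_leaked_credential_logins(events, leaked_accounts):
    """Flag successful logins by accounts already present in infostealer logs."""
    return [(e["ts"], e["src"], e["user"]) for e in events
            if e["result"] == "OK" and e["user"] in leaked_accounts]

def run(log_text=SAMPLE_LOG, leaked=LEAKED_NOT_ROTATED):
    events = parse(log_text)
    return {"stuffing": detect_credential_stuffing(events),
            "leaked_logins": detect_leaked_credential_logins(events, leaked)}

if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

The second detector is the one that catches the six-month-old credential reuse KELA describes: it fires on a successful login, not a failed one, so it only works if the organisation actually tracks which of its accounts have appeared in stealer logs and which have since been reset.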