Black Basta's Leaked Chats Reveal How Ransomware Gangs Actually Get In
They're not hacking your firewall. They're buying your reused Netflix password for $10.
Key Takeaways
- Black Basta buys stolen credentials for $10-$200 rather than "hacking" firewalls
- Infostealers harvest every browser-saved password in milliseconds
- Time-to-Attack: One infected laptop led to a full ransomware deployment in just 6 months
- The Scale: 94% of passwords in modern breach databases are reused
- The Fix: Hardware-based MFA, password managers, and credential monitoring are the only reliable defenses
In February 2025, someone leaked 200,000 internal chat messages from the Black Basta ransomware gang. Security researchers have been picking through the wreckage ever since.
What they found should change how you think about cybersecurity.
Black Basta isn't some sophisticated hacking operation breaking through firewalls with zero-day exploits. They're running a business. And their primary supplier? Infostealer malware logs sold on criminal marketplaces for the price of a sandwich.
The $10 Attack Vector
The entry point isn't a vulnerability in your code. It's a vulnerability in human behavior.
The Infostealers: LummaC2 and Meduza
LummaC2 and Meduza are the workhorses of the credential theft economy. These are Malware-as-a-Service (MaaS) tools that specialize in one thing: browser exfiltration.
When a user accidentally executes a payload (often disguised as a software crack or a fake "browser update"), the infostealer targets the Chrome Login Data file.
Using the encryption key stored in the browser's Local State file, it pulls every:
- Saved username and password
- Session cookie (allowing for MFA bypass)
- Autofill credit card number
- Crypto wallet browser extension data
The resulting "log" is then uploaded to a command-and-control server and listed on marketplaces like Russian Market or 2Easy, where Black Basta operators buy them for the price of a sandwich.
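From the defender's side, the two files named above are the signal: Chrome itself reads Login Data, Local State and the cookie store constantly, but a freshly downloaded "crack" or "updater" never should. The following detection logic is an added example written for this article, not code from KELA, Cloudflare or any product. It runs over a constructed sample of file-access telemetry (the host, user, process and path values are invented), and the `EXPECTED_READERS` allowlist is a hypothetical starting point that a real deployment would tune to its own browser inventory.

```python
from collections import namedtuple

# Chrome keeps saved credentials, the key that protects them, and session
# cookies in these files under %LOCALAPPDATA%\Google\Chrome\User Data.
CHROME_CREDENTIAL_FILES = {"login data", "local state", "cookies"}

# Processes expected to touch those files in normal operation.
# Hypothetical allowlist: extend it with other Chromium-based browsers you ship.
EXPECTED_READERS = {"chrome.exe"}

FileEvent = namedtuple("FileEvent", "timestamp host user process path")

# Constructed sample telemetry (not real data): "timestamp host user process path".
# Paths can contain spaces, so the parser splits into at most five fields.
SAMPLE_EVENTS = """\
2023-03-02T09:14:05Z WS-SUPPORT-07 jsilva chrome.exe C:\\Users\\jsilva\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2023-03-02T09:14:06Z WS-SUPPORT-07 jsilva chrome.exe C:\\Users\\jsilva\\AppData\\Local\\Google\\Chrome\\User Data\\Local State
2023-03-02T09:21:44Z WS-SUPPORT-07 jsilva setup_crack.exe C:\\Users\\jsilva\\AppData\\Local\\Google\\Chrome\\User Data\\Local State
2023-03-02T09:21:44Z WS-SUPPORT-07 jsilva setup_crack.exe C:\\Users\\jsilva\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2023-03-02T09:21:45Z WS-SUPPORT-07 jsilva setup_crack.exe C:\\Users\\jsilva\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
2023-03-02T09:30:00Z WS-SUPPORT-07 jsilva explorer.exe C:\\Users\\jsilva\\Documents\\report.docx
"""


def parse_events(text):
    """Turn the whitespace-separated sample lines into FileEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 4)  # path is the last field and may contain spaces
        if len(fields) == 5:
            events.append(FileEvent(*fields))
    return events


def is_chrome_credential_store(path):
    """True if the path is one of Chrome's credential/cookie files inside its profile."""
    norm = path.replace("\\", "/").lower()
    if "/google/chrome/user data/" not in norm:
        return False
    return norm.rsplit("/", 1)[-1] in CHROME_CREDENTIAL_FILES


def find_suspicious_reads(events):
    """Return events where a non-browser process reads a Chrome credential store."""
    return [
        e for e in events
        if is_chrome_credential_store(e.path) and e.process.lower() not in EXPECTED_READERS
    ]


def summarize(hits):
    """Group flagged reads by process: {process: sorted list of file names touched}."""
    by_process = {}
    for e in hits:
        name = e.path.replace("\\", "/").rsplit("/", 1)[-1]
        by_process.setdefault(e.process, set()).add(name)
    return {proc: sorted(files) for proc, files in by_process.items()}


if __name__ == "__main__":
    for proc, files in summarize(find_suspicious_reads(parse_events(SAMPLE_EVENTS))).items():
        print(f"ALERT {proc} read Chrome credential files: {', '.join(files)}")
```

The rule is deliberately narrow: a single unexpected process reading Login Data and Local State within the same second is the access pattern the paragraph above describes, and it fires long before the resulting log is uploaded or sold. Pair it with the same check for Edge and other Chromium profiles, and treat a hit as a credential-reset event for every account saved in that browser.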
Black Basta operators then search these logs for something specific: credentials to corporate VPNs, RDWeb portals, Citrix gateways, or GlobalProtect instances. When they find a match, they don't hack anything. They just log in.
KELA's analysis of the leaked chats found roughly 3,000 unique credentials to sensitive resources being discussed. Cross-referencing these with their own threat intelligence confirmed what everyone suspected: these credentials came directly from infostealer logs.
A Real Attack, Start to Finish
The leaked chats gave researchers a front-row seat to an actual attack on a Brazilian software company. Here's the timeline:
March 2023: A technical support employee's machine gets infected with infostealer malware. The malware harvests their RDWeb login credentials along with 50+ other passwords.
March 2023: Those credentials appear in an infostealer log on a criminal marketplace. Nobody at the company knows.
October 16, 2023: Black Basta operators share the RDWeb login credentials in their internal chat. They purchased them from the log.
October 18, 2023: Attackers use the credentials to access the company's network.
October 20, 2023: Two days later, data is exfiltrated and ransomware is deployed. The company is publicly extorted.
Six months from infection to attack. Two days from initial access to ransom demand.
The scariest part? That same infostealer log contained credentials belonging to the company's clients. One infected laptop created a supply chain of potential victims.
What the Chats Reveal About Target Selection
Ransomware gangs don't pick targets the way most people assume.
They're not sitting in a room saying "let's go after Company X." They're shopping. They browse massive collections of stolen credentials, filter for ones that look like corporate access, then research which companies might actually pay.
The Black Basta chats show operators using ZoomInfo to profile victims after they've already found valid credentials. They're checking company revenue, employee count, and industry to figure out how much ransom to demand.
This is backwards from what security teams typically prepare for. The targeting happens after the compromise, not before.
The Tools of the Trade
The leaked chats reference a surprisingly familiar toolkit:
For reconnaissance:
- Shodan
- Fofa
- ZoomInfo
For exploitation:
- Metasploit
- Cobalt Strike
- Core Impact
For credential harvesting:
- LummaC2
- Meduza stealer
- Custom infostealer integrations built into their panel
The chats also reveal discussions about buying zero-day exploits when credentials weren't available. But that appears to be the backup plan, not the primary attack vector.
Why bother with expensive zero-days when $10 credentials work just as well?
The Password Reuse Problem (With Numbers)
I've been analyzing password security data for a while now. Earlier this year, I published research based on 50,000+ breached passwords that reached 355,000+ views on Reddit's r/cybersecurity.
The Black Basta leaks confirm what that research showed: password reuse is the actual vulnerability being exploited at scale.
When I analyzed the broader data for my State of Password Security 2025 report, the numbers were grim:
- 94% of passwords in a 19-billion password dataset were reused or duplicated (Cybernews, 2025)
- Only 6% of passwords were unique
- 54% of ransomware victims had credentials exposed in infostealer logs before the attack (Verizon DBIR, 2025)
- 46% of compromised systems with corporate credentials were non-managed devices (personal laptops, BYOD)
That last stat matters. Your corporate password policy is irrelevant if an employee uses the same password on their personal laptop, that laptop gets infected, and the credential ends up in a log.
Why Traditional Security Doesn't Stop This
Most enterprise security focuses on keeping attackers out. Firewalls. Intrusion detection. Endpoint protection.
None of that helps when the attacker has valid credentials.
From the network's perspective, a Black Basta operator logging in with stolen creds looks identical to the actual employee. Same username. Same password. Probably even the same geographic region if they're using a VPN exit node nearby.
The only defenses that actually work against this attack:
1. MFA that isn't bypassable. SMS codes get SIM-swapped. Push notifications get fatigue-attacked. Hardware keys and passkeys are significantly harder to defeat. The Snowflake breach happened specifically because MFA wasn't mandatory.
2. Credential monitoring. If you're not checking whether employee credentials have appeared in infostealer logs, you're flying blind. Services like SpyCloud, KELA, and even HaveIBeenPwned exist for this reason.
3. Unique passwords everywhere. Password managers aren't optional anymore. If an employee can't have a unique 16+ character password for every service, they will reuse passwords. It's not a character flaw; it's just how human memory works.
4. Managed devices only for corporate access. The 46% stat about non-managed devices should terrify any IT team. If you allow BYOD access to corporate systems, you're accepting that unmanaged endpoint security is your security.
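Credential monitoring (point 2) and unique passwords everywhere (point 3) can both be checked without ever sending a password off the machine. Have I Been Pwned's Pwned Passwords service works on a k-anonymity model: the client sends only the first five hex characters of the SHA-1 hash and receives every known suffix for that prefix with a breach count. The code below is an added example, not part of the article or of HaveIBeenPwned's own tooling. `fetch_range` calls the real `api.pwnedpasswords.com/range/` endpoint; everything else runs offline against `SAMPLE_RANGES`, a constructed stand-in for one API response whose counts are invented (the suffix for "password" is its real SHA-1 suffix, the count is not). The three sample credentials are constructed as well.

```python
import hashlib
import urllib.request
from collections import defaultdict

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API's reply to prefix 5BAA6. The real reply uses
# the same "SUFFIX:COUNT" lines but has hundreds of them; counts here are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2D0EB4A1F7E8B6C3D5E9F0A1B2C3D4E5F:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F00D1B0CE7B3A4F1E2D3C4B5A6978877AA:17\r\n"
    ),
}

# Constructed sample: (service, username, password). Two accounts share a password.
SAMPLE_CREDENTIALS = [
    ("vpn.example.com", "jsilva", "password"),
    ("streaming-site", "jsilva", "password"),
    ("hr-portal", "jsilva", "v7!Qz-long-unique-passphrase-9381"),
]


def hash_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup: only the 5-character prefix leaves the machine."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_range_lookup(prefix):
    """Offline substitute for fetch_range using the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


def exposure_count(password, range_lookup=fetch_range):
    """Number of times this password appears in known breach corpora (0 if unseen)."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def audit_credentials(credentials, range_lookup=fetch_range):
    """Report services whose password is breached and groups of services sharing one password."""
    exposed = []
    by_hash = defaultdict(list)  # compare hashes, never keep plaintext around
    for service, _user, password in credentials:
        if exposure_count(password, range_lookup) > 0:
            exposed.append(service)
        by_hash[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(service)
    reused = [services for services in by_hash.values() if len(services) > 1]
    return {"exposed": exposed, "reused": reused}


if __name__ == "__main__":
    report = audit_credentials(SAMPLE_CREDENTIALS, offline_range_lookup)
    print("breached password in use at:", report["exposed"])
    print("same password shared by:", report["reused"])
```

In the sample, the VPN account and a personal streaming account share a password that is already in breach data, which is exactly the combination the Brazilian case above turned into a ransomware incident. Run with `fetch_range` instead of `offline_range_lookup` to query the live service; the prefix-only query means the check can be wired into a password-change hook without disclosing the candidate password.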
The Uncomfortable Truth
We spend $180 billion annually on cybersecurity. Yet the number one way ransomware gangs get into corporate networks is by purchasing credentials that employees reused across personal and work accounts.
The Black Basta leaks didn't reveal some sophisticated new attack technique. They revealed that the boring stuff (password hygiene, MFA, credential monitoring) is what actually matters.
Your fancy next-gen firewall isn't stopping someone who's logging in with real credentials they bought for $10.
This article is based on data from the State of Password Security 2025 report, which analyzes findings from Verizon's DBIR, IBM's Cost of a Data Breach report, Cybernews, and original research on 50,000+ breached passwords.
Sources
- KELA Cyber: "Inside the Black Basta Leak: How Ransomware Operators Gain Access"
- SpyCloud: "Exposed Credentials & Ransomware Operations"
- Cloudflare Threat Intelligence: "Black Basta's Blunder"
- Verizon 2025 Data Breach Investigations Report
- Cybernews Password Leak Study 2025