Chat

Negotiation chat with different groups

Akira

Avaddon

Avos

Babuk

BlackBasta

BlackMatter

Cloak

Conti

Darkside

Dragonforce

  • 058f4b92-ae99-45c7-bf35-5d2d6754b3de – 19 message(s) voir chat
  • 05f724f8-906e-4739-8177-815852cc2c3f – 29 message(s) voir chat
  • 29BBE03074FDBB8D – 10 message(s) voir chat
  • 7A313D13EB6B4E58 – 32 message(s) voir chat
  • 89716D29D2CEE36F – 23 message(s) voir chat
  • AB0404E049514B50 – 28 message(s) voir chat
  • BD004D632D87DBA0 – 25 message(s) voir chat
  • C2A3C7249797F5ED – 66 message(s) voir chat
  • C42CDF65B97D0E92 – 30 message(s) voir chat
  • C7CD31EAAF9DE9AC – 71 message(s) voir chat
  • C8479B30418B331E – 4 message(s) voir chat
  • D6DDD9B26D7D41DB – 14 message(s) voir chat
  • FDA8141B6DD392E3 – 10 message(s) voir chat
  • b8e14e1a-548f-4eec-bd6e-a590126e57c9 – 14 message(s) voir chat

Hive

Hunters International

Mallox

NoEscape

Pear

Qilin

  • 20240429 – 3 message(s) voir chat
  • 20250203 - from @RakeshKrish12 – 36 message(s) voir chat

REvil

RansomHub

Ranzy

RunSomeWares

fog

lockbit3.0

mount-locker

trinity

Victim 17:14
Hello, we were told to come here
Black Basta 07:51
Hello. Who are you in this company? What is your position?
Victim 12:25
Im an admin. I was assigned to communicate with you.
Black Basta 13:38
Do you need a private chat?
Victim 15:51
This is a private chat. Only I have access to this
Black Basta 15:54
We are Black Basta Group. We are here to inform that your company local network has been hacked and encrypted. We've downloaded over 110GB of a sensitive information and data from your network.
Check your page in our blog. Right now we're keeping it secret. However, if we don't come to an agreement within 10 days, it'll be posted on our news board.
We will let everyone who wants to connect to your network and get all the necessary data from your.
Decryption price is $400,000. In case of successful negotiations we guarantee you will get:

1) Decryptor for all your Windows machines;
2) Non recoverable removal of all downloaded data from our side;
3) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future.

Hope you can correctly assess the risks for your company.
You can find more information about Black Basta Group in Google.
Victim 18:36
Thank you for this information. I will be in touch
Black Basta 19:17
okay
Victim 14:58
you have 110GB of our data? what data is it?
Black Basta 15:49
Wait please, we'll send you the list of your taken data.
Black Basta 16:01
Download file: [redacted].rar
Black Basta 16:02
You can choose any 5 file names from this list and we will send them to you, like a proof.
Victim 14:04
ok thank you we will take a look
Black Basta 14:05
okay
Victim 15:00
does this list represent all of the data you took?
Black Basta 15:08
Yes, this is full list.
Victim 14:14
Here are the files that leadership has requested: Paperless\EMAILS 2020-2022\Congratulations [redacted].msg
Vol4\CL\[redacted]Files\[redacted] - Notice of Substitution.docx
Vol4\CL\[redacted]\[redacted] Plaintiff Expert Materials\[redacted]\Floormat recall.pdf
Vol4\CL\7777\031\[redacted]\[redacted]\footballpressboxlist.pdf
Vol4\USER\[redacted]\XMAS\Christmas 2004\Holiday Name Tags Template2.doc
Black Basta 14:15
Wait please.
Black Basta 14:27
Download file: [redacted].rar
Black Basta 14:27
These are requested files.
Victim 13:41
Ok. We are having internet issues. Everyone is working from different locations. I will give these to leadership to review. No one will be back until Monday. I will write you then
Black Basta 13:43
Understood. Wait you on Monday.
Victim 13:18
How do we know that your decryptor will work for our systems?
Black Basta 14:14
You can send some encrypted files, we decrypt them and send back to you. But these files must be unimportant.
Victim 16:37
Ok, I will have leadership choose some files.
Black Basta 16:53
okay
Victim 14:17
Download file: [redacted].jpg
Victim 14:17
Download file: [redacted].doc
Victim 14:18
Here are two files that leadership chose.
Black Basta 14:21
Wait please.
Black Basta 14:31
Download file: [redacted].jpg
Black Basta 14:31
Download file: [redacted].doc
Victim 14:55
Ok, I will show these to leadership and will be back in touch with you
Black Basta 14:56
We'll in touch.
Victim 13:46
My leadership has a meeting scheduled with the board on Monday afternoon. Before that meeting, is there any cost breaks that you could provide us? This event has had a significant impact on our company.
Black Basta 15:09
10% discount for you and we close the deal.
Victim 13:53
Ok, I will provide this to my leaders and I will be back in touch on Monday afternoon.
Black Basta 15:39
Okay, we'll be in touch.
Victim 20:33
Our leadership wants this to come to an end for both of us so we can get back to normality. They would like to offer $39,250 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please accept this offer so we can move on.
Black Basta 20:36
Are you seriously? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it.
Black Basta 16:36
We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver's license ([redacted] and many others), their SSN, DOB, addresses and phone numbers, your NDA, confidential agreements, financial documents and other documents can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you to think better and make the worthy offer.
Victim 17:18
What is meager to you, is not to us. Since this event we are struggling to get operational and have experienced tremendous losses. Leadership is prepared to offer $44,990 with all fees included. This would include the decryptor with any assistance we may need with it, proof that all our data has been removed from your systems and deleted with the promise not to ask for any additional money for anything after payment is received, a detailed explanation on how you got into our systems, and the promise to never attack us again. Please consider this offer as we are trying to get our business back operational.
Black Basta 17:43
We are ready to help restore all your systems and files to their original state very quickly, but the minimum amount we can accept is $150k. Less payment is not possible. Therefore, tell your manager if he wants to make a deal, then he look for this amount. If not, then further negotiations are pointless.
Victim 13:27
Leadership is prepared to accept your offer of $150,000 with all fees included. This would include a working decryptor with any assistance we may need with it, proof and assurance that all our data has been removed from your systems, deleted, not copied or transferred elsewhere, and with the promise not to ask for any additional money for anything after payment is received, a detailed explanation of why we were targeted and how you got into our systems, and the promise to never attack us again. Please send us your bitcoin wallet ID so we can proceed with payment.
Black Basta 14:06
Okay. We confirm all points. Our BTC wallet is [redacted]
Victim 18:49
Ok. This may take some time, but please confirm when you receive payment. I will write you when it is sent.
Black Basta 19:04
Okay.
Black Basta 16:58
Any updates?
Victim 18:51
payment was made. Can you confirm please
Black Basta 18:54
Yes, we see the transaction, but it hasn't been confirmed yet. Please wait.
Black Basta 19:06
Payment received.
Black Basta 19:06
Your data is wiping.
Victim 19:07
Thank you. I will stand by for all the agreed upon deliverables.
Black Basta 19:40
This is log of deletion ALL your taken data
Download: https://qaz.im/load/[redacted]
Delete: https://qaz.im/index.php?a=delete&q=[redacted]
Black Basta 23:44
Download file: [redacted].ex
Black Basta 23:44
How to decrypt windows?
1. Drop executable to any folder.
2. Start new terminal session with administrator rights. (run cmd.exe or powershell.exe with admin rights)
3.1. In cmd.exe type full path to the executable file and press Enter.
3.2. In powershell.exe type: "& c:\full\path\to\executable.exe" without quotes and press Enter.

OR

1. Drop file.
2. Click right mouse button on the file and press run as admin.


(!) IMPORTANT, READ ALL BEFORE DECRYPTION PROCESS
1. Yoy can decrypt only 1 folder (test decrypt for example)
decrypt.exe -forcepath c:\users\1\Desktop\folder
2. DO NOT CLOSE decryptor yourself
3. MAKE BACKUPS of important files what you will decrypt, then you can rerun decryptor if something happens
4. You can decrypt partially encrypted files:
4.1. Make backup
4.2. Add encrypted extension (random for every company, you can ask in chat) to file
4.3. Run decryptor to folder what contains file
4.4. Now you can test file
5. Every decryption process saves file in same location with name of decrypted file with extension .kbckp. In this file you can find individual chacha keys for better recovery experience.
6. You can ask in chat about ECC keys (used to encrypt chacha keys) for your company.
7. Make sure you have at least 10 gb of free space on each disk.
8. To choose folder on linux decrypt.linux -forcepath /path
Black Basta 03:02
Security report and recommendation:
Your network has been compromised by mailing of messages to the emails with malicious attachments.
One of the users launched malware.
To avoid this in the future, give you recommendations of network protection:
1. Use sandbox to analyze the contents of letters and their attachments.
2. Use the password security policies
3. Make protection from attack like a Pass-the-Hash and Pass-the-ticket attack
4. Update all OS and software to the latest versions, especially Microsoft Defender Antivirus.
5. Implement the hardware firewalls with filtering policies, modern DLP and IDS, SIEM systems.
6. Block kerberoasting attacks
7. Conduct full penetrations tests and audit
8. Use and update Anti-virus/anti-malware and malicious traffic detection software
9. Configure group policies, disable the default administrators accounts, create new accounts.
10. Backups. You must have offline backups, does not have access to the network.

Auteur/autrice

sdgadmin@tux.ovh