2025-03-13

Black Basta Operators Suspected of Pivoting to Cactus Ransomware Following Leaked Chats

Level: Tactical | Source: Trend Micro
Industries: Construction, Consulting, Financial Services, Food & Beverage, Agriculture, Manufacturing, Professional Services, Real Estate, Retail, Technology, Transportation, Utilities

Black Basta's fallout appears to be continuing: there are indications that its operators are shifting to the Cactus ransomware group, following leaked chat logs that suggest internal disputes within Black Basta. This connection, reported by Trend Micro, suggests a potential link between the Black Basta and Cactus ransomware groups, as their analysis has identified various overlaps in tactics, techniques, and procedures (TTPs). These include the use of the BackConnect malware, Qakbot (aka Qbot) and Zloader malware deployments, and a shared social engineering approach. In this approach, actors fabricate IT issues by overwhelming targets with email floods, then impersonate IT support via Microsoft Teams and coerce victims into installing remote access software. Additionally, both groups have leveraged overlapping command-and-control (C2) infrastructure, reinforcing the assessment that former Black Basta members have transitioned to Cactus. Black Basta's prominence in the threat landscape could amplify Cactus's potential. Since October 2024, Black Basta operations have primarily targeted North America, accounting for 21 attacks, followed by Europe with 18 incidents. The most targeted industry has been manufacturing, with 11 attacks, followed by real estate, construction, financial services, food, retail, technology, utilities, consulting, professional services, and transportation.

Comparing the shared TTPs between Black Basta and Cactus, there are signs of both overlap and expansion. Trend Micro asserts that "The attack chains' methods might not be technically groundbreaking, but how they layer social engineering with the abuse of legitimate tools and cloud-based infrastructure enables them to blend malicious activity into normal enterprise workflows." The Black Basta attack chain begins with a social engineering campaign involving email flooding, followed by direct communication through Microsoft Teams, where attackers pose as IT support. To gain remote access, the threat actors coerce the victim into running Quick Assist, an execution confirmed by Windows prefetch entries. Once access is secured, attackers drop payloads, beginning with “.bpx” files that are concatenated into a zip archive using command-line tools. The archive is extracted using “expand.exe,” dropping DLL files and “OneDriveStandaloneUpdater.exe” into the "C:\Users\<user>\AppData\Local\Microsoft" directory. The DLL, “winhttp.dll,” is sideloaded by “OneDriveStandaloneUpdater.exe” to establish persistence. Attackers also modify the registry using the "reg add" command to store BackConnect IPs, which are tied to C2 infrastructure known to be associated with Black Basta.

The Cactus ransomware attack chain builds upon the tactics used by Black Basta, expanding its capabilities during lateral movement, persistence, and data exfiltration. Like Black Basta, Cactus operators use social engineering to manipulate victims into installing remote access software. Once inside, the attackers deploy payloads similar to Black Basta's, including “.bpx” and “.cab” files, which extract DLLs and executables. Registry modifications store BackConnect IPs, and shared C2 infrastructure further reinforces the connection between the two groups. Cactus has expanded its attack chain by incorporating additional lateral movement techniques, including “OneDriveStandaloneUpdater.exe” targeting port 135 and leveraging SMB and WinRM for remote command execution. Persistence is established through the creation of scheduled tasks along with registry modifications. Notably, Cactus ransomware operations have been observed compromising ESXi hosts, disabling firewalls, and exfiltrating data using WinSCP to a recently registered domain created on January 11, 2025.
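The two attack chains above (the Black Basta staging sequence of expand.exe, winhttp.dll sideloading and "reg add" of C2 IPs, plus the Cactus additions of port 135/SMB/WinRM traffic, scheduled tasks and WinSCP) translate directly into endpoint hunt rules. The following is an added example written for this summary, not code from Trend Micro or Anvilogic: it runs a handful of rules over Sysmon-style events (Event IDs 1, 3, 7 and 13 normalised into dictionaries) and then reports hosts where several rules fired together, which is the layered behaviour the report describes rather than a lone alert. All hostnames, user paths, the registry key and the IP address in the sample events are constructed for the demo.

```python
import re
from typing import Dict, Iterable, List, Set

# IPv4 literal inside a command line; precise enough for a hunt query.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Directories from which winhttp.dll is legitimately loaded on Windows.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Ports the report ties to lateral movement: RPC (135), SMB (445), WinRM (5985/5986).
LATERAL_PORTS = {135, 445, 5985, 5986}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a hunt rule (constructed rule names)."""
    findings: List[Dict[str, str]] = []
    for e in events:
        eid = e.get("EventID")
        host = str(e.get("Computer", "?"))
        exe = _basename(str(e.get("Image", "")))
        cmd = str(e.get("CommandLine", "")).lower()
        rule = detail = None
        if eid == 1 and exe == "expand.exe" and "\\appdata\\local\\microsoft" in cmd:
            rule, detail = "bpx_staging", "expand.exe extracting into AppData\\Local\\Microsoft"
        elif eid == 7 and exe == "onedrivestandaloneupdater.exe":
            # Sideloading: winhttp.dll resolved from the binary's own directory, not System32.
            loaded = str(e.get("ImageLoaded", "")).lower()
            if loaded.endswith("\\winhttp.dll") and not loaded.startswith(SYSTEM_DIRS):
                rule, detail = "winhttp_sideload", f"winhttp.dll loaded from {loaded}"
        elif eid == 1 and exe == "reg.exe" and " add " in cmd:
            m = IPV4.search(cmd)
            if m:
                rule, detail = "reg_c2_ip", f"reg add stores IP {m.group(0)}"
        elif eid == 3 and exe == "onedrivestandaloneupdater.exe":
            port = int(str(e.get("DestinationPort", 0)))
            if port in LATERAL_PORTS:
                rule, detail = "lateral_port", f"outbound to tcp/{port}"
        elif eid == 1 and exe == "schtasks.exe" and "/create" in cmd:
            rule, detail = "schtask_persist", "scheduled task created"
        elif eid == 1 and exe == "winscp.exe":
            rule, detail = "winscp_exfil", "WinSCP launched (possible exfiltration)"
        if rule:
            findings.append({"host": host, "rule": rule, "detail": detail})
    return findings


def hosts_with_chain(findings: List[Dict[str, str]], minimum: int = 3) -> List[str]:
    """Hosts on which at least `minimum` distinct rules fired: the chain, not one alert."""
    per_host: Dict[str, Set[str]] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= minimum)


# Constructed sample telemetry (Sysmon-like fields); two benign events are mixed in.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Computer": "WS-EXAMPLE-01", "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand.exe C:\Users\alice\Downloads\pkg.cab -F:* C:\Users\alice\AppData\Local\Microsoft"},
    {"EventID": 7, "Computer": "WS-EXAMPLE-01",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\winhttp.dll"},
    {"EventID": 7, "Computer": "WS-EXAMPLE-01",  # benign: DLL from System32
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDriveStandaloneUpdater.exe",
     "ImageLoaded": r"C:\Windows\System32\winhttp.dll"},
    {"EventID": 1, "Computer": "WS-EXAMPLE-01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Example /v Server /t REG_SZ /d 203.0.113.10 /f"},
    {"EventID": 1, "Computer": "WS-EXAMPLE-01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Example /v Theme /t REG_SZ /d dark /f"},  # benign
    {"EventID": 3, "Computer": "WS-EXAMPLE-01",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDriveStandaloneUpdater.exe",
     "DestinationPort": 135},
    {"EventID": 1, "Computer": "WS-EXAMPLE-01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "OneDrive Update" /tr "C:\Users\alice\AppData\Local\Microsoft\OneDriveStandaloneUpdater.exe" /sc onlogon'},
    {"EventID": 1, "Computer": "WS-EXAMPLE-01", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "CommandLine": "winscp.exe"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: {h['rule']} - {h['detail']}")
    print("hosts with chained activity:", hosts_with_chain(hits))
```

The benign events (winhttp.dll loaded from System32, a "reg add" with no IP) fall through without a finding, which is the distinction that keeps the sideloading and registry rules usable on a real fleet; the `hosts_with_chain` step is where the report's point about layering matters, since any one of these behaviours on its own is common enough to be noise.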

Leaked chat logs from Black Basta, published on February 11, 2025, suggest internal conflict within the group, potentially leading to defections to Cactus. The leaks, covering communications between September 2023 and September 2024, reveal Black Basta's operational details, including phishing templates, cryptocurrency transactions, and credentials of targeted victims. Internal disagreements and evidence of targeting Russian financial institutions have fueled speculation about the group's instability. Given the TTP overlaps and the known transition of some Black Basta members to Cactus, Trend Micro assesses that Cactus will continue to operate with an experienced team while Black Basta's future remains uncertain. The leaks could lead to the group's dissolution, similar to what happened with Conti following its internal leaks.

Trend Micro recommends organizations take proactive steps to mitigate the risk posed by these ransomware groups. Restricting remote assistance tools, such as Quick Assist, and implementing strict approval processes for remote access can limit the effectiveness of social engineering tactics. Regular employee training on phishing scams and IT impersonation threats is essential to reducing the likelihood of successful intrusions and increasing awareness of current engagement techniques. Monitoring for the abuse of legitimate tools and cloud-based infrastructure is also crucial to identifying and mitigating threats before ransomware deployment.
