
Black Basta Ransomware Targets Edge Network Devices With Automated Brute-Force Attacks

A Russian-speaking actor using the Telegram handle @ExploitWhispers leaked internal chat logs of Black Basta Ransomware-as-a-Service (RaaS) members on February 11, 2025.

These communications, spanning from September 2023 to September 2024, have provided security researchers with unprecedented insight into the group’s operational tactics and infrastructure used to target organizations across multiple sectors.

Black Basta, which emerged in April 2022, has established itself as a sophisticated, financially motivated cybercrime operation that relies on double extortion tactics.

The group has demonstrated a strategic focus on high-value targets where downtime creates significant financial and operational impact, with Business Services (33 incidents), Industrial Machinery (14), and Manufacturing (6) being their most frequently targeted sectors.

Analysts at EclecticIQ identified a previously unknown brute-forcing framework that Black Basta RaaS members have used since 2023.

This offensive framework, named “BRUTED” after its log naming conventions, performs automated internet scanning and credential stuffing against edge network devices, including firewalls and VPN solutions widely deployed in corporate networks.

According to the leaked communications, Black Basta operated multiple servers dedicated to brute-force attacks, including 45.140.17.40, 45.140.17.24, and 45.140.17.23, all registered under Proton66 (AS 198953) and located in Russia.

Hosting the infrastructure with a Russian provider was likely intended to keep it out of reach of Western law enforcement while the group conducted its malicious activities.

The analysis of the BRUTED framework revealed sophisticated capabilities targeting various remote-access and VPN solutions including SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler, Microsoft RDWeb, and WatchGuard SSL VPN.

Source code of BRUTED (Source – EclecticIQ)

The BRUTED source code reveals the framework’s version string and the main C2 servers it communicates with.

Technical Details of the BRUTED Framework

The framework combines several techniques to maximize its effectiveness.

It rotates through a large list of SOCKS5 proxies obtained from the domain fuck-you-usa.com, hiding the attacker’s server IP while it issues a high volume of brute-force requests.

List of proxy servers inside the BRUTED source code (Source – EclecticIQ)

The framework also automates subdomain enumeration by prepending known prefixes (vpn, remote, mail, etc.) to base domains to discover potential targets.

Password pair generation by using victim SSL cert (Source – EclecticIQ)

One particularly clever technique employed by BRUTED is extracting the Common Name (CN) and Subject Alternative Names (SAN) from a target’s SSL certificate and using them to generate additional password guesses.

A successful brute-force run produces log output such as “Found valid credentials” for “0ffice2023!” on a SonicWALL device.
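The behaviour described above leaves a recognisable trace on the target side: many failed logins for one account from many different source IPs in a short window, sometimes followed by a success from yet another IP. The following detector is an added example (not code from the EclecticIQ report or from BRUTED) that runs over a constructed, simplified gateway log in an assumed `host=… src=… user=… result=…` format and flags both the spray pattern and the attacker IPs named in the leaked chats.

```python
import re
from collections import defaultdict
from datetime import datetime
# Brute-force servers named in the leaked chats (Proton66, AS198953)
KNOWN_BRUTEFORCE_IPS = {"45.140.17.40", "45.140.17.24", "45.140.17.23"}

# Constructed sample gateway log (not real device output); assumed format:
# "<ISO time> host=<gateway> src=<ip> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host=vpn.example.com src=203.0.113.10 user=jdoe result=fail
2024-03-01T10:00:02Z host=vpn.example.com src=203.0.113.11 user=jdoe result=fail
2024-03-01T10:00:03Z host=vpn.example.com src=203.0.113.12 user=jdoe result=fail
2024-03-01T10:00:04Z host=vpn.example.com src=203.0.113.13 user=jdoe result=fail
2024-03-01T10:00:07Z host=remote.example.com src=45.140.17.40 user=asmith result=fail
2024-03-01T10:00:09Z host=vpn.example.com src=203.0.113.14 user=jdoe result=ok
2024-03-01T11:30:00Z host=vpn.example.com src=198.51.100.7 user=bkim result=fail
2024-03-01T11:31:00Z host=vpn.example.com src=198.51.100.7 user=bkim result=fail
2024-03-01T11:32:00Z host=vpn.example.com src=198.51.100.7 user=bkim result=fail
2024-03-01T11:33:00Z host=vpn.example.com src=198.51.100.7 user=bkim result=fail
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (time, host, src, user, result); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),) + m.groups()[1:]

def detect(log_text, window=300, min_failures=4, min_ips=3):
    """Flag events from known attacker IPs, and (host, user) pairs that collect
    >= min_failures failed logins from >= min_ips distinct source IPs within
    `window` seconds; the distinct-IP test separates proxy-rotated credential
    stuffing from one user mistyping a password (bkim in the sample)."""
    alerts, fails, oks = [], defaultdict(list), defaultdict(list)
    for ts, host, src, user, result in parse(log_text):
        if src in KNOWN_BRUTEFORCE_IPS:
            alerts.append({"rule": "known_ip", "host": host, "user": user, "src": src})
        (fails if result == "fail" else oks)[(host, user)].append((ts, src))
    for key, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            srcs = [s for t, s in events[i:] if (t - start).total_seconds() <= window]
            if len(srcs) >= min_failures and len(set(srcs)) >= min_ips:
                # a success from another IP right after the spray = likely compromise
                hit = any(t > start for t, _ in oks.get(key, []))
                alerts.append({"rule": "spray", "host": key[0], "user": key[1],
                               "distinct_ips": len(set(srcs)), "success_after": hit})
                break
    return alerts
```

In the sample, jdoe is flagged as a spray that ended in a successful login, asmith is flagged only because the source is a listed attacker IP, and bkim's repeated failures from one address are left alone.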

After gaining initial access through compromised edge devices, Black Basta actors follow a structured attack chain. They deploy post-exploitation frameworks such as Cobalt Strike or Brute Ratel to establish command-and-control channels and extract credentials, and ultimately deploy ransomware payloads that encrypt network shares, virtualized environments, and cloud storage.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
