Flipping the Script: Threat Intelligence Mining of Ransomware Chat Leaks
OVERVIEW
Threat intelligence teams are frequently relegated to consuming threat intelligence, whether via paid indicator feeds, cybersecurity vendor write-ups, or social media posts. While that data is critical for day-to-day cyber operations, threat intelligence analysts should ultimately strive to produce quality, original, and actionable intelligence themselves. With the recent Conti and BlackBasta ransomware chat leaks, threat intelligence teams have been gifted a treasure trove of data containing valuable insights into ransomware operations, the advanced TTPs deployed during network intrusions, and rare visibility into the “humans behind the keyboard.” Aimed at threat intelligence analysts as well as cybersecurity operations teams, this talk will use sample data from the recent BlackBasta chat leak to show how teams can triage indicators of compromise for quick tactical wins (without waiting for security vendor feeds or write-ups), identify strategic and operational patterns, and incorporate these new insights into an organization’s threat model. Attendees will walk away with a strategy for processing data mined from ransomware chat logs, turning those findings into threat hunting scenarios and detection engineering opportunities, and options for sharing the newly produced intelligence with the broader threat intelligence community.
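As an added illustration of the tactical triage step described above (this is example code written for this page, not material from the talk or from the leak itself), the script below parses a few constructed chat lines, pulls out IPs, URLs, domains and file hashes, separates victim-internal addresses from externally actionable ones, and emits a defanged list you could hand to a blocklist or hunt query. The "[timestamp] sender: message" layout, the operator names, and every indicator in SAMPLE_CHAT are assumptions made up for the example: the IPs come from the RFC 5737 documentation ranges, the domain uses a reserved example name, and the two hashes are the well-known SHA-256 of "test" and MD5 of the empty string.

```python
"""Extract and triage IOCs from leaked ransomware chat lines.

Added example for this page, not the talk's tooling. All input below is
constructed: documentation-range IPs, a reserved example domain, and
hashes of "test" / "" rather than any real sample.
"""
import ipaddress
import re

# Constructed sample in a hypothetical "[ts] sender: text" layout; the real
# leak's schema is not assumed here.
SAMPLE_CHAT = """\
[2024-02-01 09:14:02] op_a: staging server is up at 198.51.100.23, grab the loader from http://update-check.example.net/dl/stage.exe
[2024-02-01 09:15:40] op_b: hash of stage.exe 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
[2024-02-01 09:21:11] op_a: DC is 10.20.30.40, pivot from 192.168.1.15 once creds land
[2024-02-01 09:22:50] op_b: C2 fallback 203.0.113.77 and same domain update-check.example.net
[2024-02-01 09:30:05] op_c: ok 198.51.100.23 works, md5 of beacon d41d8cd98f00b204e9800998ecf8427e
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<sender>[^:]+): (?P<text>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""\bhttps?://[^\s"'<>]+""")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)  # \b stops this matching inside a SHA-256

# RFC 1918 and loopback/link-local: addresses of the victim's own network.
# Checked explicitly rather than via ipaddress.is_private so the RFC 5737
# documentation ranges used in the sample still count as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# "stage.exe" looks like a domain to DOMAIN_RE; drop obvious file extensions.
FILE_EXTS = {"exe", "dll", "zip", "txt", "ps1", "bat", "msi", "doc", "xls"}


def parse_line(line):
    """Return {'ts','sender','text'} for a well-formed chat line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_ip(ip_str):
    """'internal_ip' for victim-side ranges, 'external_ip' otherwise, None if invalid."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    return "internal_ip" if any(ip in net for net in INTERNAL_NETS) else "external_ip"


def extract_iocs(text):
    """Return a set of (kind, value) pairs found in one message."""
    found = set()
    for ip in IPV4_RE.findall(text):
        kind = classify_ip(ip)
        if kind:
            found.add((kind, ip))
    for url in URL_RE.findall(text):
        found.add(("url", url.rstrip(".,)")))
    for dom in DOMAIN_RE.findall(text):
        if dom.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            found.add(("domain", dom.lower()))
    for h in SHA256_RE.findall(text):
        found.add(("sha256", h.lower()))
    for h in MD5_RE.findall(text):
        found.add(("md5", h.lower()))
    return found


def triage(chat_text):
    """Aggregate IOCs across the log: count, first sighting, and who mentioned them."""
    summary = {}
    for line in chat_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for key in extract_iocs(rec["text"]):
            entry = summary.setdefault(key, {"count": 0, "first_seen": rec["ts"], "senders": set()})
            entry["count"] += 1
            entry["senders"].add(rec["sender"])
    return summary


def defang(kind, value):
    """Render an indicator so it cannot be clicked or resolved by accident."""
    if kind == "url":
        return re.sub(r"^http", "hxxp", value).replace(".", "[.]")
    if kind in ("external_ip", "internal_ip", "domain"):
        return value.replace(".", "[.]")
    return value


def actionable(summary):
    """Tactical list: indicators you can block or hunt on now. Internal IPs are
    kept out; they belong in the intrusion timeline, not the perimeter blocklist."""
    return sorted(k for k in summary if k[0] != "internal_ip")


if __name__ == "__main__":
    result = triage(SAMPLE_CHAT)
    for kind, value in actionable(result):
        e = result[(kind, value)]
        print(f"{kind:12} {defang(kind, value):55} x{e['count']} first {e['first_seen']} by {sorted(e['senders'])}")
```

The internal/external split is the part worth keeping when you adapt this to real leak data: operators name victim domain controllers and jump hosts constantly, and those addresses are evidence for the intrusion narrative and the threat model, not indicators to push to a firewall. The count and sender fields are the seed for the pattern work the talk describes, since an address that several operators keep returning to is a better hunting lead than one mentioned once.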