The Untold Stories of Bassterlord’s Manuals

Carlos Borges

The presentation outlines the criminal career of the underground actor Bassterlord, who having been engaged in cybercrime since at least 2017, went on to become a notorious ransomware operator associated with several ransomware-as-a-service (RaaS) groups. On 20, Feb. 2024, following a law enforcement operation impacting the LockBit RaaS, the actor was sanctioned by the U.S. Department of Justice (DoJ) and their identity revealed. We take the audience back to an important moment in the actor's career that culminated in the creation of two meticulously crafted manuals aimed at indoctrinating novices into the realm of ransomware. We walk the audience through a timeline of relevant events that help to understand the creation process of both manuals with some special details of a tutorial precursor video the actor recorded while breaching a company and posted in a Russian-speaking underground forum. We end disclosing additional personas the actor likely operated, links with high-tier ransomware operators who either tutored or supported Bassterlord with the development of the manuals and a summary of the TTPs presented in the manuals, to elucidate the typical modus operandi of a ransomware attack from the point of view of a real ransomware operator.