Black Basta Ransomware Gang Exposed: Internal Chat Logs Leak Online

Leaked Chat Logs Expose Internal Conflict and Operations
An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation. The leaked information sheds light on the gang’s internal operations, conflicts, and possible motivations behind their cybercriminal activities.
ExploitWhispers, the individual who uploaded the stolen messages to the MEGA file-sharing platform, has since removed the data and re-uploaded it to a dedicated Telegram channel. The identity of ExploitWhispers remains unknown, but speculation suggests they could be either a security researcher who gained access to Black Basta's internal chat server or a disgruntled member seeking revenge.
While no explicit reason was provided for the leak, cybersecurity firm PRODAFT suggested that it might have been triggered by the ransomware gang’s alleged attacks on Russian banks.
"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT stated.
"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."
Insights from the Leaked Chat Logs
The leaked archive reportedly contains messages exchanged in Black Basta's internal chat rooms between September 18, 2023, and September 28, 2024. This period covers over a year of communication among the ransomware gang’s members, offering an unprecedented look into their discussions, tactics, and potential targets.
Additionally, the leaked chats include 367 unique ZoomInfo links, which likely indicate the number of companies targeted during this period. Ransomware gangs commonly use the ZoomInfo site to gather intelligence on potential victims, including their financials, key personnel, and vulnerabilities. These links provide insight into the scale and scope of Black Basta’s cybercriminal operations.
Beyond exposing potential targets, the leak also revealed the identities of several key figures within the organization:
- Lapa – One of the operation’s administrators.
- Cortes – A threat actor linked to the infamous Qakbot group.
- YY – Black Basta's main administrator.
- Trump (aka GG and AA, Oleg Nefedov) – The gang’s leader.
The exposure of these members raises concerns about potential law enforcement actions against the gang, as authorities might leverage this intelligence to track down and dismantle their operations.
Who is Black Basta?
The Black Basta Ransomware-as-a-Service (RaaS) operation emerged in April 2022 and has since become one of the most notorious ransomware groups globally. They have claimed responsibility for attacks on various high-profile victims, including companies in healthcare, defense, technology, and government contracting.
Some of their notable victims include:
- German defense contractor Rheinmetall
- Hyundai's European division
- BT Group (formerly British Telecom)
- U.S. healthcare giant Ascension
- Government contractor ABB
- The American Dental Association
- U.K. tech outsourcing firm Capita
- Toronto Public Library
- Yellow Pages Canada
The scale of Black Basta’s attacks has prompted increased scrutiny from global law enforcement agencies. In a joint report issued in May 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) revealed that Black Basta affiliates had breached over 500 organizations worldwide between April 2022 and May 2024.
Black Basta’s Financial Success and Ransom Strategies
Black Basta operates on a RaaS model, meaning they provide ransomware tools and infrastructure to affiliates who then carry out attacks in exchange for a share of the ransom payments. According to joint research by Corvus Insurance and Elliptic, the gang has collected an estimated $100 million in ransom payments from over 90 victims as of November 2023.
One of the main tactics employed by Black Basta involves double extortion—encrypting victim data and threatening to publish stolen information unless a ransom is paid. This strategy has proven highly effective, pressuring companies to comply with ransom demands to avoid reputational damage and regulatory fines.
Parallels to the Conti Ransomware Leak
This recent Black Basta leak bears striking similarities to a major cybersecurity event from 2022. In February of that year, a Ukrainian security researcher leaked over 170,000 internal chat conversations and the source code for the Conti ransomware encryptor. The leak occurred after the Russian-based Conti cybercrime syndicate publicly supported Russia following its invasion of Ukraine.
The Conti leaks were a major blow to the cybercriminal organization, leading to internal chaos and the eventual dissolution of the group. Many former Conti members were later linked to other ransomware gangs, including Black Basta, raising questions about whether history might repeat itself.
Potential Consequences of the Leak
The publication of Black Basta’s internal communications could have significant implications for the ransomware gang. Potential consequences include:
- Increased Law Enforcement Pressure – Authorities may use the leaked chat logs to identify and track key members, leading to arrests and legal actions.
- Distrust Within the Organization – Internal conflicts and paranoia may escalate, causing further disorganization and potential defections.
- Exposure of Victim and Negotiation Tactics – Companies and cybersecurity professionals can study the leaked logs to better understand the gang’s negotiation strategies and improve their defensive measures.
- Reputation Damage – The leak may discourage other cybercriminals from partnering with Black Basta, fearing similar betrayals or security risks.
Final Thoughts
The leak of Black Basta’s internal chat logs is a major development in the ongoing battle against ransomware. While it remains uncertain whether this will lead to the group’s downfall, it undoubtedly weakens their operations and provides law enforcement and cybersecurity researchers with valuable intelligence.
As ransomware gangs continue to evolve and adapt, this incident serves as a reminder that even the most sophisticated cybercriminal organizations are not immune to internal strife and exposure. Whether this marks the beginning of the end for Black Basta or simply another chapter in the ongoing ransomware war remains to be seen.
About the Creator
WIRE TOR - Ethical Hacking Services