Introduction
On February 11, 2025 [2] [4] [5] [8], a significant leak of internal communications from the BlackBasta ransomware gang was made public [5]. This leak [1] [2] [3] [4] [5] [7] [8] [9] [10], attributed to an individual known as ExploitWhispers [2] [6] [8] [9], provides comprehensive insight into the gang’s strategies, internal conflicts [1] [2] [3] [5] [7] [8] [10], and operations over nearly a year. The revelations have significant implications for cybersecurity, highlighting the gang’s sophisticated methods and the challenges organizations face in defending against such threats.
Description
Internal communications from the BlackBasta ransomware gang were leaked online on February 11, 2025 [2], revealing the group’s strategies [1] [5], internal conflicts [1] [2] [3] [5] [7] [8] [10], and operations [1] [2] [3] [5] [7] [8] [10]. This significant leak [3] [5], attributed to an individual known as ExploitWhispers [2] [6] [8] [9], includes nearly a year’s worth of messages exchanged on the Matrix chat platform in Russian, covering a period from September 18, 2023 [6] [7], to September 28, 2024 [1] [2] [3] [4] [5] [6] [7] [8] [10]. Initially available on the file-sharing site MEGA [6], the logs are now accessible via a dedicated Telegram channel [6]. The legitimacy of the leaks has been supported by several threat intelligence sources [6], with Prodaft noting that they contain valuable information for threat analysis [6].
BlackBasta [1] [5] [6] [8] [10], a ransomware strain first detected in April 2022 [6], is believed to be a merger of the defunct Conti and REvil groups [6]. The logs reveal the identities of key members [3], including “YY” (the main administrator), “Cortes” (a Qakbot-linked actor), “Lapa” (an admin), and “Oleg Nefedov,” also known by aliases “GG” and “AA,” who has faced criticism for prioritizing personal gain over the group’s interests and for risky decisions, including targeting Russian banks [1] [5] [8]. Notably, one member claimed to be 17 years old [8], highlighting the diverse demographics within the group [8]. The communications indicate escalating tensions within the group [10], particularly following Nefedov’s arrest [10], which has raised concerns about exposure to law enforcement and led to disagreements over targeting Russian financial institutions. Complaints about unpaid wages and growing discord have also been prevalent, contributing to the gang’s decline.
The logs detail the gang’s operations, including discussions about exploiting vulnerabilities in Citrix remote access products and software from Ivanti [3], Palo Alto Networks [3], and Fortinet [3] [8]. They document various exploits and phishing campaigns that utilized fabricated IT support lures to deploy tools like Cobalt Strike and SystemBC [8]. The gang typically initiates attacks through phishing emails with malicious links [1], often using password-protected zip files that install the Qakbot banking trojan [1], which creates a backdoor and deploys SystemBC for encrypted connections to command and control servers [1]. Once inside a network [1], BlackBasta employs Cobalt Strike for reconnaissance and additional tool deployment [1], while using legitimate remote access software to maintain persistence and disable security systems [1]. For data theft [1], they utilize tools like Mimikatz and Rclone [1], encrypting files with the “.basta” extension as part of a double extortion strategy [1]. Victims are given a 10-12 day window to contact the group before potential data leaks occur [1].
The logs also provide insights into the relationships between key threat actors [6], the group’s access to internal networks [6], and other significant operational details [6]. They contain over 367 unique links to company information from ZoomInfo [3], indicating the extent of the gang’s research on targeted organizations [3], which the attackers often draw on during negotiations [7]. Notable previously unreported targets mentioned include the failed US automotive company Fisker [3], health tech provider Cerner Corp [3], and other significant organizations such as Rheinmetall (Germany), Hyundai (Europe) [2] [5], BT Group (UK) [2], Ascension (USA) [2], ABB (USA) [2], Capita (UK) [2], Toronto Public Library (Canada) [2], and Yellow Pages Canada [2]. The group often tailors ransom demands to the victim’s estimated revenue, employing business jargon to exert pressure during negotiations [8]. The leak coincides with reported internal conflicts within the group [3], particularly regarding failures to provide functional decryption tools to victims after ransom payments [3]. Concerns about investigations by Russian authorities and the US government are also evident [3], particularly following the breaches of Ascension’s systems and of the UK utility company Southern Water. At the time of the leak [3], the gang’s dark web leak site [3], used for extorting victims [3], was offline [3]. The source of the leak and the identity of ExploitWhispers remain unknown [6].
Security firm Hudson Rock has utilized the chat transcripts to develop a resource called BlackBastaGPT [10], an AI-powered chatbot that allows researchers to query the dataset for insights into the gang’s operations [8], such as their initial access vectors and ransom demand calculations [8]. This represents a significant advancement in utilizing adversarial data for proactive defense [8], transforming raw chat logs into actionable intelligence to help organizations anticipate attack patterns [8]. Analysts caution that the leaked tactics [8], techniques [1] [8] [9], and procedures (TTPs) could be adopted by rival gangs or splinter groups [8], emphasizing the need for proactive defense measures [8]. Recommendations include strengthening remote access systems [8], enforcing multi-factor authentication [8], and monitoring for indicators of compromise like AntispamConnectUS.exe [8], a proxy malware variant used in attacks [8]. The leak corroborates warnings from the FBI and CISA regarding BlackBasta’s involvement in over 500 breaches and approximately $100 million in ransom payments collected from over 90 victims as of November 2023. This incident parallels the February 2022 Conti ransomware leak [4], which involved the release of over 170,000 internal chat conversations and source code [4].
The dataset also contains valuable Indicators of Compromise (IOCs) [9], such as IP addresses [9], domains [9], stolen credentials [7] [9], and malware hashes [9], which can aid organizations in enhancing their security measures [9]. The revelations from the leak emphasize the sophistication and profitability of ransomware operations [9], showcasing methods like social engineering [9], advanced VPN exploits [9], and the use of botnets and antivirus evasion techniques [9]. Organizations are urged to adopt a multi-layered defense strategy [9], including vigilant patch management [9], strong authentication protocols [9], comprehensive EDR/XDR solutions [9], and well-rehearsed incident response plans to combat the evolving ransomware threat [9].
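The paragraphs above describe the kinds of indicators the leak yields (process names such as AntispamConnectUS.exe, the “.basta” file extension, IP addresses, domains, hashes) and recommend monitoring for them. The script below is an added example, not code from the article or from any of the referenced sources, showing how a defender turns such an indicator list into a simple matcher run over endpoint log lines. Only the process name and file extension come from the page; the IP address (RFC 5737 documentation range), the domain (RFC 2606 reserved TLD), and the key=value log format are constructed placeholders and would be replaced with the real IOC feed and the real log schema.

```python
"""Match a small IOC set against key=value endpoint log lines.

Added example. The IOC values below are a mix of indicators named on the
page (process name, file extension) and constructed placeholders (IP,
domain) so the script runs offline without any real threat data.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Indicators from the page: proxy malware process name and ransomware extension.
IOC_PROCESSES = {"antispamconnectus.exe"}
IOC_EXTENSIONS = {".basta"}
# Constructed placeholders (not real C2 infrastructure).
IOC_IPS = {"192.0.2.10"}
IOC_DOMAINS = {"c2.example.net"}


@dataclass
class Hit:
    line_no: int    # 1-based index into the scanned log lines
    kind: str       # "process", "extension", "ip" or "domain"
    indicator: str  # the IOC value that matched
    line: str       # the raw log line, kept for the analyst


# Field extractors for a constructed "key=value" log format.
PROC_RE = re.compile(r'(?:image|process|cmd)="?([^\s"]+)', re.I)
FILE_RE = re.compile(r'(?:file|path|target)="?([^\s"]+)', re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def _basename(path: str) -> str:
    """Return the final path component, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_logs(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per IOC match, in log order."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        # Process creation: compare only the executable name, not the full path,
        # since the malware may be dropped into any writable directory.
        for m in PROC_RE.finditer(line):
            name = _basename(m.group(1))
            if name in IOC_PROCESSES:
                hits.append(Hit(n, "process", name, line))
        # File operations: encrypted files carry the ransomware extension.
        for m in FILE_RE.finditer(line):
            path = m.group(1).lower()
            for ext in IOC_EXTENSIONS:
                if path.endswith(ext):
                    hits.append(Hit(n, "extension", ext, line))
        # Network indicators anywhere in the line.
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip, line))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in IOC_DOMAINS:
                hits.append(Hit(n, "domain", dom.lower(), line))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count matches per indicator kind, for a quick triage view."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample log lines; host names, PIDs and timestamps are invented.
SAMPLE_LOGS = [
    'ts=2025-02-12T10:01:03Z host=ws17 event=process_create '
    'image="C:\\Users\\j.doe\\AppData\\Local\\Temp\\AntispamConnectUS.exe" pid=4412',
    'ts=2025-02-12T10:01:09Z host=ws17 event=network_connect pid=4412 dst=192.0.2.10 port=443',
    'ts=2025-02-12T10:02:40Z host=ws17 event=dns_query query=c2.example.net',
    'ts=2025-02-12T10:05:11Z host=fs01 event=file_rename path="\\\\fs01\\share\\Q3_report.xlsx.basta"',
    'ts=2025-02-12T10:05:12Z host=ws03 event=process_create image="C:\\Windows\\System32\\notepad.exe" pid=2201',
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} match on {h.indicator}")
    print(summarize(found))
```

Matching on the executable's basename rather than its full path is deliberate: the page notes the malware is staged by phishing lures, so the drop directory varies per victim, while the file name is the stable part of the indicator. Hashes from the dataset would be matched the same way against a hash field once the log source provides one.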
Conclusion
The leak of BlackBasta’s internal communications underscores the ongoing threat posed by sophisticated ransomware groups. It highlights the need for organizations to adopt robust cybersecurity measures, including multi-layered defense strategies and proactive threat intelligence utilization. As adversaries continue to evolve, leveraging leaked data for defensive purposes can provide a strategic advantage, helping to anticipate and mitigate future attacks. The incident serves as a reminder of the importance of vigilance and preparedness in the face of an ever-evolving cyber threat landscape.
References
[1] https://www.techspot.com/news/106884-black-basta-ransomware-group-secrets-exposed-massive-leak.html
[2] https://news.lavx.hu/article/black-basta-ransomware-internal-chats-exposed-a-deep-dive-into-cybercrime-dynamics
[3] https://techcrunch.com/2025/02/21/a-huge-trove-of-leaked-black-basta-chat-logs-expose-the-ransomware-gangs-key-members-and-victims/
[4] https://dailysecurityreview.com/security-spotlight/black-basta-ransomware-data-leak-exposes-internal-communications-and-targets/
[5] https://cyberinsider.com/black-basta-ransomware-chats-leaked-exposing-internal-chaos/
[6] https://www.infosecurity-magazine.com/news/blackbasta-ransomware-chatlogs/
[7] https://www.techzine.eu/news/security/128943/internal-chat-logs-of-black-basta-ransomware-gang-leaked/
[8] https://cybersecuritynews.com/blackbastagpt-chatgpt-powered-tool/
[9] https://www.securityblue.team/blog/posts/ransomware-gang-black-basta-leaked-chat-logs
[10] https://arstechnica.com/security/2025/02/leaked-chat-logs-expose-inner-workings-of-secretive-ransomware-group/