Black Basta, a notorious ransomware group, has become the latest criminal organization to face the fallout of leaked internal chat logs. These logs, which span from September 2023 to September 2024, were leaked by an individual under the handle ExploitWhispers. Unlike previous leaks, such as those involving Conti and its Ukrainian affiliate, this leak was allegedly triggered by Black Basta’s targeting of domestic Russian banks. The release of nearly 200,000 Russian-language messages has provided an unprecedented look into the group’s inner workings, potentially exposing the identities of individuals behind the criminal enterprise.
The chat logs reveal not only technical discussions about the group’s operations but also clues about the structure of the organization. Members of the Black Basta group, including former operators of the Conti and Ryuk ransomware families, discussed their roles in executing attacks, testing methods, and debugging technical issues. These messages also disclosed sensitive information such as login credentials and even attempts to sell hacking tools like modified versions of Cobalt Strike. The leak sheds light on how the gang operates and their strategic decisions, including a script to avoid attacking certain companies based on size or recent financial losses.
Additionally, the logs provide insight into the internal conflicts that have affected the group’s activities in recent months.
Black Basta has reportedly been largely inactive since the beginning of 2024 due to disagreements among its operators. Some of these operators have been accused of scamming victims by collecting ransom payments without delivering functional decryption tools. Despite these internal issues, the leak has allowed law enforcement and cybersecurity researchers to gain valuable intelligence, including the identification of potential targets that were previously compromised, particularly in the UK and the Netherlands.
The leak of these chat logs highlights the growing trend of ransomware groups being exposed due to the actions of insiders or external parties. Researchers continue to examine the materials, with some using advanced tools to query the data for further insights. The revelations provide critical information that could lead to law enforcement interventions, especially since many members of Black Basta have been sanctioned by Western governments. The breach has left the group vulnerable, while also increasing scrutiny on the cybersecurity practices of the organizations that have been targeted.
Reference:
