Black Basta Chat Logs Leaked: Ransomware Gang Exposed

February 21, 2025
Black Basta Ransomware Group Chat Logs Leaked

A substantial collection of chat logs, purportedly originating from the Black Basta ransomware group, has been released online.

This data breach reveals the identities of prominent individuals associated with the highly active, Russia-affiliated criminal organization.

Details of the Leak

The leaked conversations encompass over 200,000 messages exchanged between September 18, 2023, and September 28, 2024.

A source provided these logs to the threat intelligence firm Prodaft. The firm attributes the leak to an internal dispute within Black Basta.

Allegedly, certain members of the group did not deliver working decryption tools to victims even after ransom payments were received.

The Leaker's Identity

The individual responsible for the leak operates under the pseudonym “ExploitWhispers” on Telegram.

It remains unconfirmed whether “ExploitWhispers” was previously a member of the Black Basta operation.

Black Basta's Activities and Targets

Black Basta is a well-known ransomware group operating primarily in the Russian language.

U.S. authorities have connected the group to numerous attacks targeting vital infrastructure and businesses worldwide.

Notable victims include the U.S. healthcare provider Ascension, the U.K.’s Southern Water, and the British firm Capita.

The released chat logs offer unprecedented insight into the group’s internal workings and previously undisclosed targets.

Motivation Behind the Leak

According to a Prodaft post on X (formerly Twitter), the leaker stated that the hackers “crossed a line” by attacking Russian financial institutions.

The leaker expressed a commitment to exposing the truth and monitoring Black Basta’s future actions.

“We are dedicated to uncovering the truth and investigating Black Basta’s next steps,” the leaker communicated.

Individuals Targeted, Methods Employed, and a Juvenile Hacker

Prodaft provided TechCrunch with access to the hackers’ communication records, revealing specifics concerning prominent figures within the ransomware operation.

Key individuals identified include “YY,” functioning as Black Basta’s primary administrator, “Lapa,” another leading figure, “Cortes,” a hacker with ties to the Qakbot botnet, and “Trump,” also recognized as “AA” and “GG.”

The alias “Trump” is strongly suspected to belong to Oleg Nefedovaka, whom Prodaft researchers designate as “the group’s principal leader.” These researchers have connected Nefedovaka to the now-inactive Conti ransomware group, which ceased operations after its internal communications were exposed following the organization’s declaration of support for Russia’s invasion of Ukraine in 2022.

TechCrunch's review of the disclosed Black Basta chat logs also indicates that one participant is only 17 years old.

Analysis of the leaked conversations reveals 380 distinct links to company data sourced from ZoomInfo, a data brokerage firm specializing in the collection and sale of business and employee information. These links demonstrate how the hackers utilized this resource to profile their intended targets, and provide an indication of the scale of organizations targeted over a year-long period.

The chat logs offer unprecedented insight into the group’s operational procedures. Included are details regarding Black Basta’s victims, examples of phishing templates utilized in their attacks, specific exploits employed by the gang, cryptocurrency addresses linked to ransom payments, and information concerning ransom negotiations with compromised organizations.

We also discovered discussions among the hackers regarding a TechCrunch report on continuing Qakbot activity, despite a prior FBI operation intended to dismantle the botnet.

TechCrunch’s review of the chat logs also uncovered several previously unmentioned targeted organizations. These include Fisker, a defunct U.S. automotive manufacturer; Cerner Corp., a health technology company now under Oracle’s ownership; and Hotelplan, a travel company based in the U.K. It remains uncertain whether these companies experienced breaches, and none responded to TechCrunch’s requests for comment.

The chat logs suggest the gang actively sought to exploit security flaws in enterprise network devices, such as routers and firewalls, which serve as a company's first line of defense.

The hackers highlighted their capability to leverage vulnerabilities within Citrix remote access products to infiltrate at least two corporate networks. They also discussed exploiting weaknesses in software developed by Ivanti, Palo Alto Networks, and Fortinet to execute cyberattacks.

Conversations between Black Basta members also reveal concerns about potential investigations by Russian authorities, driven by geopolitical factors. Despite Russia historically providing a safe haven for ransomware groups, Black Basta also expressed apprehension regarding actions initiated by the U.S. government.

Messages following the breach of Ascension’s systems cautioned that the FBI and CISA were “fully obligated” to intervene, potentially leading to a “firm response” towards Black Basta.

At the time of this report, Black Basta’s dark web leak site, used to publicly pressure victims into paying ransoms, was inaccessible.
