A trove of chat logs allegedly belonging to the Black Basta ransomware group has leaked online, exposing key members of the prolific Russia-linked gang.
The chat logs, which include over 200,000 messages spanning from September 18, 2023, to September 28, 2024, were shared with threat intelligence company Prodaft by a leaker. The cybersecurity firm says the leak comes amid “internal conflict” within the Black Basta group after some members allegedly failed to provide its victims with functional decryption tools despite paying a ransom demand.
It’s not yet known if the leaker, who uses the alias “ExploitWhispers” on Telegram, was a member of the Black Basta gang.
Black Basta is a prolific Russian-language ransomware gang that the U.S. government has linked to hundreds of attacks on critical infrastructure and global businesses. Its publicly known victims include U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs give a never-before-seen look inside the ransomware gang, including some of its unreported targets.
According to a post on X by Prodaft, the leaker said that the hackers “crossed the line” by targeting Russian domestic banks.
“So we are dedicated to uncovering the truth and investigating Black Basta’s next steps,” the leaker wrote.
Targeted victims, exploits, and a teenage hacker
TechCrunch obtained a copy of the hackers’ chat logs from Prodaft, which contain details about key members of the ransomware gang.
These members include “YY” (Black Basta’s main administrator); “Lapa” (another of Black Basta’s key leaders); “Cortes” (a hacker linked to the Qakbot botnet); and “Trump” (also known as “AA” and “GG”).
The hacker “Trump” is believed to be an alias used by Oleg Nefedovaka, who Prodaft researchers describe as “the group’s main boss.” The researchers linked Nefedovaka to the now-defunct Conti ransomware group, which shut down soon after its internal chat logs leaked following the gang declaring its support for Russia’s full-scale invasion of Ukraine in 2022.
The leaked Black Basta chat logs also quote one member as saying they are 17 years old, TechCrunch has seen.
By our count, the leaked chats contain 380 unique links related to company information hosted on Zoominfo, a data broker that collects and sells access to businesses and their employees, which the chat logs show the hackers used to research the companies they targeted. The links also give some indication of the number of organizations targeted by the gang during the 12-month period.
The chat logs also reveal unprecedented insights into the group’s operations. The messages include details on Black Basta’s victims, copies of phishing templates used in their cyberattacks, some of the exploits used by the gang, cryptocurrency addresses associated with ransom payments, and details about ransom demands and victims’ negotiations with hacked organizations.
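The two paragraphs above describe the kind of triage an analyst does on a dump like this: counting distinct ZoomInfo research links as a rough proxy for targeted organizations, and pulling out cryptocurrency addresses tied to ransom payments. The script below is an added example written for this article, not code from TechCrunch or Prodaft. It assumes the export has been parsed into (sender, timestamp, text) tuples; the six sample messages, the ZoomInfo URLs and the Bitcoin-style address in them are constructed for illustration and are not from the leaked dataset.

```python
import re
from collections import Counter

# Constructed sample chat messages: (sender, timestamp, text).
# Invented for this example; not lines from the leaked Black Basta chats.
SAMPLE_MESSAGES = [
    ("actor_a", "2023-10-02 11:14", "check https://www.zoominfo.com/c/example-corp/111111 revenue looks big"),
    ("actor_b", "2023-10-02 11:20", "yes https://www.zoominfo.com/c/example-corp/111111, same one"),
    ("actor_b", "2023-10-02 11:25", "and https://www.zoominfo.com/c/other-holdings/222222"),
    ("actor_a", "2023-10-03 09:01", "payment to 1AbCdEfGhJkMnPqRsTuVwXyZabcdefghij"),
    ("actor_c", "2023-10-03 09:05", "https://www.zoominfo.com/c/other-holdings/222222 is 4k employees"),
    ("actor_c", "2023-10-04 15:40", "no links here, just talk"),
]

# Any http(s) URL up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Loose triage pattern for Bitcoin addresses: legacy base58 (1.../3...) or
# bech32 (bc1...). It is a heuristic for pulling candidates out of free text,
# not a validator; checksum verification is left to a dedicated library.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def normalize_url(url):
    """Strip trailing punctuation that chat text glues onto a link, then lowercase
    so the same company page is counted once however it was pasted."""
    return url.rstrip(".,;:)]}\"'").lower()


def zoominfo_link_counts(messages):
    """Return a Counter of distinct ZoomInfo URLs -> number of mentions."""
    counts = Counter()
    for _sender, _ts, text in messages:
        for raw in URL_RE.findall(text):
            url = normalize_url(raw)
            if "zoominfo.com/" in url:
                counts[url] += 1
    return counts


def crypto_addresses(messages):
    """Return the sorted set of Bitcoin-looking addresses found in the messages."""
    return sorted({m for _s, _t, text in messages for m in BTC_RE.findall(text)})


def summarize(messages):
    """Headline numbers an analyst would report from a first pass over the dump."""
    links = zoominfo_link_counts(messages)
    return {
        "messages": len(messages),
        "unique_zoominfo_links": len(links),
        "zoominfo_mentions": sum(links.values()),
        "crypto_addresses": crypto_addresses(messages),
        "messages_per_sender": dict(Counter(s for s, _t, _x in messages)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

On the sample input the script reports 2 unique ZoomInfo links out of 4 mentions, one candidate address, and two messages per sender; the distinction between unique links and mentions matters because a repeatedly pasted link says nothing about additional targets. Extracted addresses are only leads until they are checked against blockchain records and known ransom-payment clusters.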
We also found chat logs of the hackers discussing a TechCrunch article about ongoing Qakbot activity, despite an earlier FBI takedown operation aimed at knocking the notorious botnet offline.
TechCrunch also found chat logs that named several previously unknown targeted organizations. These include the failed U.S. automotive giant Fisker; healthtech provider Cerner Corp, which is now owned by Oracle; and U.K.-based travel firm Hotelplan. It is not yet known if the companies were breached, and none of the companies responded to TechCrunch’s inquiries.
The chat logs appear to show the gang’s efforts in exploiting security bugs in enterprise network devices, such as routers and firewalls that sit on the perimeter of a company’s network and act as digital gatekeepers.
The hackers boasted of their ability to exploit vulnerabilities in Citrix remote access products to break into at least two company networks. The gang also talked about exploiting vulnerabilities in Ivanti, Palo Alto Networks and Fortinet software to carry out cyberattacks.
A conversation between Black Basta members also suggests that some of the group were worried about being investigated by Russian authorities in response to geopolitical pressures. While Russia has long been a safe haven for ransomware gangs, Black Basta was also concerned about actions brought by the U.S. government.
Messages sent after the group’s breach of Ascension’s systems warned that the FBI and CISA are “100% obliged” to get involved, which could lead to the agencies “taking a tough stance on Black Basta.”
Black Basta’s dark web leak site, which it uses to publicly extort victims into paying the gang a ransom demand, was offline at the time of publication.