Saturday, February 22, 2025
Leaked Black Basta chat logs reveal ransomware gang’s members and victims.

A collection of chat logs purportedly from the Black Basta ransomware group has been leaked online, revealing information about prominent members of the group, which is believed to be linked to Russia.

These chat logs, encompassing over 200,000 messages dated from September 18, 2023, to September 28, 2024, were provided to threat intelligence company Prodaft by an anonymous leaker. According to the cybersecurity firm, this leak appears to be a consequence of unrest within the Black Basta group, following accusations that certain members were unable to deliver functional decryption tools to some victims despite receiving ransom payments.

The leaker, who goes by the alias “ExploitWhispers” on Telegram, has not been identified, and their involvement with Black Basta remains unclear.

Black Basta, recognized as a significant Russian-language ransomware group, has been connected by U.S. authorities to hundreds of attacks targeting critical infrastructure and businesses worldwide. Known victims of the gang include U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs offer an unprecedented glimpse into the gang’s operations, revealing previously unidentified targets.

Prodaft reported on social media that the leaker accused the hackers of overstepping boundaries by targeting Russian domestic banks.

The leaker expressed commitment to uncovering the truth and exploring Black Basta’s future actions.

TechCrunch, which acquired a copy of the hackers’ chat logs from Prodaft, disclosed details on significant members of the ransomware group. These individuals include “YY” (Black Basta’s primary administrator); “Lapa” (another leader within Black Basta); “Cortes” (associated with the Qakbot botnet); and “Trump” (also referred to as “AA” and “GG”).

The hacker known as “Trump” is suggested to be an alias for Oleg Nefedovaka, whom Prodaft researchers describe as “the group’s main boss.” Nefedovaka’s links were also traced to the now-defunct Conti ransomware group, which dissolved following the public exposure of its internal chat logs and after announcing its support for Russia’s full-scale invasion of Ukraine in 2022.

In the leaked Black Basta chat logs, one member states that they are 17 years old, as observed by TechCrunch.

The leaked chats reportedly include 380 unique links to company information hosted on Zoominfo, a data broker used by the hackers for researching targeted companies. These links also hint at the breadth of organizations targeted over the past year.

The chat logs offer insight into how the Black Basta group operates. The messages include details on the gang’s victims, phishing templates used in its attacks, exploits deployed by the group, cryptocurrency addresses linked to ransom payments, and records of negotiations with victims.

Additionally, chats reveal discussions about a TechCrunch article concerning ongoing Qakbot activity, despite prior efforts by the FBI to dismantle the botnet.

Further chat logs uncover previously unidentified targeted organizations, including the defunct U.S. automotive company Fisker; health tech provider Cerner Corp, now owned by Oracle; and U.K.-based travel company Hotelplan. It remains uncertain if these companies were successfully breached, as none responded to TechCrunch’s inquiries.

The logs suggest that the group exploited security flaws in enterprise network devices, such as routers and firewalls, to gain unauthorized access to company networks. The hackers claimed to have exploited vulnerabilities in Citrix remote access products to infiltrate at least two company networks, and discussed leveraging vulnerabilities in software from Ivanti, Palo Alto Networks, and Fortinet for their cyberattacks.

Conversations among Black Basta members also reveal concerns about investigations from Russian authorities due to geopolitical dynamics. Despite Russia’s historical role as a refuge for ransomware groups, the gang also exhibited apprehension over potential actions from the U.S. government.

Following the breach of Ascension’s systems, messages indicated that FBI and CISA involvement was inevitable and could lead to stringent measures against Black Basta.

At the time of reporting, Black Basta’s dark web site, utilized for public extortion of victims to compel ransom payments, was offline.

DMN8 Partners