A massive cache of internal chat logs from the notorious Black Basta ransomware group has surfaced online, exposing the identities of key members, operational tactics, and previously undisclosed victims. The leak, containing over 200,000 messages spanning from September 2023 to September 2024, was provided to threat intelligence firm Prodaft by an anonymous whistleblower operating under the alias “ExploitWhispers.”
Internal Conflict and Motivations
The breach appears to be a direct result of internal friction within the Russia-linked syndicate. Reports suggest the group fractured after certain members failed to provide functional decryption tools to victims who had already met ransom demands. Furthermore, the leaker claimed the group “crossed the line” by targeting domestic Russian banks, prompting a mission to expose the gang’s inner workings.
Black Basta has been linked by the U.S. government to hundreds of attacks on critical infrastructure, including high-profile incidents involving Ascension, Southern Water, and Capita. The leaked data offers an unprecedented look at how these attackers research and compromise global businesses.
Key Figures and the “Main Boss”
The logs identify several core operators, including the primary administrator “YY” and a key leader known as “Lapa.” Notably, the data points to “Trump”—also known as “AA” or “GG”—as the group’s main boss. Prodaft researchers have linked this alias to Oleg Nefedovaka, who was previously associated with the now-defunct Conti ransomware group. The logs also include messages from a member who claims to be only 17 years old.
Operational Tactics and Unreported Targets
The investigation into the logs reveals a repeatable process for selecting and breaking into victims. The hackers relied heavily on ZoomInfo to scout potential targets, with the cache containing 380 unique links to company profiles. The group’s technical arsenal is equally broad, focusing on vulnerabilities in internet-facing (perimeter) devices:
- Citrix Exploits: Used to breach at least two major corporate networks.
- Infrastructure Attacks: Frequent discussions regarding vulnerabilities in Ivanti, Palo Alto Networks, and Fortinet software.
- Phishing: The logs include templates and strategies used to gain initial access.
The leak also identified several organizations not previously known to be in the crosshairs of Black Basta, including the automotive firm Fisker, health tech provider Cerner Corp (owned by Oracle), and the travel company Hotelplan. It remains unconfirmed whether these specific organizations were successfully breached, but the evidence highlights the gang’s aggressive scanning of enterprise-grade network devices.
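The figures above (380 unique ZoomInfo company links, repeated discussion of Citrix, Ivanti, Palo Alto Networks and Fortinet) are the kind of counts an analyst derives by triaging the raw chat dump. The script below is an added example of that triage, written for this page; it is not Prodaft’s tooling and does not reflect the real format of the leaked archive. It assumes a JSON Lines dump where each record carries at least “timestamp”, “sender” and “text” fields, and the five sample records are constructed, not real messages. It canonicalises ZoomInfo company-profile URLs so that scheme, “www.” and tracking-query variants of the same profile are counted once, and tallies how many messages mention each perimeter vendor named in the article.

```python
"""Triage helper for a leaked chat corpus (added example, not Prodaft's tooling).

Assumes a JSON Lines dump with "timestamp", "sender" and "text" fields per
record. SAMPLE_JSONL below is constructed for illustration only.
"""
import json
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample records; the aliases and URLs are placeholders, not leak data.
SAMPLE_JSONL = """\
{"timestamp": "2024-01-09T10:02:11Z", "sender": "yy", "text": "look https://www.zoominfo.com/c/example-motors-inc/12345678?utm=x revenue 2b"}
{"timestamp": "2024-01-09T10:04:40Z", "sender": "lapa", "text": "same one: http://zoominfo.com/c/example-motors-inc/12345678"}
{"timestamp": "2024-01-09T11:15:03Z", "sender": "yy", "text": "https://www.zoominfo.com/c/sample-health-llc/87654321 has citrix on edge, ivanti vpn too"}
{"timestamp": "2024-01-10T08:30:00Z", "sender": "gg", "text": "fortinet and palo alto boxes at sample-health, check ivanti first"}
{"timestamp": "2024-01-10T09:00:00Z", "sender": "yy", "text": "no link here, just phishing template draft"}
"""

# Matches ZoomInfo company-profile links (the /c/ path) inside free-form chat text.
ZOOMINFO_RE = re.compile(r"https?://(?:www\.)?zoominfo\.com/c/[^\s<>\"']+", re.IGNORECASE)

# Perimeter vendors named in the article; matched case-insensitively as substrings.
VENDORS = ("citrix", "ivanti", "palo alto", "fortinet")


def normalize_url(url):
    """Canonicalise a ZoomInfo URL: force https, drop www., strip query/fragment
    and trailing slash/punctuation, so variants of one profile compare equal."""
    parts = urlsplit(url.rstrip(".,;)"))
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return urlunsplit(("https", host, parts.path.rstrip("/"), "", ""))


def parse_records(jsonl_text):
    """Parse JSON Lines, skipping blank or malformed lines instead of aborting
    (leaked dumps are rarely clean end to end)."""
    records = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("text"), str):
            records.append(rec)
    return records


def unique_company_profiles(records):
    """Return the sorted set of distinct canonical ZoomInfo company profiles."""
    seen = set()
    for rec in records:
        for match in ZOOMINFO_RE.findall(rec["text"]):
            seen.add(normalize_url(match))
    return sorted(seen)


def vendor_mentions(records):
    """Count messages mentioning each vendor (at most one count per message per vendor)."""
    counts = Counter()
    for rec in records:
        low = rec["text"].lower()
        for vendor in VENDORS:
            if vendor in low:
                counts[vendor] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_JSONL)
    print(f"{len(recs)} messages parsed")
    profiles = unique_company_profiles(recs)
    print(f"{len(profiles)} unique ZoomInfo company profiles:")
    for p in profiles:
        print("  ", p)
    print("vendor mentions:", vendor_mentions(recs))
```

Deduplicating on the canonical form matters: without it, the first two sample messages would be counted as two targets rather than one, and a headline number like “380 unique links” would be inflated by every re-pasted link. The vendor tally counts messages, not occurrences, so a single message that names a vendor three times does not skew the ranking.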
Geopolitical Pressure and Future Outlook
Despite Russia historically serving as a safe haven for cybercriminals, the chat logs indicate that Black Basta members were increasingly anxious about law enforcement pressure. Following their high-profile attack on the U.S. healthcare organization Ascension, members expressed concern that the FBI and CISA would take a “tough stance” on the group, forcing them to navigate shifting geopolitical risks.
As of the latest reports, Black Basta’s dark web leak site—the portal used to extort victims—has remained offline, signaling a period of significant instability for one of the world’s most dangerous ransomware operations. For further context on the group’s past activities, see Prodaft’s published research.
