Black Basta Ransomware Data Leak Exposes Internal Communications and Targets

The Black Basta ransomware gang's internal chat logs leaked, exposing victims, tactics, and key members. The data leak reveals internal conflicts and potential Russian bank targeting.

    A data leak has exposed the inner workings of the Black Basta ransomware operation. An unknown entity, going by the name ExploitWhispers, released what they claim are internal Matrix chat logs from the Black Basta ransomware gang. These logs were initially shared on MEGA and then moved to a Telegram channel from September 18, 2023 to September 28, 2024.

    Details Leaked in the Black Basta Data Leak

    The leaked chat logs contain a wealth of sensitive information. This includes:

    • Phishing templates and emails.
    • Cryptocurrency addresses used for ransom payments.
    • Data drops (locations where stolen data is stored).
    • Victims’ credentials.
    • Confirmation of previously reported tactics.
    • 367 unique ZoomInfo links. Ransomware gangs frequently use ZoomInfo to research potential victims.

    Impact of the Black Basta Ransomware Data Leak

    The leak provides significant insight into Black Basta’s operations. Cyber threat intelligence company PRODAFT suggests the leak may be a direct result of the gang’s alleged attacks on Russian banks.

    PRODAFT stated: “As part of our continuous monitoring, we’ve observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.”

    The timing of the leak, on February 11, 2025, further supports this theory.

    Key Figures in the Black Basta Ransomware Operation

    ExploitWhispers also revealed information about several key members of the Black Basta gang:

    • Lapa: An administrator.
    • Cortes: A threat actor linked to the Qakbot group.
    • YY: The main administrator.
    • Trump (aka GG and AA): Believed to be Oleg Nefedovaka, the group’s boss.

    Black Basta’s Activities and Victims

    The Black Basta Ransomware-as-a-Service (RaaS) operation emerged in April 2022. It has targeted numerous high-profile victims all over the world, including:

    • Rheinmetall (German defense contractor)
    • Hyundai’s European division
    • BT Group (formerly British Telecom)
    • Ascension (U.S. healthcare giant)
    • ABB (government contractor)
    • American Dental Association
    • Capita (U.K. tech outsourcing firm)
    • Toronto Public Library
    • Yellow Pages Canada

    CISA and the FBI reported that Black Basta affiliates breached over 500 organizations between April 2022 and May 2024. Research from Corvus Insurance and Elliptic estimates that the gang raked in approximately $100 million in ransom payments from over 90 victims until November 2023.

    This data leak has parallels with previous incidents, for example the Conti ransomware leak in February 2022, in which over 170,000 internal chat conversations and source code were released.
