A leaker known as ExploitWhispers has exposed the Black Basta ransomware gang’s chat logs on the popular MEGA file-sharing platform and on a dedicated Telegram channel.
This is hardly the first time an insider with access has exposed a ransomware group’s internal communications. In February 2022, an insider leaked 60,000 messages belonging to the Conti ransomware group after it declared support for Russia during the invasion of Ukraine.
While domestic attacks likely contributed to the leak, the cybercrime gang also grappled with internal wrangles, with some operators receiving ransom without providing decryption keys.
Disgruntled member leaked Black Basta ransomware gang’s chat logs
While the leaker did not explain why they leaked the Black Basta ransomware gang’s chat logs, threat intelligence firm PRODAFT suggested it was due to the cybercrime gang’s targeting of Russian banks.
“On February 11, 2025, a major leak exposed BLACKBASTA’s internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks,” noted PRODAFT.
The leaked chat logs span nearly a year between September 18, 2023, and September 28, 2024. They include phishing templates, ransom emails, victims’ credentials, cryptocurrency addresses, confirmation methods, data files, and ZoomInfo links used to identify companies.
The chat logs also exposed information about the group’s members, including Lapa (admin), Cortes, YY (main admin), and the ransomware gang’s leader, Oleg Nefedovaka, also known as Trump, GG, or AA. Lapa was underpaid and degraded by his boss, while YY was well paid and enabled by Lapa to attack Russian banks.
The chats also revealed that the group charged about $1 million annually for its loader, recruited a 17-year-old affiliate, made ransom demands that ran into tens of millions, and was less effective than other ransomware gangs. The ransomware gang also adopted Scattered Spider’s social engineering tactics and maintained a highly curated list of potential victims.
While the leak was likely motivated by the Russian ransomware gang’s domestic attacks, internal wrangles also likely played a role.
For example, the leaker characterized the group leader Nefedovaka as using the ransomware gang for their personal financial gain at the expense of other group members’ interests.
Another group member, “Tramp,” also known as Larva-18, was accused of instigating internal conflicts and scamming victims by collecting ransom without providing decryption keys, potentially undermining the gang’s reputation. Tramp previously worked with Conti, which suffered a similar leak.
Subsequently, some members migrated to other cybercrime gangs such as Cactus and Akira, resulting in Black Basta’s decline, with the last ransomware attack recorded late last year.
Meanwhile, Russian law enforcement has not responded to news of the group targeting the country’s banking infrastructure.
However, it has usually ignored cyber gangs operating from the country and wreaking havoc across the world, despite international calls to rein them in. This will likely change now that the group has started targeting Russian banks.
Black Basta ransomware gang active since 2022
First detected in April 2022, the Black Basta ransomware gang filled the void left by the now-defunct Conti ransomware group, victimizing over 500 organizations worldwide by May 2024, according to a CISA advisory.
Its notable victims include U.S. healthcare giant Ascension, Hyundai’s European division, BT Group (British Telecom), German defense contractor Rheinmetall, the American Dental Association, automation company ABB, Yellow Pages Canada, British outsourcing firm Capita, and Knauf.
Between its launch and November 2023, Black Basta collected over $100 million in ransom payments from 90 victims, according to British blockchain analytics firm Elliptic.

