Black Basta is latest ransomware group to be hit by leak of chat logs

The Black Basta ransomware group has become the latest criminal enterprise to be hit by a release of internal chat logs, potentially revealing identifying details about the individuals behind the scheme and their operations.

Unlike previous ransomware chat leaks — with Conti being first exposed by a Ukrainian affiliate upset at the Russian invasion of their country, and then another who complained about how much money they were making — this incident was purportedly inspired by Black Basta targeting “domestic banks” in Russia.

The gang had been under the spotlight following a series of high-profile extortion incidents since it launched in 2022, including an attack on the Catholic healthcare giant Ascension Health in the United States, and against the British government outsourcer Capita.

Their Russian-language chat messages — just under 200,000 shared on the messaging platform Matrix between September 2023 and September 2024 — were initially leaked last week by an individual using the handle ExploitWhispers.

The files do not contain any information about who captured the messages, and it is not clear whether the individual who shared them was associated with the ransomware scheme, is an independent researcher, or if the leak is part of a covert law enforcement disruption operation.

Read more: UK government urged to get on ‘forward foot’ with ransomware instead of ‘absorbing the punches’

Several of the crew behind the Black Basta scheme were part of a criminal network that had formerly operated the Conti and Ryuk ransomware brands, as well as the TrickBot banking trojan. More than a dozen of these individuals have been named and sanctioned by Western law enforcement, which is understood to have continued to monitor their activities.

PRODRAFT, a Switzerland-based cybersecurity company, said Black Basta “has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.”

The chat logs provide visibility into the ransomware group’s operations, including the roles different individuals play in terms of tasking, testing and debugging technical issues. The logs also contain credentials, alongside evidence of attempts to sell hacking tools such as a modified version of Cobalt Strike.

In some areas the chat users are told not to attack companies that have larger revenues, or companies that have recently suffered large financial losses, although the reason for avoiding the larger companies is not given. A script shared in the chat includes a “whitelist” mechanism that would prevent the targeting of specific victims.

The messages also show the gang’s leaders directing subordinates to not “take” certain targets that may have already been compromised — particularly one in the United Kingdom and one in the Netherlands — although the reason given wasn’t immediately apparent. Recorded Future News has contacted the companies identified for more information about these alleged security breaches.

Researchers are continuing to examine the logs and share their findings, with Hudson Rock providing an LLM to query the material.