Black Basta is latest ransomware group to be hit by leak of chat logs


The Black Basta ransomware group has become the latest criminal enterprise to be hit by a release of internal chat logs, potentially revealing identifying details about the individuals behind the scheme and their operations.

Unlike previous ransomware chat leaks — Conti was first exposed by a Ukrainian affiliate angered by the Russian invasion of their country, and later by another insider who complained about how little money they were being paid — this incident was purportedly inspired by Black Basta targeting “domestic banks” in Russia.

The gang had been under the spotlight following a series of high-profile extortion incidents since it launched in 2022, including an attack on the Catholic healthcare giant Ascension Health in the United States, and against the British government outsourcer Capita.

Their Russian-language chat messages — just under 200,000 shared on the messaging platform Matrix between September 2023 and September 2024 — were initially leaked last week by an individual using the handle ExploitWhispers.

The files do not contain any information about who captured the messages, and it is not clear whether the individual who shared them was associated with the ransomware scheme, is an independent researcher, or if the leak is part of a covert law enforcement disruption operation.


Several of the crew behind the Black Basta scheme were part of a criminal network that had formerly operated the Conti and Ryuk ransomware brands, as well as the TrickBot banking trojan. More than a dozen of these individuals have been named and sanctioned by Western law enforcement, which is understood to have continued to monitor their activities.

PRODAFT, a Switzerland-based cybersecurity company, said Black Basta “has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.”

The chat logs provide visibility into the ransomware group’s operations, including the roles different individuals play in terms of tasking, testing and debugging technical issues. The logs also contain credentials, alongside evidence of attempts to sell hacking tools such as a modified version of Cobalt Strike.

In some of the messages, chat users are told not to attack companies with larger revenues, or companies that have recently suffered large financial losses, although no reason is given for avoiding the larger companies. A script shared in the chat includes a “whitelist” mechanism that would prevent specific victims from being targeted.

The messages also show the gang’s leaders directing subordinates to not “take” certain targets that may have already been compromised — particularly one in the United Kingdom and one in the Netherlands — although the reason given wasn’t immediately apparent. Recorded Future News has contacted the companies identified for more information about these alleged security breaches.

Researchers are continuing to examine the logs and share their findings, with Hudson Rock providing an LLM to query the material.


Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.
