Introduction
A recent leak of more than a year's worth of internal chat logs from the notorious ransomware gang, Black Basta, has provided unprecedented insights into their tactics, internal conflicts, and evolving strategies. This data, originally leaked on February 11, 2025, by an anonymous individual known as ExploitWhispers, reveals extensive details about the group’s operations, financial activities, and vulnerabilities they exploit. The disclosure has shed light on the inner workings of this cybercriminal enterprise and its broader implications for global cybersecurity.
The Black Basta Leak: Origins and Motives
The leaked conversations, conducted in Russian on the Matrix messaging platform, span from September 18, 2023, to September 28, 2024. ExploitWhispers claimed responsibility for the leak, alleging that Black Basta had targeted Russian banks, prompting their decision to expose the group. The leaker’s true identity remains unknown, but the revelations have sparked significant interest among cybersecurity professionals and law enforcement agencies.
Black Basta’s Evolution and Operational Impact
Black Basta first emerged in April 2022, utilizing the now-defunct QakBot (QBot) malware as a primary delivery mechanism. A 2024 advisory by the U.S. government estimated that the ransomware group had attacked over 500 organizations across North America, Europe, and Australia. According to Elliptic and Corvus Insurance, Black Basta amassed at least $107 million in Bitcoin ransom payments from more than 90 victims by the end of 2023.
Swiss cybersecurity firm PRODAFT reported that the group, also tracked under the alias Vengeful Mantis, had become largely inactive in early 2025 due to internal discord. Some members allegedly scammed victims by accepting ransom payments without providing decryption tools, leading to further instability.
Internal Conflicts and Splinter Groups
The leaked logs reveal significant internal disputes, particularly surrounding a key figure known as Tramp (LARVA-18), an operator responsible for managing a QBot spamming network. PRODAFT identified Tramp’s actions as a primary cause of instability within Black Basta. Some members reportedly defected to rival ransomware operations, including CACTUS (Nurturing Mantis) and Akira.
Key revelations from the chat logs include:
Lapa, a central administrator managing Black Basta’s operational tasks.
Cortes, a QakBot affiliate who distanced themselves after Black Basta targeted Russian financial institutions.
YY, another administrator handling support functions.
Tramp (alias of Oleg Nefedov), a top leader also known as GG and AA.
A 17-year-old affiliate actively involved in Black Basta’s operations.
A shift toward social engineering tactics inspired by the success of the Scattered Spider threat group.
Attack Methods and Exploited Vulnerabilities
The leaked conversations provide extensive insights into Black Basta’s attack methodologies. According to Qualys, the group exploits known vulnerabilities, misconfigurations, and inadequate security controls to gain initial access to target networks. Frequently used techniques include:
Exploiting SMB misconfigurations, exposed RDP servers, and weak authentication mechanisms.
Brute-forcing VPN credentials or using default login details.
Deploying malware droppers to deliver malicious payloads.
Leveraging legitimate file-sharing services such as transfer.sh, temp.sh, and send.vis.ee to evade detection.
Black Basta has been observed escalating attacks quickly, moving from initial access to full network compromise within hours, sometimes minutes. This rapid execution highlights the increasing efficiency of modern ransomware groups.
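The initial-access techniques listed above (VPN credential brute-forcing and uploads to transfer.sh, temp.sh and send.vis.ee) are both visible in ordinary VPN and proxy logs. The following Python script is an added example written for this article, not code from Qualys or from the original page: it runs two simple detections over constructed sample log lines. The log formats, field names, the 5-failures-in-60-seconds threshold and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines (hypothetical format, not from the article).
VPN_AUTH_LOG = """\
2024-09-20T08:00:01Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-09-20T08:00:03Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-09-20T08:00:04Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-09-20T08:00:06Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-09-20T08:00:07Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=FAIL
2024-09-20T08:00:09Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=OK
2024-09-20T08:15:00Z vpn-gw01 auth user=mlee src=198.51.100.7 result=FAIL
2024-09-20T08:15:30Z vpn-gw01 auth user=mlee src=198.51.100.7 result=OK
"""

# Constructed web proxy log lines: timestamp, client, method, host, path, status.
PROXY_LOG = """\
2024-09-20T09:01:10Z 10.0.5.23 GET www.example.com /index.html 200
2024-09-20T09:02:44Z 10.0.5.23 PUT transfer.sh /finance-q3.7z 200
2024-09-20T09:03:01Z 10.0.5.23 POST send.vis.ee /api/ws 200
2024-09-20T09:05:12Z 10.0.7.8 GET cdn.example.net /lib.js 200
2024-09-20T09:06:40Z 10.0.9.14 GET upload.temp.sh /abc123 200
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$")

# File-sharing services named in the article; matched as the exact host or any subdomain.
FILE_SHARING_DOMAINS = ("transfer.sh", "temp.sh", "send.vis.ee")
UPLOAD_METHODS = {"PUT", "POST"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_vpn_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """One alert per source IP that produced >= threshold failures inside `window`.
    The alert records whether a success followed the burst from the same source:
    a brute force that worked is the case to escalate first."""
    failures = defaultdict(list)   # src -> timestamps of FAIL
    successes = defaultdict(list)  # src -> (timestamp, user) of OK
    for line in log_text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the format instead of crashing
        ts = parse_ts(m["ts"])
        if m["result"] == "FAIL":
            failures[m["src"]].append(ts)
        elif m["result"] == "OK":
            successes[m["src"]].append((ts, m["user"]))
    alerts = []
    for src, times in failures.items():
        times.sort()
        # Sliding window: the first run of `threshold` failures that fits in `window` fires.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                later_ok = [u for t, u in successes.get(src, []) if t >= burst_end]
                alerts.append({"src": src, "failures": len(times),
                               "success_after_burst": later_ok[0] if later_ok else None})
                break
    return alerts


def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def detect_file_sharing_egress(log_text):
    """Every request to a listed file-sharing service, with uploads (PUT/POST) flagged
    because those are the likely data-staging or exfiltration events."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        if any(host_matches(host, d) for d in FILE_SHARING_DOMAINS):
            hits.append({"client": m["client"], "host": host, "method": m["method"],
                         "upload": m["method"] in UPLOAD_METHODS})
    return hits


if __name__ == "__main__":
    for a in detect_vpn_bruteforce(VPN_AUTH_LOG):
        print("VPN brute force:", a)
    for h in detect_file_sharing_egress(PROXY_LOG):
        print("File-sharing egress:", h)
```

The subdomain-aware `host_matches` matters in practice: a plain substring test would miss `upload.temp.sh` or, worse, match unrelated hosts that merely contain the string. Blocking these domains at the proxy is the cheap mitigation; the detection is still worth keeping because the same pattern (an upload to a throwaway sharing service from a workstation) applies to whichever service a group switches to next.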
Broader Cybersecurity Landscape and Related Threats
The Black Basta leak coincides with renewed activity from other major ransomware groups. Check Point’s Cyberint Research Team recently reported that the Cl0p ransomware gang resumed operations, exploiting a newly disclosed vulnerability (CVE-2024-50623) in Cleo’s managed file transfer software. Cl0p has been contacting victims directly, warning that failure to negotiate will result in full disclosure of their names and compromised data within 48 hours.
Similarly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding a series of ransomware attacks linked to Ghost, an actor targeting organizations across 70 countries. The Ghost group, believed to operate out of China, exploits outdated software vulnerabilities to compromise critical infrastructure, government networks, and private businesses.
Notably, Ghost actors employ tools such as Mimikatz for credential harvesting and BadPotato for privilege escalation. Once inside a network, they deploy Cobalt Strike beacons to facilitate lateral movement, often using Windows Management Instrumentation Command-Line (WMIC) to spread their attacks.
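WMIC-based lateral movement leaves a paired signature: on the source host, `wmic.exe` invoked with `/node:` and `process call create`, and on the target, a shell spawned as a child of `WmiPrvSE.exe` (the WMI provider host). The Python script below is an added example for this section, not code from CISA or from the original page: it classifies constructed Sysmon-style process-creation events and correlates the two sides within a time window. The event field names, the five-minute window and the sample hostnames are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like shape (hypothetical sample data,
# not from the article). Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-09-21T10:02:11Z", "host": "WS-042", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wmic /node:"FS-01" /user:CORP\svc_backup process call create "cmd.exe /c C:\Users\Public\update.bat"'},
    {"ts": "2024-09-21T10:02:12Z", "host": "FS-01", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c C:\Users\Public\update.bat"},
    {"ts": "2024-09-21T10:03:00Z", "host": "WS-042", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wmic os get caption"},          # local inventory query, benign
    {"ts": "2024-09-21T10:10:45Z", "host": "WS-017", "user": r"CORP\itadmin",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "wmic /node:PRINT-02 printer list brief"},  # remote query, no exec
]

# Interpreters commonly seen as the child when WMI is used to run a command remotely.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                  "regsvr32.exe", "mshta.exe"}
NODE_RE = re.compile(r'/node:"?([^"\s,]+)"?', re.IGNORECASE)
CREATE_RE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return a finding dict for a suspicious event, or None for everything else."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    if image == "wmic.exe":
        node = NODE_RE.search(cmd)
        if node:  # /node: means the command is aimed at another machine
            target = node.group(1).upper()
            if CREATE_RE.search(cmd):
                return {"kind": "wmic_remote_exec", "severity": "high",
                        "host": event["host"].upper(), "target": target}
            return {"kind": "wmic_remote_query", "severity": "medium",
                    "host": event["host"].upper(), "target": target}
    if parent == "wmiprvse.exe" and image in SHELL_CHILDREN:
        # A shell under the WMI provider host is the target-side trace of remote execution.
        return {"kind": "wmi_spawned_shell", "severity": "high",
                "host": event["host"].upper(), "target": event["host"].upper()}
    return None


def detect(events, window=timedelta(minutes=5)):
    """Classify every event, then pair each remote 'process call create' from host A
    naming node B with a WmiPrvSE-spawned shell on B inside `window`."""
    findings = []
    for e in events:
        f = classify(e)
        if f:
            f["ts"] = parse_ts(e["ts"])
            findings.append(f)
    lateral = []
    for src in (f for f in findings if f["kind"] == "wmic_remote_exec"):
        for dst in (f for f in findings if f["kind"] == "wmi_spawned_shell"):
            delay = dst["ts"] - src["ts"]
            if dst["host"] == src["target"] and timedelta(0) <= delay <= window:
                lateral.append({"source": src["host"], "target": dst["host"],
                                "delay_s": delay.total_seconds()})
    return findings, lateral


if __name__ == "__main__":
    findings, lateral = detect(EVENTS)
    for f in findings:
        print(f["severity"], f["kind"], f["host"], "->", f["target"])
    for pair in lateral:
        print("lateral movement:", pair)
```

Either half of the rule is useful on its own, but the correlated pair is what separates a noisy administrator from a real hop between machines, and it survives the attacker renaming the script or replacing WMIC with another WMI client on the source side, since the target-side `WmiPrvSE.exe` parent is produced by the WMI service itself.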
List of Actively Exploited Vulnerabilities
Cybersecurity firm VulnCheck analyzed the leaked Black Basta chat logs and identified 62 unique vulnerabilities (CVEs) referenced in their discussions, 53 of which are known to be actively exploited in the wild. According to GreyNoise, at least 23 of these vulnerabilities have seen active exploitation within the past 24 hours. The most critical include:
CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon)
CVE-2021-44228 – Apache Log4j RCE (Log4Shell)
CVE-2022-30525 – Zyxel Firewall OS Command Injection
CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution
CVE-2023-4966 – Citrix NetScaler ADC Buffer Overflow (Citrix Bleed)
CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation
CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass
CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection
CVE-2024-27198 – JetBrains TeamCity Authentication Bypass
Security experts stress the importance of timely patching to mitigate the risks associated with these vulnerabilities.
Conclusion
The leak of Black Basta’s internal communications offers a rare glimpse into the inner workings of a high-profile ransomware gang. The revelations not only expose operational tactics and internal conflicts but also underscore the evolving nature of cyber threats. As ransomware groups adapt and reorganize, cybersecurity professionals and organizations must remain vigilant, prioritizing robust security measures, timely software updates, and proactive threat intelligence. The incident serves as a stark reminder of the persistent and growing dangers posed by ransomware actors in the digital age.