Unveiling the Secrets: Leaked Black Basta Chat Logs Reveal Key Members and Victims of the Notorious Ransomware Gang

Recently, a substantial collection of chat logs from the Black Basta ransomware group has emerged online, revealing critical information about this notorious Russia-linked cybercriminal organization. These leaked messages provide an unprecedented look into the inner workings of the group, which has been involved in numerous attacks on global businesses and critical infrastructure.

Details of the Black Basta Chat Logs Leak

The chat logs, comprising over 200,000 messages from September 18, 2023, to September 28, 2024, were shared with Prodaft, a threat intelligence firm. The leak is reportedly tied to internal disputes within the Black Basta group, where members failed to deliver functional decryption tools to victims despite receiving ransom payments.

Identity of the Leaker

The identity of the leaker, known by the alias ExploitWhispers on Telegram, remains uncertain. It is unclear whether they were affiliated with the Black Basta gang.

Background on Black Basta Ransomware Group

Black Basta is a prominent Russian-language ransomware gang linked to numerous cyberattacks against critical infrastructure and large corporations. Notable victims include:

  • Ascension (U.S. healthcare organization)
  • Southern Water (U.K. utility company)
  • Capita (British outsourcing giant)

According to Prodaft, the leaker expressed outrage over the group’s decision to target Russian domestic banks, stating, “The hackers crossed the line.”

Key Members of Black Basta

The leaked logs reveal the identities of key members within the gang, including:

  • YY: The main administrator
  • Lapa: Another key leader
  • Cortes: Linked to the Qakbot botnet
  • Trump: Allegedly Oleg Nefedovaka, the group’s primary leader

Insights from the Leaked Messages

The chat logs document the group's day-to-day operations, including:

  • 380 unique links to company profiles on Zoominfo, indicating companies the group was researching as potential targets
  • Phishing templates and exploits the group used
  • Cryptocurrency addresses tied to ransom payments
  • Details of ransom negotiations with victims

Newly Identified Targets

Among the previously unknown targets mentioned in the chats are:

  • Fisker (failed U.S. automotive company)
  • Cerner Corp (healthtech provider, now owned by Oracle)
  • Hotelplan (U.K.-based travel firm)

It remains unclear whether these companies were breached, and inquiries have gone unanswered.

Exploitation Techniques Discussed

The messages also highlight the gang’s strategies for exploiting security vulnerabilities in enterprise network devices. Notably, they discussed:

  • Exploiting vulnerabilities in Citrix remote access products
  • Attacking Ivanti, Palo Alto Networks, and Fortinet software
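Two of the findings above, the Zoominfo links and cryptocurrency addresses in the messages and the vendor products discussed as exploitation targets, are the kind of indicators an analyst would pull out of a dump like this before reading it end to end. The script below is an added example written for this page; it is not code from the original article, from Prodaft, or from the leak itself. It assumes a JSON-lines export with `ts`, `sender` and `text` fields (the page does not describe the real file format), the six sample messages are constructed, and the address regexes are shape checks only, so real hits should be checksum-validated before being treated as wallet indicators.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export (NOT the real leak). The field names "ts",
# "sender" and "text", and every message below, are assumptions made for
# this example; the page does not describe the leak's file format.
SAMPLE_EXPORT = """
{"ts": "2024-01-10T09:12:00", "sender": "user1", "text": "look https://www.zoominfo.com/c/example-corp/11111111 then https://www.zoominfo.com/c/example-corp/11111111 again"}
{"ts": "2024-01-10T09:15:00", "sender": "user2", "text": "second one https://www.zoominfo.com/c/sample-industries/22222222, revenue fits"}
{"ts": "2024-02-02T17:40:00", "sender": "user1", "text": "wallet for this one bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq or 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"}
{"ts": "2024-03-05T11:03:00", "sender": "user2", "text": "their Citrix NetScaler is still exposed on the edge"}
{"ts": "2024-03-05T11:09:00", "sender": "user1", "text": "FortiGate and PAN-OS boxes too, check Ivanti later"}
{"ts": "2024-03-06T08:00:00", "sender": "user2", "text": "ignore https://notzoominfo.com/c/decoy and https://example.com/zoominfo.com/page"}
"""

# Bitcoin address shapes: bech32 (bc1...) and legacy base58 (1... / 3...).
# Shape match only; checksum-validate hits before treating them as IOCs.
BTC_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Vendors from the page's exploitation list; the product aliases are an
# assumption so that a mention of "NetScaler" still counts as Citrix.
VENDOR_TERMS = {
    "citrix": ("citrix", "netscaler"),
    "ivanti": ("ivanti", "pulse secure"),
    "palo alto networks": ("palo alto", "pan-os", "globalprotect"),
    "fortinet": ("fortinet", "fortigate", "fortios"),
}


def load_messages(raw):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_zoominfo(url):
    """True only for zoominfo.com and its subdomains (not look-alike hosts
    or zoominfo.com appearing in another site's path)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "zoominfo.com" or host.endswith(".zoominfo.com")


def extract_iocs(messages):
    """Collect unique Zoominfo profile links, address-shaped strings and a
    per-message tally of vendor product mentions."""
    zoominfo_links, btc_addresses, vendor_mentions = set(), set(), Counter()
    for msg in messages:
        text = msg.get("text", "")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")  # drop trailing punctuation from chat text
            if is_zoominfo(url):
                zoominfo_links.add(url)
        btc_addresses.update(BTC_RE.findall(text))
        lowered = text.lower()
        for vendor, terms in VENDOR_TERMS.items():
            if any(term in lowered for term in terms):
                vendor_mentions[vendor] += 1  # one count per message, not per term
    return {
        "zoominfo_links": sorted(zoominfo_links),
        "btc_addresses": sorted(btc_addresses),
        "vendor_mentions": dict(vendor_mentions),
    }


def summarize(raw):
    """Convenience wrapper: raw JSON-lines text in, IOC report out."""
    return extract_iocs(load_messages(raw))


if __name__ == "__main__":
    report = summarize(SAMPLE_EXPORT)
    print(f"{len(report['zoominfo_links'])} unique Zoominfo links")
    print(f"{len(report['btc_addresses'])} address-shaped strings")
    for vendor, count in sorted(report["vendor_mentions"].items()):
        print(f"{vendor}: mentioned in {count} message(s)")
```

Deduplicating on the full URL rather than the company name is deliberate: two differently-formatted links to the same profile stay separate until an analyst resolves them, which is the same "unique links" figure the page reports rather than a count of companies. The vendor tally counts messages, not occurrences, so one long message about a single appliance does not dominate the ranking.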

Concerns Over Investigations

Some members of Black Basta expressed worries about potential investigations by Russian authorities amid rising geopolitical tensions. Messages also show apprehension about heightened U.S. government scrutiny, including warnings that the FBI and CISA had become involved after the breach of Ascension's systems.

Current Status of Black Basta’s Operations

At the time of publication, Black Basta’s dark web site, which they use for extorting victims, was reported to be offline. For further details on ransomware trends and cybersecurity, visit Cybersecurity.gov.
