CISO Blog
Season 2 Episode 5 of The Troublemaker CISO: Black Basta Unmasked – A Chat Log Reveal
Buckle up, folks! The notorious Black Basta ransomware gang just took a major hit as their internal chat logs got spilled online. This isn’t just your average leak—it’s a treasure trove revealing their dark secrets, shady tactics, and the infighting simmering among the ranks. Want to know how they operate, who’s running the show, and how you can fortify your defenses against these digital pirates? Dive into the chaos of Black Basta with us and discover how even the murkiest corners of cybercrime can get shed light on!
Hold onto your hats, folks, because in a twist likely to make even the most seasoned hackers cringe, the infamous Black Basta ransomware gang just got hit with a dose of exposure. In February 2025, their internal chat logs spilled onto the internet, lifting the veil on their clandestine operations and potentially outing some key players behind the digital mayhem.
Who is Black Basta?
If you want the full backstory check out our deep dive into Black Basta, available here
Here is the short version: Emerging in April 2022, Black Basta quickly burst onto the scene as a formidable Ransomware-as-a-Service (RaaS) operation. By targeting sectors ranging from healthcare to entertainment, this gang’s reputation precedes them—over 500 organizations globally can attest to their wrath. Their calling card? The notorious double extortion play: encrypt the system and filch sensitive data, then demand a ransom with the threat of public leaks if unpaid.
Word on the street suggests Black Basta might be the unholy offspring of the now-defunct Conti ransomware and FIN7 threat actor groups. Whether a fusion or a reincarnation, they’re built on a foundation of bad intentions and digital crime prowess.
Digging Into Their Methods
With a toolbox full of advanced techniques, Black Basta crafts their attack strategy like a maestro:
– Starting Point: They breach defenses with spear-phishing, insider help, or buying network access. Recently, they even resorted to misusing Microsoft Teams, impersonating IT help desks to trick employees into opening their networks wide open.
– Onward and Upward: Once inside, they move laterally, scooping up credentials with tools like QakBot and Mimikatz. Vulnerabilities like ZeroLogon and PrintNightmare? They exploit those like kids in a candy store.
– Keeping Tabs: Using Cobalt Strike Beacons and SystemBC, they maintain a firm grip on compromised systems.
– The Double Hit: Before encrypting files and appending their signature “.basta” extension, they disable security measures and exfiltrate data with tools such as Rclone and WinSCP, leaving a ransom note as the cherry on top.
The Chat Log Leak Bombshell
Enter the catalyst for chaos: a character named ExploitWhispers unleashed reams of the gang’s internal chat messages via the Matrix platform, covering conversations from September 2023 to September 2024. The logs unveil more than just tactical playbooks—they expose friction and deceit within Black Basta’s ranks.
PRODAFT, keen-eyed cyber defenders, suggest this leak might stem from discord following alleged attacks on Russian banks—a tale not too dissimilar from the notorious Conti leaks. Leaked messages hint at some operators double-crossing victims by taking ransom without decryptors. Some top dogs ditched for rival groups while the rest grappled with the realization that Black Basta’s punch was getting weaker.
And guess what? Names emerged in the chats:
– Lapa: An admin.
– Cortes: Linked to QakBot.
– YY: The prime administrator.
– Trump (aka GG and AA): Allegedly Oleg Nefedov, the head honcho.
Security researchers are scrutinizing the logs, eager to piece together the digital puzzle, with Hudson Rock even rolling out an LLM to delve deeper.
Ladies and gents, as we peer through this unexpected window into the underworld, remember: even the darkest recesses of the internet can be dragged into the light. Keep eyes peeled, ears to the ground, and let’s keep giving troublemakers like Black Basta a run for their crypto.