A massive leak of internal chat logs from the notorious ransomware gang, Black Basta, has been made public, offering an unprecedented glimpse into the group’s inner workings and tactics. The leak, which comprises over a year’s worth of conversations, was published online and provides valuable insights into the gang’s strategies and internal conflicts.
The leaked chats, which took place between September 18, 2023, and September 28, 2024, on the Matrix messaging platform, were initially released by an individual known as ExploitWhispers on February 11, 2025. The leaker claimed to have released the data because the group was targeting Russian banks, but their identity remains unknown.
Black Basta first gained notoriety in April 2022, using QakBot (also known as QBot) as a delivery vehicle. According to a U.S. government advisory published in May 2024, the double-extortion crew is estimated to have targeted over 500 private industry and critical infrastructure entities in North America, Europe, and Australia.
Research by Elliptic and Corvus Insurance suggests that the prolific ransomware group netted at least $107 million in Bitcoin ransom payments from over 90 victims by the end of 2023.
Swiss cybersecurity company PRODAFT notes that the financially motivated threat actor, also tracked as Vengeful Mantis, has been “mostly inactive since the start of the year” due to internal strife, with some operators scamming victims by collecting ransom payments without providing a working decryptor.
Key members of the Russia-linked cybercrime syndicate have reportedly jumped ship to the CACTUS (also known as Nurturing Mantis) and Akira ransomware operations.
According to PRODAFT, the internal conflict was driven by ‘Tramp’ (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBot. As a key figure within BLACKBASTA, Tramp’s actions played a major role in the group’s instability.
- Lapa is one of the main administrators of Black Basta and is involved in administrative tasks.
- Cortes is associated with the QakBot group, which has sought to distance itself in the wake of Black Basta’s attacks against Russian banks.
- YY is another administrator of Black Basta who is involved in support tasks.
- Trump is one of the aliases for “the group’s main boss” Oleg Nefedov, who also goes by the names GG and AA.
- Trump and another individual, Bio, worked together in the now-dismantled Conti ransomware scheme.
- One of the Black Basta affiliates is believed to be a minor aged 17 years.
- Black Basta has begun to actively incorporate social engineering into their attacks following the success of Scattered Spider.
Qualys notes that the Black Basta group leverages known vulnerabilities, misconfigurations, and insufficient security controls to obtain initial access to target networks. The discussions show that SMB misconfigurations, exposed RDP servers, and weak authentication mechanisms are routinely exploited, often relying on default VPN credentials or brute-forcing stolen credentials.
[Figure: Top 20 CVEs Actively Exploited by Black Basta]
Another key attack vector entails the deployment of malware droppers to deliver the malicious payloads. In a further attempt to evade detection, the e-crime group has been found to use legitimate file-sharing platforms like transfer.sh, temp.sh, and send.vis.ee for hosting the payloads.
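As an added detection example (not from the article, Qualys, or the leaked material), the following Python flags the two initial-access patterns described above over constructed log lines: bursts of failed RDP logons from one source, and fetches from the file-sharing hosts named in the article. The log formats are simplified and assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# File-sharing hosts the article names as payload-hosting services.
PAYLOAD_HOSTS = {"transfer.sh", "temp.sh", "send.vis.ee"}
# Constructed, simplified Windows Security 4625 (failed logon) records:
# "<time> 4625 <source IP> LogonType=<n> User=<account>"; type 10 = RDP.
AUTH_LOG = """\
2024-05-02T01:00:01 4625 203.0.113.7 LogonType=10 User=admin
2024-05-02T01:00:04 4625 203.0.113.7 LogonType=10 User=administrator
2024-05-02T01:00:09 4625 203.0.113.7 LogonType=10 User=backup
2024-05-02T01:00:15 4625 203.0.113.7 LogonType=10 User=svc_sql
2024-05-02T01:03:00 4625 198.51.100.9 LogonType=10 User=jdoe
2024-05-02T02:30:00 4625 198.51.100.9 LogonType=3 User=jdoe
"""
AUTH_RE = re.compile(r"(\S+) 4625 (\S+) LogonType=(\d+) User=\S+")
# Constructed proxy log: "<time> <client IP> <method> <url> <status>".
PROXY_LOG = """\
2024-05-02T01:20:00 10.0.0.5 GET https://transfer.sh/x7q2/update.exe 200
2024-05-02T01:21:00 10.0.0.8 GET https://example.com/index.html 200
2024-05-02T01:22:00 10.0.0.5 GET https://send.vis.ee/download/9f1a 200
"""

def rdp_bruteforce_sources(log, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with >= threshold RDP (type 10) failures inside a sliding window."""
    failures = defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(3) == "10":  # ignore non-RDP logon types
            failures[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def payload_host_downloads(log):
    """(client IP, URL) pairs for fetches from the named file-sharing hosts."""
    return [(f[1], f[3]) for f in (l.split() for l in log.splitlines())
            if len(f) >= 4 and urlparse(f[3]).hostname in PAYLOAD_HOSTS]
```

Tune the threshold and window to the environment's baseline before alerting on the brute-force rule; a single legitimate user mistyping a password a few times should not trip it.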
“Ransomware groups are no longer taking their time once they breach an organization’s network,” Saeed Abbasi, manager of product at Qualys Threat Research Unit (TRU), said. “Recently leaked data from Black Basta shows they’re moving from initial access to network-wide compromise within hours – sometimes even minutes.”
The disclosure comes as Check Point’s Cyberint Research Team revealed that the Cl0p ransomware group has resumed targeting organizations, listing organizations that were breached on its data leak site following the exploitation of a recently disclosed security flaw (CVE-2024-50623) impacting the Cleo managed file transfer software.
“Cl0p is contacting these companies directly, providing secure chat links for negotiations and email addresses for victims to initiate contact,” the company said in an update posted last week. “The group warned that if the companies continue to ignore them, their full names will be disclosed within 48 hours.”
The development also follows an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a wave of data exfiltration and ransomware attacks orchestrated by the Ghost actors targeting organizations across more than 70 countries, including those in China.
The group has been observed rotating its ransomware executable payloads, switching file extensions for encrypted files, and modifying ransom note text, leading the group to be referred to by other names such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.
“Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware,” the agency said. “Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.”
Ghost is known to use publicly available code to exploit internet-facing systems by employing various vulnerabilities in Adobe ColdFusion (CVE-2009-3960, CVE-2010-2861), Fortinet FortiOS appliances (CVE-2018-13379), and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, aka ProxyShell).
A successful exploitation is followed by the deployment of a web shell, which is then utilized to download and execute the Cobalt Strike framework. The threat actors have also been observed using a wide range of tools like Mimikatz and BadPotato for credential harvesting and privilege escalation, respectively.
“Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on additional systems on the victim network – often for the purpose of initiating additional Cobalt Strike Beacon infections,” CISA said. “In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.”
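As an added example (not from CISA's advisory or the article), the following Python checks constructed Sysmon-style process-creation events for the WMIC-to-PowerShell pattern CISA describes, on both the host issuing the command and the host receiving it; event fields, host names and paths are assumed.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
EVENTS = [
    {"host": "SRV01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wmic /node:SRV02 process call create "powershell.exe -File C:\tmp\run.ps1"'},
    {"host": "SRV02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"powershell.exe -File C:\tmp\run.ps1"},
    {"host": "WS07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe"},
    {"host": "SRV01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "wmic os get caption"},
]

# wmic.exe asked to create a process on another system.
REMOTE_CREATE = re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_wmi_lateral_movement(events):
    """Return (host, rule) findings for WMI-driven remote execution.

    Rule A fires on the source host: wmic.exe with /node:<target> process call create.
    Rule B fires on the target host: a shell whose parent is WmiPrvSE.exe, the WMI
    provider host that services remote process-creation requests.
    """
    findings = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent_image"])
        if image == "wmic.exe" and REMOTE_CREATE.search(e["command_line"]):
            findings.append((e["host"], "A: wmic remote process creation"))
        if image in SHELLS and parent == "wmiprvse.exe":
            findings.append((e["host"], "B: shell spawned by WmiPrvSE.exe"))
    return findings
```

Rule B is the more durable of the two, since the parent-child relationship on the target holds regardless of whether the request came from wmic.exe, PowerShell's WMI cmdlets, or another WMI client.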