
A massive collection of chat logs, allegedly from the Black Basta ransomware group, has been leaked online, revealing key members of the notorious Russia-linked gang.

The leaked chat logs, spanning over 200,000 messages from September 18, 2023, to September 28, 2024, were provided to the threat intelligence firm Prodaft by a leaker. According to Prodaft, the leak occurred amidst internal conflict within the Black Basta group, following instances where members failed to provide functional decryption tools to victims despite receiving ransom payments.

The identity of the leaker, who uses the alias “ExploitWhispers” on Telegram, remains unknown, and it is unclear whether they were a member of the Black Basta gang.

Black Basta is a prolific Russian-language ransomware gang, linked by the U.S. government to numerous attacks on critical infrastructure and global businesses. Notable victims include U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs offer a unique insight into the gang’s operations, including previously unreported targets.

According to a post on X by Prodaft, the leaker stated that the hackers “crossed the line” by targeting Russian domestic banks, prompting their decision to expose the group.

The leaker wrote, “So we are dedicated to uncovering the truth and investigating Black Basta’s next steps.”

Targeted victims, exploits, and a teenage hacker

TechCrunch obtained a copy of the hackers’ chat logs from Prodaft, which contain information about key members of the ransomware gang, including “YY” (the main administrator), “Lapa” (another key leader), “Cortes” (a hacker linked to the Qakbot botnet), and “Trump” (also known as “AA” and “GG”).

The hacker “Trump” is believed to be an alias used by Oleg Nefedovaka, described by Prodaft researchers as the group’s main boss. Nefedovaka has been linked to the now-defunct Conti ransomware group, which shut down after its internal chat logs leaked following the gang’s support for Russia’s invasion of Ukraine in 2022.

The leaked Black Basta chat logs also reveal that one member claims to be 17 years old, as seen by TechCrunch.

The leaked chats contain 380 unique links related to company information hosted on Zoominfo, a data broker that collects and sells access to businesses and their employees. This suggests the gang used the platform to research targeted companies, providing an indication of the number of organizations targeted during the 12-month period.

The chat logs offer unprecedented insights into the group’s operations, including details on victims, phishing templates, exploits used, cryptocurrency addresses associated with ransom payments, and negotiations with hacked organizations.

The chat logs also show the hackers discussing a TechCrunch article about ongoing Qakbot activity, despite an earlier FBI takedown operation aimed at knocking the notorious botnet offline.

TechCrunch found chat logs naming several previously unknown targeted organizations, including the failed U.S. automotive giant Fisker, healthtech provider Cerner Corp (now owned by Oracle), and U.K.-based travel firm Hotelplan. It is unclear whether these companies were breached, and none responded to TechCrunch’s inquiries.

The chat logs appear to show the gang’s efforts to exploit security bugs in enterprise network devices, such as routers and firewalls, to break into company networks.

The hackers boasted about exploiting vulnerabilities in Citrix remote access products to breach at least two company networks. The gang also discussed exploiting vulnerabilities in Ivanti, Palo Alto Networks, and Fortinet software to carry out cyberattacks.

A conversation between Black Basta members suggests that some were concerned about being investigated by Russian authorities due to geopolitical pressures. The group was also worried about actions taken by the U.S. government.

Messages sent after the group’s breach of Ascension’s systems warned that the FBI and CISA are “100% obliged” to get involved, which could lead to the agencies “taking a tough stance on Black Basta.”

At the time of publication, Black Basta’s dark web leak site, used to publicly extort victims into paying ransom demands, was offline.