Hundreds of thousands of internal messages from the Black Basta ransomware gang were leaked by a Telegram user, prompting security researchers to bust out their best Russian translations post haste.
A user going by the name āExploitWhispersā uploaded the chats in the form of a JSON file nearly 50MB in size to Mega, which has since removed the download link.
Alas, the cyber threat intelligence (CTI) community flocked to the rare trove of information to glean any and all insights they could. The problem: Itās all in Russian, so translating every message and turning that into actionable intel will take some time.
The threat intelligence team at PRODAFT said on Thursday that the chats, which were leaked on February 11, followed an internal conflict largely driven by a single figure within the organization.
āAs part of our continuous monitoring, weāve observed that Black Basta (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts,ā it said. āSome of its operators scammed victims by collecting ransom payments without providing functional decryptors.
āThe internal conflict was driven by āTrampā (LARVA-18), a known threat actor who operates a spamming network responsible for distributing Qbot. As a key figure within Black Basta, his actions played a major role in the groupās instability.
āOn February 11, 2025, a major leak exposed Black Basta internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks.ā
A list of highlights from the chats so far, curated from posts made across the CTI community, can be found below:
Ransom demands went deep into the tens of millions, according to one December 2023 ransom note
The group was charging around $1 million for a yearās access to its loader
One affiliate is a child aged 17 years
Black Basta goes to great lengths to procure VPN exploits
It also maintains a spreadsheet of potential victims it wishes to target, which are not selected at random
After seeing Scattered Spiderās success with social engineering, its affiliates adopted similar techniques and used phone calls to make initial contact with company personnel
Key gang members did not trust āMr LockBitā
It was known within the group that its ransomware was less effective than rivals, which drove some affiliates to join Cactus ransomware instead
One PRODAFT CTI analyst also broke down the main figures within the group, claiming a character they named as āTrampā was likely the leader of the gang.
He and Bio used to work together at Conti, which also suffered a similar infamous internal chat leak in 2022, the researchers believe.
Lapa is one of the main administrators of the group, but appears to be paid markedly less than other senior members and is frequently insulted by his boss.
YY is another main admin and makes āa good salary,ā although the chats donāt list specific figures. Under the watch of Lapa and YY, the group attacked Russian banks which is thought to have brought significant heat on the group from domestic law enforcement.
The nicknames were linked to what were described as the crimsā āreal names,ā although weāve no way of knowing whether these are aliases.
Ransomware scum make it personal for Reg readers by impersonating tech support
Microsoft says more ransomware stopped before reaching encryption
Russiaās FIN7 is peddling its EDR-nerfing malware to ransomware gangs
Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware
Cortes is part of the Qakbot operation, which often works alongside Black Basta, but distanced himself from the ransomware crew following the attacks on Russian banks. Itās understandable, given that Russia generally turns a blind eye to cybercrime unless it targets organizations within Putinland.
The leaked messages span September 18, 2023, to September 28, 2024. The Register has not yet reviewed the chats in full, but the date ranges suggest intelligence related to many high-profile attacks could be hiding among them. They include:
The UKās Southern Water
Healthcare company Synlab Italia
US Catholic healthcare network Ascension
Jet engine dealer Willis Lease Finance
Belgian beer slinger Duvel Moortgat
Hyundai Europe
Veolia North America
Government of Chileās customs department
Toronto Public Library
Black Basta was known for targeting critical national infrastructure organizations, so the fact that so many feature in the list, and that researchers confirmed its āhit listā spreadsheet was not an opportunistic one, does not come as a surprise.
And for anyone wanting to scour the records themselves, the folks over at Hudson Rock have been quick to create what theyāre calling BlackBastaGPT ā an interactive ChatGPT-powered tool allowing researchers to uncover details from the chats. Ā®
