Inside Black Basta’s Exposed Internal Chat Logs: A Firsthand Look

Suyesh Prabhugaonkar (susapr)


The original message from ExploitWhispers containing the leaked internal chat logs of the ransomware group Black Basta — PRODAFT

The other day, I got my hands on the leaked internal chat logs of Black Basta, a ransomware group linked to more than $100 million in ransom payments. This isn’t just another data breach; it’s a rare, unfiltered look into the inner workings, conflicts, and strategies of a criminal organization: how the group really operates, the fights its members have, and some of the mistakes they’ve made.

Hi, my name is Suyesh Prabhugaonkar, and I’m a Security Engineer with a specialization in cloud SecOps and a passion for all things cyber-related. Here are some of the most interesting things I’ve found.

1. Internal Disputes & Operational Flaws

Betrayal from Within

  • Multiple entries reveal operators taking ransom payments without providing the promised decryption keys.
  • These actions not only harm the victims but also create deep rifts among team members, weakening overall operational integrity.

Signs of Organizational Strain

  • Constant internal disputes and pressures are evident in the tone of the messages.
  • Administrators report feeling overburdened and undervalued — a sign that financial pressures may be destabilizing the group.

2. Strategic Intelligence Gathering

ZoomInfo Links

  • The logs include 367 unique ZoomInfo links, indicating a large-scale, deliberate effort to collect detailed profiles on potential targets.
  • These links likely represent hundreds of companies under surveillance. A ZoomInfo company profile lists revenue, headcount, and key executives, which is exactly the information an operator needs to size a ransom demand and pick a negotiation contact, so the links show the gang’s capability to plan and execute well-informed attacks.
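The count of “unique ZoomInfo links” above is the kind of number a defender reproduces before trusting it. The following is an added example, not code from the original post or from the leak itself: it assumes the dump is exported as one JSON object per line with `timestamp`, `sender_alias` and `message` fields (the real field names may differ; the sample records below are constructed), normalizes http/https and www variants so one profile is counted once, separates company (`/c/`) from person (`/p/`) profiles, and tallies how many new companies first appear each month.

```python
import json
import re
from collections import Counter

# Constructed sample records (not from the real dump). The export format is an
# assumption: one JSON object per line with "timestamp", "sender_alias" and
# "message"; change MESSAGE_FIELD / TIME_FIELD if the real file differs.
MESSAGE_FIELD = "message"
TIME_FIELD = "timestamp"

SAMPLE_JSONL = """\
{"timestamp": "2023-11-02 10:14:33", "sender_alias": "op1", "message": "target https://www.zoominfo.com/c/acme-corp/123456 revenue ~2b"}
{"timestamp": "2023-11-05 08:02:10", "sender_alias": "op2", "message": "same one http://zoominfo.com/c/acme-corp/123456 ?"}
{"timestamp": "2024-01-10 17:45:00", "sender_alias": "op1", "message": "https://www.zoominfo.com/c/globex-hospital/789012 2k employees"}
{"timestamp": "2024-01-11 09:30:00", "sender_alias": "op3", "message": "their CFO https://www.zoominfo.com/p/Jane-Doe/5551212"}
{"timestamp": "2024-02-01 09:00:00", "sender_alias": "op2", "message": "no link here, just chatter"}
{"timestamp": "2024-02-01 09:01:00", "sender_alias": "op2", "message": "truncated record
{"timestamp": "2024-03-22 14:20:00", "sender_alias": "op1", "message": "https://www.zoominfo.com/c/initech-defense/345678 and again https://www.zoominfo.com/c/acme-corp/123456"}
"""

# /c/ = company profile, /p/ = person profile; the trailing number is ZoomInfo's id
ZOOMINFO_RE = re.compile(
    r"https?://(?:www\.)?zoominfo\.com/([cp])/([A-Za-z0-9._-]+)/(\d+)", re.I
)


def iter_records(jsonl_text):
    """Yield (record, message) pairs, skipping blank or malformed lines."""
    for raw in jsonl_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # leaked dumps are rarely clean; skip rather than abort
        msg = rec.get(MESSAGE_FIELD)
        if isinstance(msg, str):
            yield rec, msg


def extract_zoominfo(jsonl_text):
    """Return (set of unique normalized links, Counter of company-slug mentions)."""
    links = set()
    companies = Counter()
    for _, msg in iter_records(jsonl_text):
        for m in ZOOMINFO_RE.finditer(msg):
            kind, slug, ident = m.group(1).lower(), m.group(2), m.group(3)
            # normalize scheme and host so http/https and www variants count once
            links.add(f"https://www.zoominfo.com/{kind}/{slug}/{ident}")
            if kind == "c":
                companies[slug.lower()] += 1
    return links, companies


def new_companies_per_month(jsonl_text):
    """Count company profiles mentioned for the first time in each YYYY-MM month."""
    seen = set()
    per_month = Counter()
    for rec, msg in iter_records(jsonl_text):
        month = str(rec.get(TIME_FIELD, ""))[:7]
        for m in ZOOMINFO_RE.finditer(msg):
            if m.group(1).lower() != "c":
                continue
            slug = m.group(2).lower()
            if slug not in seen:
                seen.add(slug)
                per_month[month] += 1
    return dict(per_month)


if __name__ == "__main__":
    links, companies = extract_zoominfo(SAMPLE_JSONL)
    print(f"{len(links)} unique ZoomInfo links, {len(companies)} distinct companies")
    for slug, n in companies.most_common():
        print(f"  {slug}: mentioned {n}x")
    print("new companies per month:", new_companies_per_month(SAMPLE_JSONL))
```

On the constructed sample this reports 4 unique links but only 3 distinct companies, because the person profile is excluded and the http/https duplicates of the same company collapse into one. Run the same functions over the real export and compare the link count with the 367 quoted above; the per-month series is what turns the raw count into a targeting timeline.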

Methodical Targeting

  • The consistent use of commercial intelligence tools shows that Black Basta’s operations are not random but are based on deliberate research into each victim’s size and ability to pay.
  • This methodical approach lets the gang select victims in sectors like healthcare, defense, and technology, where downtime is costly and the pressure to pay is high.

3. Exposure of Key Personnel

Lapa

  • His messages indicate heavy workload and low compensation, painting a picture of an overworked administrator facing constant internal criticism.
  • Lapa’s stress and dissatisfaction may be a driving factor behind the leak.

Cortes

  • Associated with the Qakbot group, Cortes appears uncomfortable with certain operations, particularly the attacks on Russian banks.
  • His distancing from these actions suggests a possible ideological split, undermining group cohesion.

YY

  • As the main support administrator, YY is depicted as the steady force behind Black Basta’s operations.
  • His consistent role contrasts with the internal turmoil, showing how vital he is in keeping the group functional.

Trump (GG/AA)

  • Likely representing Oleg Nefedov, the group’s boss, whose leadership is characterized by a focus on personal financial gain.
  • His decisions, which often disregard the welfare of his team, emerge as a critical point of friction within the organization.

4. Additional Technical Insights

Emergence of New Leak Sites

  • New domains such as stuffstevenpeters2 (.) top (registered on February 12, 2024, resolving to 185 (.) 68 (.) 93 (.) 191) and onlylegalstuff3 (.) top (registered on June 17, 2024, resolving to 185 (.) 68 (.) 93 (.) 185) are now active.
  • Both addresses sit in AS56577 (ASRELINK), a Russian network.
  • These details have been used to tie Black Basta’s infrastructure to other known threat actors such as UNC2452, suggesting interconnected networks within cybercrime circles. Overlap at the AS level is weak evidence on its own, since a single hosting provider serves many unrelated customers, so treat it as a pivot point for further research rather than as attribution.
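Indicators published in a defanged form, as above, are only useful once they are refanged and matched carefully: an exact-or-subdomain match on the domain, and a separate, lower-confidence match on the IP, because a shared hosting address also serves unrelated customers and changes over time. The following is an added example, not code from the original post: it takes the two domains and two addresses exactly as written above, refangs them, and scans constructed proxy log lines (a key=value layout I assume for illustration) for hits, while refusing to match a look-alike host that merely starts with the indicator.

```python
import re

# IOCs exactly as defanged in the article above (not invented here)
DEFANGED_DOMAINS = ["stuffstevenpeters2 (.) top", "onlylegalstuff3 (.) top"]
DEFANGED_IPS = ["185 (.) 68 (.) 93 (.) 191", "185 (.) 68 (.) 93 (.) 185"]

# Constructed proxy log lines (not real traffic); the key=value layout is assumed.
SAMPLE_PROXY_LOG = """\
2024-09-01T12:00:01Z client=10.0.0.5 dst=stuffstevenpeters2.top dst_ip=185.68.93.191 method=GET status=200
2024-09-01T12:00:05Z client=10.0.0.7 dst=update.example.org dst_ip=93.184.216.34 method=GET status=200
2024-09-01T12:03:09Z client=10.0.0.5 dst=WWW.ONLYLEGALSTUFF3.TOP dst_ip=185.68.93.185 method=POST status=403
2024-09-01T12:04:10Z client=10.0.0.9 dst=stuffstevenpeters2.top.lookalike.example dst_ip=203.0.113.9 method=GET status=200
2024-09-01T12:05:00Z client=10.0.0.11 dst=cdn.example.net dst_ip=185.68.93.191 method=GET status=200
"""


def refang(value):
    """Undo common defanging: '(.)', '[.]', '{.}' become '.', hxxp(s) becomes http(s)."""
    value = re.sub(r"\s*[(\[{]\s*\.\s*[)\]}]\s*", ".", value)
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return value.lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(ip) for ip in DEFANGED_IPS}

_KV = re.compile(r"(\w+)=(\S+)")


def domain_matches(host, indicator):
    """True for the indicator itself or a subdomain of it, never a look-alike suffix."""
    return host == indicator or host.endswith("." + indicator)


def scan_proxy_log(log_text):
    """Return one dict per log line that hits a domain or an IP indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(_KV.findall(line))
        if "dst" not in fields:
            continue
        host = fields["dst"].lower().rstrip(".")
        domain_hit = next((d for d in DOMAINS if domain_matches(host, d)), None)
        # IP-only hits are weaker evidence: shared hosting, and addresses churn
        ip_hit = fields.get("dst_ip") if fields.get("dst_ip") in IPS else None
        if domain_hit or ip_hit:
            hits.append({"client": fields.get("client"), "host": host,
                         "domain_hit": domain_hit, "ip_hit": ip_hit})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        confidence = "high" if hit["domain_hit"] else "low (IP only)"
        print(f"{hit['client']} -> {hit['host']} [{confidence}]")
```

On the sample, the two genuine leak-site contacts are reported as high-confidence domain hits, the look-alike host produces no hit at all, and the connection to an unrelated hostname on one of the listed addresses is surfaced only as a low-confidence IP hit that needs a human to triage.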

Time-frame & Communication Volume

  • The archive spans from September 18, 2023, to September 28, 2024, offering over a year’s worth of internal discussions.
  • A full year of messages is enough to show how the group’s targeting, tooling, and internal disputes changed over time, rather than a single snapshot.

So who is Black Basta?

Black Basta emerged in April 2022 as a ransomware-as-a-service (RaaS) operation and quickly became notorious for high-profile attacks. Under the RaaS model, the core group supplies the ransomware and the leak site while affiliates carry out the intrusions in exchange for a share of the ransom. Their operations have targeted major players in industries such as healthcare, defense, and technology — impacting victims like German defense contractor Rheinmetall, Hyundai’s European division, BT Group, U.S. healthcare giant Ascension, and more.

Between April 2022 and May 2024, Black Basta affiliates breached over 500 organizations worldwide and collected an estimated $100 million in ransom payments through wire payments, Bitcoin, and other cryptocurrencies. Their double extortion tactics — encrypting data and threatening to publish stolen information — have made them a formidable threat in the global cybercrime landscape.

Why This Leak Matters

A Warning to Cybercrime

This leak reminds us that no criminal organization is invincible. Just like the Conti ransomware leak in 2022, these chats expose internal problems that could lead to arrests, defections, or the group splintering, as Conti did after its own chats were published.

Valuable Lessons for Cyber Defenders

For cybersecurity professionals, the leak is a goldmine of information. By studying these chats, defenders can learn how Black Basta selects and plans its attacks, how it negotiates ransoms, and where it makes mistakes. This insight can lead to better defense strategies and help protect companies from similar attacks. It also shows the group’s level of expertise, including detailed system designs, network diagrams, Kanban boards, and dedicated infrastructure, showcasing that RaaS groups are as organized as, if not more organized than, many legitimate companies. Setting aside their internal conflicts, they treat this as a serious business, and cyber defenders should plan their ransomware defenses accordingly.

Final Thoughts

Getting a look inside Black Basta’s leaked chats was both revelatory and disturbing. What I found was not just a collection of technical details, but a human story of stress, betrayal, and operational failure within a criminal organization. These findings highlight that even the most sophisticated cybercriminal groups have their breaking points. It’s a powerful reminder that the fight against cybercrime is ongoing, and every piece of intelligence brings us closer to a safer digital world.

What do you think will happen next? Share your thoughts and join the discussion. If you found this story insightful, please share it with your network.

Let’s stay informed and work together. Stay safe and happy hacking!
