Experts race to extract intel from Black Basta internal chat leaks

Hundreds of thousands of internal messages from the Black Basta ransomware gang were leaked by a Telegram user, prompting security researchers to bust out their best Russian translations post haste.

A user going by the name "ExploitWhispers" uploaded the chats in the form of a JSON file nearly 50MB in size to Mega, which has since removed the download link.

Alas, the cyber threat intelligence (CTI) community flocked to the rare trove of information to glean any and all insights they could. The problem: It's all in Russian, so translating every message and turning that into actionable intel will take some time.

The threat intelligence team at PRODAFT said on Thursday that the chats, which were leaked on February 11, followed an internal conflict largely driven by a single figure within the organization.

"As part of our continuous monitoring, we've observed that Black Basta (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts," it said. "Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.

"The internal conflict was driven by 'Tramp' (LARVA-18), a known threat actor who operates a spamming network responsible for distributing Qbot. As a key figure within Black Basta, his actions played a major role in the group's instability.

"On February 11, 2025, a major leak exposed Black Basta internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."

A list of highlights from the chats so far, curated from posts made across the CTI community, can be found below:

• Ransom demands went deep into the tens of millions, according to one December 2023 ransom note

• The group was charging around $1 million for a year's access to its loader

• One affiliate is a child aged 17 years

• Black Basta goes to great lengths to procure VPN exploits

• It also maintains a spreadsheet of potential victims it wishes to target, which are not selected at random

• After seeing Scattered Spider's success with social engineering, its affiliates adopted similar techniques and used phone calls to make initial contact with company personnel

• Key gang members did not trust "Mr LockBit"

• It was known within the group that its ransomware was less effective than rivals, which drove some affiliates to join Cactus ransomware instead

One PRODAFT CTI analyst also broke down the main figures within the group, claiming a character they named as "Tramp" was likely the leader of the gang.

He and Bio used to work together at Conti, which also suffered a similar infamous internal chat leak in 2022, the researchers believe.

Lapa is one of the main administrators of the group, but appears to be paid markedly less than other senior members and is frequently insulted by his boss.

YY is another main admin and makes "a good salary," although the chats don't list specific figures. Under the watch of Lapa and YY, the group attacked Russian banks which is thought to have brought significant heat on the group from domestic law enforcement.

The nicknames were linked to what were described as the crims' "real names," although we've no way of knowing whether these are aliases.

• Ransomware scum make it personal for Reg readers by impersonating tech support
• Microsoft says more ransomware stopped before reaching encryption
• Russia’s FIN7 is peddling its EDR-nerfing malware to ransomware gangs
• Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware

Cortes is part of the Qakbot operation, which often works alongside Black Basta, but distanced himself from the ransomware crew following the attacks on Russian banks. It's understandable, given that Russia generally turns a blind eye to cybercrime unless it targets organizations within Putinland.

The leaked messages span September 18, 2023, to September 28, 2024. The Register has not yet reviewed the chats in full, but the date ranges suggest intelligence related to many high-profile attacks could be hiding among them. They include:

• The UK's Southern Water

• Healthcare company Synlab Italia

• US Catholic healthcare network Ascension

• Jet engine dealer Willis Lease Finance

• Belgian beer slinger Duvel Moortgat

• Hyundai Europe

• Veolia North America

• Government of Chile's customs department

• Toronto Public Library

Black Basta was known for targeting critical national infrastructure organizations, so the fact that so many feature in the list, and that researchers confirmed its "hit list" spreadsheet was not an opportunistic one, does not come as a surprise.

And for anyone wanting to scour the records themselves, the folks over at Hudson Rock have been quick to create what they're calling BlackBastaGPT – an interactive ChatGPT-powered tool allowing researchers to uncover details from the chats. ®