Riley King
A trove of chat logs allegedly belonging to the notorious Black Basta ransomware group has been leaked online, exposing key members of the prolific Russia-linked gang and offering a rare glimpse into their internal workings. The leak, which includes over 200,000 messages spanning from September 18, 2023, to September 28, 2024, was shared with threat intelligence company Prodaft by a leaker, who claims that the group's internal conflict led to the release of the sensitive information.
The Black Basta ransomware gang has been linked to hundreds of attacks on critical infrastructure and global businesses, with publicly known victims including U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs provide a never-before-seen look inside the ransomware gang, including some of its unreported targets.
The leaked chat logs reveal details about key members of the ransomware gang, including "YY" (Black Basta's main administrator), "Lapa" (another key leader), "Cortes" (a hacker linked to the Qakbot botnet), and "Trump" (also known as "AA" and "GG"). Notably, "Trump" is believed to be an alias used by Oleg Nefedovaka, whom Prodaft researchers describe as "the group's main boss." Nefedovaka has been linked to the now-defunct Conti ransomware group, which shut down soon after its internal chat logs leaked following the gang's declaration of support for Russia's full-scale invasion of Ukraine in 2022.
The chat logs also reveal that one member of the gang is only 17 years old, highlighting the concerning trend of young individuals becoming involved in cybercrime. Furthermore, the logs contain 380 unique links related to company information hosted on Zoominfo, a data broker that collects and sells access to businesses and their employees. These links provide some indication of the number of organizations targeted by the gang during the 12-month period.
The leaked chat logs offer unprecedented insights into the group's operations, including details on Black Basta's victims, copies of phishing templates used in their cyberattacks, some of the exploits used by the gang, cryptocurrency addresses associated with ransom payments, and details about ransom demands and the gang's negotiations with hacked organizations. The logs also reveal the gang's efforts to exploit security bugs in enterprise network devices, such as routers and firewalls, as well as their ability to exploit vulnerabilities in Citrix remote access products and in Ivanti, Palo Alto Networks, and Fortinet software to carry out cyberattacks.
A conversation between Black Basta members suggests that some of the group were worried about being investigated by Russian authorities in response to geopolitical pressures. While Russia has long been a safe haven for ransomware gangs, Black Basta was also concerned about actions brought by the U.S. government. Messages sent after the group's breach of Ascension's systems warned that the FBI and CISA are "100% obliged" to get involved and that this could lead to the agencies "taking a tough stance on Black Basta."
The leak of Black Basta's internal chat logs has significant implications for the cybersecurity community, as it provides valuable insights into the tactics, techniques, and procedures (TTPs) of a prolific ransomware gang. The leak also raises questions about the group's future operations and whether the internal conflict will lead to a fragmentation of the gang or a change in their tactics.
At the time of publication, Black Basta's dark web leak site, which it uses to publicly extort victims into paying the gang a ransom demand, was offline. The leak of the chat logs is a significant blow to the group's operations, and it remains to be seen how they will respond to this unprecedented exposure.
Copyright © 2024 Starfolk. All rights reserved.