
Black Basta, one of the most vile ransomware gangs, has imploded, and its internal messages have been leaked. Now, anyone can dissect how the ransomware ring operates just by prompting a chatbot.
The ransomware gang is responsible for over 500 compromised organizations, including breaches against huge healthcare organizations and over $100 million in damages. Its activities prompted alerts from the FBI, CISA, and other agencies.
The gang was brought down by internal conflicts. Black Basta’s internal chats were publicly exposed on Telegram.
Cybersecurity firm Hudson Rock fed over a million obtained internal messages to the chatbot and launched an open BlackBastaGPT, which can summarize the data in seconds.
“This AI chatbot is for threat intelligence researchers, letting you dive into Black Basta’s internal chats to unpack their ops, tactics, cash flow, and humor. It’s raw, real, and pulls straight from the data,” the firm said.
How did Black Basta implode?
On February 11th, 2025, a leaker with access to Black Basta's internal Matrix spilled the chat logs on Telegram. Matrix is an open decentralized communication network for end-to-end encrypted messaging.
“The leaker claimed they released the data because the group was targeting Russian banks,” cyber threat intelligence firm Prodaft posted on X.
BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn
PRODAFT (@PRODAFT), February 20, 2025
The researchers noted that Black Basta has been mostly inactive since the start of the year due to internal conflicts. Key members left the gang and joined Cactus ransomware and other gangs. Some operators even scammed victims by taking ransom payments without providing working decryptors.
“The internal conflict was driven by ‘Tramp’ (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBOT. As a key figure within Black Basta, his actions played a major role in the group's instability,” PRODAFT posted.
Black Basta had risen as a faction of the notorious Russian Conti ransomware gang, and the “leak closely resembles the previous Conti leaks.”
What’s in the messages?
Cybersecurity researchers are now analyzing the leaked internal messages, which reveal how the gang communicated and coordinated its operations, what infrastructure and technical tools it used, its tactics, its operational challenges, and more.
According to malware researchers from vx-underground, Black Basta members were extremely interested in VPN exploits, going to great lengths to acquire exploits or find people capable of delivering them.
“One of the BlackBasta affiliates is a minor. They are 17 years old,” vx-underground noted after reviewing part of the messages. “BlackBasta maintains a spreadsheet of victims they're trying to target. It is shared between members, and they collaborate on it together. It has the person of interest, if they've tried social engineering them, and general strategy notes. They often identify multiple targets at companies.”
Regarding the BlackBasta leaks: we haven't reviewed them in totality yet. It's quite a bit of messages in JSON format. It also has some Russian slang which makes it difficult to translate accurately. Thankfully there are some native Russian speakers who have made some interesting…
vx-underground (@vxunderground), February 21, 2025
The tone of the messages is blunt and often aggressive, filled with frustration and exhaustion. The members don’t sugarcoat failures and set high expectations for deadlines, and they readily mock peers for being late or failing.
Black Basta's workflow was already fairly well documented. As vx-underground summarized, the gang usually relies on social engineering to get victims to open malicious HTA files; these drop executables that connect to a gang-controlled server, from which the actual payloads are then delivered.
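From a detection standpoint, the chain described above (an HTA file opened by the user, followed by a dropped executable that reaches out to a remote server) leaves a recognizable process tree on the endpoint: the Windows HTML Application host (mshta.exe) becomes the ancestor of a command interpreter or of a binary running from a user-writable directory. The script below is an added example, not vx-underground's or any vendor's detection content; it walks a constructed set of process-creation events, whose field names (pid, ppid, image, command_line) are an assumed generic schema rather than any particular log source, and scores each event by whether mshta.exe appears in its ancestry.

```python
"""Flag process-creation events consistent with an HTA-based initial access
chain: mshta.exe spawning (directly or through a chain) a command
interpreter or an executable from a user-writable path.

Added example; the events and the event schema are constructed for
illustration and do not come from the leak or from any real telemetry.
"""
import ntpath

# Constructed sample telemetry: one benign explorer.exe tree next to a
# chain that mirrors the HTA -> cmd.exe -> dropped executable pattern.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\jdoe\Downloads\invoice.hta"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\update.exe"'},
    {"pid": 420, "ppid": 410, "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "command_line": "update.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

# Interpreters and LOLBins commonly seen as the first child of a script host.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\",
                 "\\programdata\\")
MAX_DEPTH = 4   # how far up the tree to look for mshta.exe


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def ancestor_images(event: dict, by_pid: dict) -> list:
    """Image basenames of the event's parent, grandparent, ... (nearest first).
    Real pipelines must key on pid plus process start time, because pids are
    reused; the plain pid map here is enough for a single constructed batch."""
    chain, current = [], event
    for _ in range(MAX_DEPTH):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            break
        chain.append(basename(parent["image"]))
        current = parent
    return chain


def classify(event: dict, by_pid: dict):
    """Return (severity, reason) or None for events that do not match."""
    image = basename(event["image"])
    cmd = event.get("command_line", "")
    if image == "mshta.exe" and ".hta" in cmd.lower() and in_user_writable(cmd):
        return "medium", "mshta.exe launched an .hta file from a user-writable path"
    if "mshta.exe" in ancestor_images(event, by_pid):
        if image in SCRIPT_HOSTS or in_user_writable(event["image"]):
            return "high", "descendant of mshta.exe is an interpreter or runs from a user-writable path"
        return "medium", "unexpected descendant of mshta.exe"
    return None


def detect(events: list) -> list:
    """Run classify() over a batch and return one alert dict per hit."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        verdict = classify(ev, by_pid)
        if verdict:
            severity, reason = verdict
            alerts.append({"pid": ev["pid"], "image": ev["image"],
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] pid={alert['pid']} {alert['image']}: {alert['reason']}")
```

On the constructed batch the benign cmd.exe and notepad.exe under explorer.exe produce nothing, while the mshta.exe launch, the cmd.exe it spawns and the executable dropped into the user's Temp folder are each flagged; the ancestry walk is what catches the dropped binary even though its direct parent is cmd.exe rather than mshta.exe.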
The operators usually give victims 10-12 days to pay the ransom before publishing the stolen data on the dark web.
The chat logs, spanning from September 18th, 2023, to September 28th, 2024, now unveil deceitful practices.
“Some members were pocketing ransom funds without delivering decryption keys,” security engineer Suyesh Prabhugaonkar posted.
“The human element shines through: stress, betrayal, and power struggles aren’t just buzzwords – they’re the very forces that might lead to Black Basta’s downfall. This leak is a stark reminder: even cybercriminal empires have cracks, and they may be their own biggest weakness.”
1/ 🚨 I just got my hands on leaked internal chat logs from Black Basta—the ransomware gang responsible for over $100 Million in damages. These chats reveal hidden conflicts, secret tactics, and more. The findings are revelatory yet disturbing. https://t.co/I0y563joYw
Suyesh Prabhugaonkar (@suye_sh), February 21, 2025
The researcher found 367 unique Zoom links, domains, and IP addresses used by the gang, among other details.
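Pulling unique links, domains and IP addresses out of a chat export of this size is a mechanical first pass that any threat-intelligence analyst does before reading. The script below is an added example, not Hudson Rock's or any of the quoted researchers' code: it takes a constructed JSON export whose message schema (ts, sender, body) is an assumption, since the page does not describe the leak's actual layout, extracts candidate network indicators with regular expressions, counts how many messages mention each one, drops addresses that only make sense inside a lab or victim network, and defangs the result for safe sharing. All hosts and addresses in the sample are documentation values (example.net and RFC 5737 ranges), not indicators from the leak.

```python
"""Extract and de-duplicate network indicators (URLs, domains, IPv4
addresses) from an exported chat log.

Added example; the JSON export below is a constructed, hypothetical schema
and every host or address in it is a documentation placeholder.
"""
import ipaddress
import json
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample export (hypothetical schema, not the leak's format).
SAMPLE_EXPORT = json.dumps([
    {"ts": "2023-09-18T10:02:11Z", "sender": "user_a",
     "body": "new panel is at https://panel.example.net/login ping 192.0.2.10"},
    {"ts": "2023-09-18T10:05:40Z", "sender": "user_b",
     "body": "call at https://zoom.us/j/0000000000 at 15:00, backup 192.0.2.10:443"},
    {"ts": "2023-09-19T08:11:02Z", "sender": "user_a",
     "body": "rotate c2, old host panel.example.net is burned, try 198.51.100.7"},
    {"ts": "2023-09-19T08:12:30Z", "sender": "user_c",
     "body": "loader v2.0.1 built, testing against 10.0.0.5 in the lab"},
])

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Four dotted octets not embedded in a longer token (so "1.2.3.4.5" is skipped).
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Addresses that are only meaningful inside a lab or victim network are not
# worth sharing as indicators. (RFC 5737 documentation ranges are deliberately
# not listed, because the constructed sample uses them in place of real hosts.)
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip_text: str) -> bool:
    """True for RFC 1918/loopback addresses and for regex hits that are not
    valid addresses at all (e.g. '999.1.1.1')."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_RANGES)


def indicators_in(body: str) -> dict:
    """Indicators mentioned in one message, as sets so repeats within the
    same message count once."""
    urls = set(URL_RE.findall(body))
    domains = {m.lower() for m in DOMAIN_RE.findall(body)}
    domains |= {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    ips = {ip for ip in IPV4_RE.findall(body) if not is_internal(ip)}
    return {"urls": urls, "domains": domains, "ips": ips}


def extract_indicators(export_json: str) -> dict:
    """Counter per indicator type; the count is the number of messages that
    mention the indicator, which is a rough proxy for how central it was."""
    totals = {"urls": Counter(), "domains": Counter(), "ips": Counter()}
    for msg in json.loads(export_json):
        for kind, values in indicators_in(msg.get("body", "")).items():
            totals[kind].update(values)
    return totals


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into reports without creating a live link."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for kind, counter in extract_indicators(SAMPLE_EXPORT).items():
        print(f"== {kind} ({len(counter)} unique) ==")
        for value, n in counter.most_common():
            print(f"{n:3d}  {defang(value)}")
```

Counting per message rather than per mention keeps a single pasted wall of text from dominating the ranking, and the internal-range filter is where an analyst would also drop the vendor's own sinkholes or known-benign services (the Zoom domain here is a meeting service, not infrastructure to block) before anything is published.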
Black Basta exploited weak credentials, exposed RDP servers, unpatched ESXi vulnerabilities, misconfigured VPNs, and social engineering (vishing and phishing) to gain initial access. They often rotated the infrastructure to evade detection and tested new payloads against defenses.
The dataset contains multiple usernames, but a few stand out as key players. GG (Trump) was likely the leader of the gang and was the most active user, involved in task delegation, performance tracking, and technical troubleshooting. He pushed deadlines, demanded results, and applied pressure on others. According to Prodaft, these aliases are used by Oleg Nefedov.
Leaked BlackBasta chat logs contain messages spanning from September 18, 2023, to September 28, 2024. Let's analyze the statements disclosed by the leaker:
- Lapa is one of the key administrators of BlackBasta and is constantly busy with administrative tasks. Holding this… https://t.co/KxQVKZBp75 pic.twitter.com/BibWU5P9e8
3xp0rt (@3xp0rtblog), February 20, 2025
Another key administrator was Lapa, who was constantly busy with administrative tasks, was frequently insulted by his boss, and earned significantly less than other gang members.
“Under his administration, there was a brute force attack on the infrastructure of some Russian banks. So far, no actions seem to have been taken by law enforcement, suggesting that this situation could pose a serious problem and potentially provoke reactions from these authorities,” Prodaft noted.