A massive hoard of internal chats has been leaked from the Black Basta ransomware group, rivalling the Conti leaks of late February 2022.
A 47 Mb JSON file of internal Black Basta chat logs was leaked by an actor named ExploitWhispers on February 11, 2025. Its existence did not become general knowledge until February 20, when the threat intelligence firm Prodaft posted brief details.
The post included a note from ExploitWhispers, written in Russian, suggesting the leak happened because Black Basta had ‘hacked domestic banks’ (that is, Russian banks) and in doing so they had crossed the line. Prodaft also suggested that Black Basta has been largely inactive since the beginning of the year ‘due to internal conflicts’.
All of this occurs after the period covered in the 200,000 leaked chats (dating from September 18, 2023, to September 28, 2024). These chat messages are now being analyzed by numerous security vendors and researchers, and reports are beginning to be published. Qualys and VulnCheck, for example, have analyzed the CVEs mentioned within the leak.
VulnCheck notes that 62 unique CVEs are mentioned in the chats, 53 of which are known to have been exploited although only 44 appear in the CISA KEV catalog. Many of the CVEs were being discussed by Black Basta actors within days of their publication, while three were discussed before their official publication.
“In addition to using known exploits,” notes VulnCheck, “there is evidence suggesting that Black Basta has the resources to develop new exploits. On several occasions, they also considered purchasing exploits from external groups with hesitancy.”
Qualys uses the chat logs to provide a ‘do now’ list of defensive priorities. It calls Black Basta ‘relentless’, and says the chats reveal “a hit list of weaponized vulnerabilities they exploit against enterprise networks”. The report provides a list of the top 20 CVEs that demand immediate attention, a separate list of the top 10 misconfigurations routinely exploited by Black Basta ransomware, and a full (appendix) list of all 62 CVEs.
VulnCheck and Qualys unsurprisingly concentrate on the vulnerabilities used or likely to be used by Black Basta and other ransomware gangs. The findings are valuable to cybersecurity defenders seeking a hardening priority list.
Threat intelligence firm Kela and the researcher BushidoToken (known as Will on X) have focused on operational procedures and the dynamics of the group respectively.
Kela focused its analysis on the breach of a Brazilian company in 2023. On October 16, 2023, the chats reveal an RDweb login portal link, with username and password. Cross-referencing these details with its own data lake of infostealing malware logs, Kela deduces that the details came from an infostealer in March 2023, and that the attack started from an infostealer-compromised technical support employee.
It “took the actors 2 days to compromise the company, steal the data and deploy ransomware,” notes Kela. By November 7, the attackers were readying the extortion phase – victim details were added to the leak site, possibly initially in hidden mode. On November 10, details were published on the site, with a timer giving 9 days before the full data would be leaked.
Kela suggests that this is typical of a Black Basta attack: initial access via an RD Web (although VPNs to endpoints are also favored), internally harvesting credentials to gain access to and control over critical systems, and data exfiltration and ransomware deployment. Victim profiling is done via Zoominfo to strengthen the actors’ negotiation leverage and help assess the ransom amount to demand.
“This structured approach, from initial access to data theft and public extortion,” writes Kela, “showcases Black Basta’s strategic use of compromised credentials, internal reconnaissance, and victim profiling to maximize the impact of their ransomware campaigns.”
These three analyses seem to depict a well-oiled professional ransomware business, very different from Prodaft’s description of a gang struggling with internal conflicts. BushidoToken’s analysis of the dynamics of the group, as depicted in the personal chats, may provide further insights. He looked closely at the attack on Ascension Health. On May 8, Ascension announced it had instigated ‘downtime procedures’ because of a cybersecurity incident.
By May 9, Black Basta was already discussing how to proceed, although it isn’t always easy to tell whether comments are genuine or sarcastic. Nevertheless, a user named ‘tinker’ wants the role of negotiator. In a longer than usual post he suggests that, in order to prevent the attack from becoming political (noting that an attack by BlackSuit against Octapharma a week earlier had been labeled “hostile actions by Russia”) and to avoid attracting too much heat against themselves, they should unlock the system free of charge (provide a free decryptor) but then go in hard on ransoming the data. It would seem he was eyeing a ransom figure somewhere near $100 million.
He goes on to explain that he has seen a post on Reddit where a doctor says “I am afraid for my patients and my license. It took me six hours to transfer my patient to palliative care and get a prescription for morphine.” Sentiment within Black Basta seems to change after this. An actor named ‘nn’ asks, “Can I give them the decryption immediately upon request?”
‘gg’ (generally considered a leader within the group) adds “100% of the FBI and CISA are obliged to get involved, and all this has led to the fact that they will take tough tackle on Black Basta.”
‘tinker’ comments, “If someone, God forbid, dies… we will rake the problems on our heads – this will be classified as a terrorist attack.” He went on to raise the Colonial Pipeline attack becoming political. He noted that because of the geopolitical situation at the time (9 months before Russia invaded Ukraine) Putin wished to deescalate the pipeline issue. “As a result… the Russian Federation, they went in hard against the ransomvars.”
He also added, “I don’t want to go to hell if a child with a heart defect dies.”
In the event, Black Basta went further than offering a free decryptor. On May 13, ‘gg’ posted communications with Ascension Health (in reality, probably a Mandiant negotiator) that first provided the decryptor and then demonstrated, with proof, that the stolen data had been deleted.
“From these messages,” writes BushidoToken, “it appears no ransom was paid and Black Basta returned the data and deleted it.”
But there is more. “We will not wash off this now and most likely the software will fly to the trash,” says ‘gg’. The researcher interprets this as meaning the group was thinking of ditching the brand of Black Basta and rebranding to another name, adding “The BlackBasta team also mentioned several times during this incident that they were going to have to rebrand because of the attack.”
There is an interesting timeline here. Conti disbanded after the Conti leak. Many researchers believe it effectively rebranded as Black Basta. Now we have the Black Basta leak at a time when the group, according to Prodaft, “has been mostly inactive since the start of the year due to internal conflicts.”
Should we expect to see Black Basta disband and reform under a new name during 2025? That is just idle speculation for now, but interesting speculation nonetheless. The one thing we can be sure of is that there will be more analyses of the Black Basta leak.