Wednesday, April 16, 2025

Leaked chat logs expose inner workings of secretive ransomware group


More than a year’s worth of internal communications from one of the world’s most active ransomware syndicates have been published online in a leak that exposes tactics, trade secrets, and internal rifts of its members.

The communications come in the form of logs of more than 200,000 messages members of Black Basta sent to each other over the Matrix chat platform from September 2023 to September 2024, researchers said. The person who published the messages said the move was in retaliation for Black Basta targeting Russian banks. The leaker’s identity is unknown; it’s also unclear if the person responsible was an insider or someone outside the group who somehow gained access to the confidential logs.

How to be your own worst enemy

Last year, the FBI and Cybersecurity and Infrastructure Security Agency said Black Basta had targeted 12 of the 16 US critical infrastructure sectors in attacks mounted on 500 organizations around the world. One notable attack targeted Ascension, a St. Louis-based health care system with 140 hospitals in 19 states. Other victims include Hyundai Europe, UK-based outsourcing firm Capita, the Chilean Government Customs Agency, and UK utility company Southern Water. The native Russian-speaking group has been active since at least 2022.

“BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies,” a member of security firm Prodaft wrote Thursday. “Keep burning our intelligence sources, we don’t mind.”

Researchers who have read the Russian-language texts said they expose internal rifts in the secretive organization, rifts that have escalated since one of its leaders was arrested, because that arrest raises the risk that other members will be tracked down as well. The heightened tensions have contributed to growing friction between the current leader, believed to be Oleg Nefedov, and his subordinates. One of the disagreements involved his decision to target a bank in Russia, which put Black Basta in the crosshairs of law enforcement in that country.

“It turns out that the personal financial interests of Oleg, the group’s boss, dictate the operations, disregarding the team’s interests,” a researcher at Prodaft wrote. “Under his administration, there was also a brute force attack on the infrastructure of some Russian banks. It seems that no measures have been taken by law enforcement, which could present a serious problem and provoke reactions from these authorities.”

The leaked trove also includes details about other members, including two administrators using the names Lapa and YY, and Cortes, a threat actor linked to the Qakbot ransomware group. Also exposed are more than 350 unique links taken from ZoomInfo, a cloud service that provides data about companies and business individuals. The leaked links provide insights into how Black Basta members used the service to research the companies they targeted.

Security firm Hudson Rock said it has already fed the chat transcripts into ChatGPT to create BlackBastaGPT, a resource to help researchers analyze Black Basta operations.
