
In a surprising turn of events on February 20, 2025, the cybersecurity community gained unexpected insights into the notorious Black Basta ransomware group. An individual using the alias ExploitWhispers leaked a file on Telegram, purportedly containing the group's internal chat logs. This JSON dataset comprises 196,045 messages from a Matrix/Element chat, primarily in Russian, spanning from September 18, 2023, to September 28, 2024.
Unveiling the Black Basta Ransomware Group
The identity of the leaker and their motives remain unclear, though ExploitWhispers accused Black Basta of targeting Russian banks. Initial analysis suggests the data is largely authentic, though manipulation cannot be ruled out. Black Basta, a ransomware-as-a-service (RaaS) group, emerged in April 2022 and has attacked over 500 organizations globally, including sectors like healthcare and manufacturing. Notable victims include Ascension and Dish Network. By November 2023, the group had amassed over $100 million in ransom payments. However, since January 2025, no new victims have been reported, and the group's leak site is down, hinting at internal discord.
Leadership and Internal Dynamics
Founded by Conti Team 3, also known as Tramp’s team, Black Basta was led by an individual using the aliases gg and aa. Investigations suggest this leader is likely Oleg Nefedov, a Russian citizen. The group operated with a structured hierarchy, featuring specialized roles in infrastructure management, malware development, and negotiations. Members worked under strict supervision, with some operating independently as affiliates.
- Leader: Tramp, possibly Oleg Nefedov, coordinated operations and maintained strict control.
- Structure: The group had offices, likely in Moscow, and operated with a clear hierarchy.
- Specializations: Members focused on infrastructure, initial access, malware obfuscation, and negotiations.
Black Basta's Infrastructure and Operations
The leaked data provides a glimpse into Black Basta's infrastructure. The group frequently changed Matrix servers for operational security, migrating to a new server in September 2024. This move coincided with Tramp’s brief arrest in Armenia. Black Basta's infrastructure was hosted on legitimate providers like Hetzner, acquired through third-party resellers accepting cryptocurrency payments. The group used bulletproof hosting services for deploying abuse-resistant C2 servers.
Hosting and Obfuscation Tactics
Black Basta's infrastructure management involved strategic obfuscation. They preferred acquiring servers from "grey" hosting companies so they could rotate and conceal their infrastructure. Bulletproof hosting was used sparingly, with notable mentions of "the Abkhaz hosting" service. This approach helped conceal their Cobalt Strike team servers; Cobalt Strike is the tool the group used for establishing command and control.
- Hosting Providers: Servers were primarily hosted on Hetzner, acquired via resellers.
- Obfuscation Strategy: Infrastructure was concealed using offshore hosting and proxies.
- Bulletproof Hosting: Used for deploying Cobalt Strike and fast-flux capabilities.
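Analysts working a leak like the one described above usually start with two questions: what does the dataset cover (message count, date span, most active handles), and which messages mention infrastructure (hosting providers, C2 tooling, IP addresses) that can be turned into detection or blocking material. The script below is an added example written for this page, not code from the article, the leaker, or any analysis team. It assumes a simple export schema of one JSON object per message with "timestamp" (ISO 8601), "sender" and "text" fields; the real leak's field names are not given here, so adjust the field constants to match. The four messages are constructed for illustration and use an RFC 5737 documentation address, not a real indicator.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Assumed field names for the chat export (hypothetical; change to match your file).
FIELD_TS, FIELD_SENDER, FIELD_TEXT = "timestamp", "sender", "text"

# Constructed sample export: four messages in the assumed schema.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2023-09-18T10:02:00Z", "sender": "gg",
     "text": "нужен новый сервер на hetzner через реселлера"},
    {"timestamp": "2023-09-19T12:30:00Z", "sender": "aa",
     "text": "поднял CS на 203.0.113.45, прокси через abkhaz hosting"},
    {"timestamp": "2024-03-01T08:00:00Z", "sender": "ops1",
     "text": "переезжаем на новый matrix сервер"},
    {"timestamp": "2024-09-28T23:59:00Z", "sender": "gg",
     "text": "оплата в btc отправлена"},
])

# Terms worth a first pass when hunting for infrastructure talk in a mixed
# Russian/English chat. Extend this list from your own reading of the data.
INFRA_KEYWORDS = ("hetzner", "abkhaz", "cobalt", "matrix", "proxy",
                  "прокси", "сервер")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_messages(raw_json):
    """Parse the export into dicts with a timezone-aware datetime, sorted by time."""
    messages = []
    for m in json.loads(raw_json):
        # fromisoformat() accepts "+00:00"; normalise a trailing "Z" for older Pythons.
        ts = datetime.fromisoformat(m[FIELD_TS].replace("Z", "+00:00"))
        messages.append({"ts": ts, "sender": m[FIELD_SENDER], "text": m[FIELD_TEXT]})
    messages.sort(key=lambda m: m["ts"])
    return messages


def summarize(messages):
    """Dataset overview: size, covered period, and most active handles."""
    senders = Counter(m["sender"] for m in messages)
    return {
        "count": len(messages),
        "first": messages[0]["ts"].isoformat() if messages else None,
        "last": messages[-1]["ts"].isoformat() if messages else None,
        "top_senders": senders.most_common(5),
    }


def infra_hits(messages):
    """Messages that mention an infrastructure keyword or contain an IPv4 literal.

    Each hit records which keywords matched and any IPs found, so the output can
    be reviewed and, where appropriate, fed into blocklists or hunting queries.
    """
    hits = []
    for m in messages:
        lowered = m["text"].lower()
        keywords = [k for k in INFRA_KEYWORDS if k in lowered]
        ips = IPV4_RE.findall(m["text"])
        if keywords or ips:
            hits.append({"ts": m["ts"].isoformat(), "sender": m["sender"],
                         "keywords": keywords, "ips": ips, "text": m["text"]})
    return hits


if __name__ == "__main__":
    msgs = load_messages(SAMPLE_EXPORT)
    print(json.dumps(summarize(msgs), ensure_ascii=False, indent=2))
    for hit in infra_hits(msgs):
        print(hit["ts"], hit["sender"], hit["keywords"], hit["ips"])
```

On the real dataset, replace SAMPLE_EXPORT with the file contents (open it with UTF-8 encoding, since most messages are Russian) and expect the summary to report the message count and September 2023 to September 2024 span cited above; the keyword list is deliberately a starting point, and the hits it produces are leads to verify, not confirmed indicators.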
The Black Basta chat leak offers a rare glimpse into the inner workings of a sophisticated ransomware group. The data reveals a structured organization with specialized roles and a complex infrastructure strategy. This leak underscores the importance of continuous vigilance and analysis in the cybersecurity landscape. By leveraging these insights, cybersecurity professionals can better understand and counteract the evolving tactics of cybercriminal organizations.