Leaked Black Basta Chat Logs Reveal $107M Ransom Earnings and Internal Power Struggles

News Room
Published 26 February 2025, last updated 2025/02/26 at 8:59 AM
More than a year’s worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented visibility into the group’s tactics and the internal conflicts among its members.

The Russian-language chats on the Matrix messaging platform, spanning September 18, 2023, to September 28, 2024, were initially leaked on February 11, 2025, by an individual using the handle ExploitWhispers, who claimed to have released the data because the group was targeting Russian banks. The identity of the leaker remains a mystery.

Black Basta first came under the spotlight in April 2022, using the now-largely-defunct QakBot (aka QBot) as a delivery vehicle. According to an advisory published by the U.S. government in May 2024, the double extortion crew is estimated to have targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia.

Per Elliptic and Corvus Insurance, the prolific ransomware group is estimated to have netted at least $107 million in Bitcoin ransom payments from more than 90 victims by the end of 2023.

Swiss cybersecurity company PRODAFT said the financially motivated threat actor, also tracked as Vengeful Mantis, has been “mostly inactive since the start of the year” due to internal strife, with some of its operators scamming victims by collecting ransom payments without providing a working decryptor.


What’s more, key members of the Russia-linked cybercrime syndicate are said to have jumped ship to the CACTUS (aka Nurturing Mantis) and Akira ransomware operations.

“The internal conflict was driven by ‘Tramp’ (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBot,” PRODAFT said in a post on X. “As a key figure within BLACKBASTA, his actions played a major role in the group’s instability.”

Some of the salient aspects of the leak, which contains nearly 200,000 messages, are listed below:

  • Lapa is one of the main administrators of Black Basta and is involved in administrative tasks
  • Cortes is associated with the QakBot group, which has sought to distance itself in the wake of Black Basta’s attacks against Russian banks
  • YY is another administrator of Black Basta who is involved in support tasks
  • Trump is one of the aliases for “the group’s main boss” Oleg Nefedov, who goes by the names GG and AA
  • Trump and another individual, Bio, worked together in the now-dismantled Conti ransomware scheme
  • One of the Black Basta affiliates is believed to be a minor aged 17 years
  • Black Basta has begun to actively incorporate social engineering into its attacks following the success of Scattered Spider

According to Qualys, the Black Basta group leverages known vulnerabilities, misconfigurations, and insufficient security controls to obtain initial access to target networks. The discussions show that SMB misconfigurations, exposed RDP servers, and weak authentication mechanisms are routinely exploited, often relying on default VPN credentials or brute-forcing stolen credentials.

Another key attack vector entails the deployment of malware droppers to deliver the malicious payloads. In a further attempt to evade detection, the e-crime group has been found to use legitimate file-sharing platforms like transfer.sh, temp.sh, and send.vis.ee for hosting the payloads.

“Ransomware groups are no longer taking their time once they breach an organization’s network,” Saeed Abbasi, manager of product at Qualys Threat Research Unit (TRU), said. “Recently leaked data from Black Basta shows they’re moving from initial access to network-wide compromise within hours – sometimes even minutes.”

The disclosure comes as Check Point’s Cyberint Research Team revealed that the Cl0p ransomware group has resumed targeting organizations, listing organizations that were breached on its data leak site following the exploitation of a recently disclosed security flaw (CVE-2024-50623) impacting the Cleo managed file transfer software.

“Cl0p is contacting these companies directly, providing secure chat links for negotiations and email addresses for victims to initiate contact,” the company said in an update posted last week. “The group warned that if the companies continue to ignore them, their full names will be disclosed within 48 hours.”

The development also follows an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a wave of data exfiltration and ransomware attacks orchestrated by the Ghost actors targeting organizations across more than 70 countries, including those in China.


The group has been observed rotating its ransomware executable payloads, switching the file extensions of encrypted files, and modifying ransom note text, which has led to the group being tracked under other names such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

“Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware,” the agency said. “Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.”

Ghost is known to use publicly available code to exploit internet-facing systems by employing various vulnerabilities in Adobe ColdFusion (CVE-2009-3960, CVE-2010-2861), Fortinet FortiOS appliances (CVE-2018-13379), and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, aka ProxyShell).

A successful exploitation is followed by the deployment of a web shell, which is then utilized to download and execute the Cobalt Strike framework. The threat actors have also been observed using a wide range of tools like Mimikatz and BadPotato for credential harvesting and privilege escalation, respectively.

“Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on additional systems on the victim network – often for the purpose of initiating additional Cobalt Strike Beacon infections,” CISA said. “In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.”
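As an added defender-side example (not from the article or the CISA advisory), the following Python scanner runs over constructed Sysmon-style process-creation events and flags the WMIC-to-PowerShell lateral movement pattern CISA describes, from both ends: on the originating host, `wmic.exe` invoked with `/node:` to create a process remotely; on the target host, a shell whose parent is `WmiPrvSE.exe`, which is how WMI-created processes appear. Field names, hostnames and command lines are assumptions.

```python
# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:"srv-02" process call create "powershell -NoProfile -Command whoami"'},
    {"host": "srv-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell -NoProfile -Command whoami"},
    {"host": "ws-03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption"},                     # benign local WMIC use
    {"host": "srv-04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -File backup.ps1"},             # benign interactive PowerShell
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["cmdline"].lower()
    # Source side: WMIC aimed at another host and asked to create a process there.
    if image == "wmic.exe" and "/node:" in cmd and all(
            token in cmd for token in ("process", "call", "create")):
        return "remote-wmic-process-create"
    # Destination side: a shell interpreter spawned by the WMI provider host.
    if parent == "wmiprvse.exe" and image in SHELLS:
        return "wmi-spawned-shell"
    return None


def scan(events):
    """(host, label) pairs for every event that matches a detection."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["host"], label))
    return findings


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Pairing the two sides (a source-side hit on one host shortly followed by a destination-side hit on the host named in `/node:`) is what turns either weak signal on its own into a confident lateral-movement alert.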
