The once notorious Black Basta ransomware group seems to have hit a roadblock in 2025, with a significant drop in activity. Recent leaks of chat logs suggest that internal disagreements and conflict among group members may be the root cause of this decline.
In 2024, Cyble threat intelligence researchers documented 189 victims of Black Basta. In the first two months of 2025, that count stood at just eight. The leaked chat logs, shared by a Telegram user known as ExploitWhispers, shed light on the dissent within the group, particularly disagreements over which targets to pursue.
While the internal strife may explain some of Black Basta's weakened state, the more valuable material in the leak is what it reveals about the group's tactics, techniques, and procedures (TTPs). By analyzing nearly 200,000 chat messages exchanged between September 2023 and September 2024, researchers were able to extract indicators of compromise (IoCs) and other actionable intelligence.
The leaked chat logs uncovered new information about Black Basta, including discussions on previously unreported vulnerabilities and tactics employed by the group. Black Basta made its debut in April 2022, believed to have been formed by ex-members of ransomware groups Conti and REvil. Since then, Cyble has identified 528 victims targeted by the group.
The chat logs provide valuable insights into Black Basta’s TTPs. The group often exploits compromised remote access points such as Remote Desktop Protocol (RDP) and VPN credentials for initial access. They also deploy malicious scripts, utilize obfuscation and encryption techniques, and employ various tools and kits for evasion and persistence.
Furthermore, the chat logs reveal a long list of vulnerabilities targeted by Black Basta members, ranging from software vulnerabilities to network devices and IT tools. Notable CVEs discussed include those affecting Microsoft Windows, Spring Framework, Google Chrome, and various other platforms and applications.
In addition, the leaked chat logs disclose a range of indicators of compromise (IoCs) associated with Black Basta, including ransomware files, malware samples, IP addresses used for C2 communication, and compromised credentials. The group has been linked to several malware families, including RemcosRAT, AgentTesla, FormBook, and GuLoader.
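The extraction step the article describes, pulling IoCs out of free-form chat text, is easy to get subtly wrong: operators routinely "defang" addresses (`hxxp://`, `203[.]0[.]113[.]7`), the same IP recurs across many messages, and a 64-character hash must not be double-counted as a shorter one. The following is an added example and not Cyble's tooling or anything taken from the leak; the chat lines are constructed, the IP addresses are RFC 5737 documentation ranges, and the hashes, hostname and CVE number are made up.

```python
"""Refang and extract IoCs from chat-log text (illustrative, not the researchers' code)."""
import re
from collections import Counter

# Constructed sample messages in a plausible "timestamp | handle: text" layout.
# They are NOT real leak content: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are reserved documentation ranges, and the hashes, host and CVE id are invented.
SAMPLE_MESSAGES = [
    "2024-03-01 10:12 | b: new build at hxxp://update-srv[.]example/loader.exe "
    "sha256 " + "deadbeef" * 8,
    "2024-03-01 10:15 | c: rdp creds work on 198.51.100.23:3389, vpn gateway 203[.]0[.]113[.]7",
    "2024-03-02 09:40 | b: try CVE-2099-0001 on the edge box, md5 of dropper "
    + "0123456789abcdef" * 2,
    "2024-03-02 09:41 | c: same host again 198.51.100.23 - already noted",
]

# Each pattern tolerates common defanging ("[.]" and "hxxp"); \b anchors keep a
# 64-hex SHA-256 from also matching as a 32-hex MD5 or 40-hex SHA-1.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b"),
    "url": re.compile(r"\bh(?:xx|tt)ps?://[^\s<>]+", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE),
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def valid_ipv4(ip: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. version strings)."""
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_iocs(messages):
    """Return {kind: {indicator: sighting_count}} for every indicator kind found."""
    found = {kind: Counter() for kind in PATTERNS}
    for msg in messages:
        for kind, pattern in PATTERNS.items():
            for match in pattern.findall(msg):
                value = refang(match)
                if kind == "ipv4" and not valid_ipv4(value):
                    continue
                if kind == "cve":
                    value = value.upper()
                elif kind in ("sha256", "sha1", "md5"):
                    value = value.lower()
                found[kind][value] += 1
    # Drop kinds with no hits so the caller sees only what is actually present.
    return {kind: dict(counter) for kind, counter in found.items() if counter}


if __name__ == "__main__":
    for kind, hits in extract_iocs(SAMPLE_MESSAGES).items():
        for indicator, count in sorted(hits.items()):
            print(f"{kind:7s} {indicator}  (seen {count}x)")
```

The sighting count is worth keeping: an address that recurs across many messages is a stronger candidate for a C2 host than a one-off paste. Refanged values should still be treated as leads rather than blocklist entries until they are corroborated, since chat logs also contain victims' addresses, public services and typos.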
The leak of Black Basta’s chat logs is considered one of the most significant ransomware group leaks since the Conti source code leak in 2022. Although the internal conflicts within the group have garnered attention, the detailed tactical information revealed in the logs serves as a valuable resource for threat intelligence researchers and security teams combating threats from Black Basta and similar groups.
Overall, the leaked chat logs provide unprecedented insight into the inner workings of Black Basta and offer a wealth of actionable intelligence for those tasked with defending against cyber threats in the ever-evolving landscape of ransomware attacks.

