The recent leak of internal chat logs from the BlackBasta ransomware gang has caused a stir in the cyber threat intelligence community. Prodaft, a threat intelligence firm, reported on February 20, 2025 that the chat logs, originally posted to the file-sharing site MEGA by an individual using the moniker ExploitWhispers, had since been republished on a dedicated Telegram channel. The leaked files contain 196,045 messages, all written in Russian, and offer a rare view into the day-to-day operations and internal workings of one of the most active ransomware groups of recent years.
Several researchers believe BlackBasta was formed by members of two now-defunct ransomware groups, Conti and REvil. Yelisey Bohuslavskiy, Partner and Chief Research Officer at Red Sense, has suggested that BlackBasta emerged after those two groups dissolved, with key members regrouping under a new name to continue the same extortion business.
The leaked chat logs span from September 18, 2023 to September 28, 2024 and are a rich source for threat intelligence analysts. They document the relationships between key threat actors, the group's access to victims' internal networks, and other details that clarify how BlackBasta operated. The leak is believed to have originated from inside the group, although the identity and motives of ExploitWhispers remain unknown.
One of the most notable revelations in the chat logs is the internal conflict that ultimately led to the group's disbanding. Prodaft researchers point to a key figure known as 'Tramp' (also rendered 'Trump'), whose actions sparked major disputes and drove several core members out of the group. Allegations of favoritism, financial mismanagement, and a toxic working environment were among the internal pressures cited as contributing to the group's collapse.
Externally, BlackBasta also came under scrutiny for a risky brute-force attack against Russian banks, a move that broke the informal rule of not targeting domestic institutions and may have drawn unwanted attention from Russian authorities. That attack, combined with the internal conflicts, prompted some former BlackBasta operators to move to other ransomware groups, notably Cactus and Akira. This fluidity, with operators moving between groups as financial incentives and internal dynamics shift, complicates attribution and tracking for defenders: tooling, infrastructure, and tradecraft follow individuals rather than brand names.
Overall, the leak of BlackBasta's internal chat logs gives defenders an unusually detailed record of a ransomware operation: who worked with whom, how access to victim networks was obtained and handled, and how the group's internal disputes shaped its activity. As operators continue to migrate between groups and adapt their tactics, correlating this kind of primary-source material with existing intelligence, and sharing the resulting findings across the security community, remains essential to tracking these actors wherever they reappear.