Date: 2025-02-21

The internal log data of the Black Basta ransomware gang between September 2023 and September 2024 was recently leaked. The data provide interesting insight into the gang’s tools, victims, and sharing of stolen information.

Recently, the hacker ExploitWhispers shared an archive of internal Matrix chat logs from the Black Basta ransomware gang on the MEGA file-sharing platform and later via a Telegram channel. Security experts at PRODAFT reported this in a post on X.

Leaked data

The archive in question contains chat logs from the ransomware gang between Sept. 18, 2023, and Sept. 28, 2024. This veritable gold mine contains data such as phishing templates, emails to send them to, cryptocurrency addresses, data drops, victims’ login credentials, and confirmations of tactics used.

In addition, the leaked information includes 367 unique ZoomInfo links with victim data. Hackers often share information internally or with victims during negotiations on the ZoomInfo platform.

Other leaked data involved information about members of Black Basta, including Lapa, one of the admins, and hacker Cortes, who is also linked to Qakbot. Other hackers about whom information has come out include YY, Black Basta’s main admin, and Trump, or Oleg Nefedovaka, the leader of the hacker gang.

Internal conflict within Black Basta

The ransomware gang’s data may have been leaked because of an internal conflict, PRODAFT security experts indicate. The cause is said to be that some members had a problem with attacks on Russian banks.

Black Basta has been largely inactive this year. This is possibly due to internal quarrels, with some members extorting victims without eventually providing functional decryptors after payment.

Also, early this year, prominent members of Black Basta reportedly switched to the ransomware gang Cactus (Nurturing Mantis) and other cyber gangs.

This is not the first time internal data from ransomware gangs has been publicly exposed. In February 2022, a security researcher from Ukraine leaked more than 170,000 internal chat conversations and the source code of the infamous Conti ransomware gang. This happened after the Conti cybercriminals expressed support for the Russian invasion.
