A significant leak of 190,000 chat messages exchanged among members of the Black Basta ransomware group reveals the intricate structure and efficiency of this organized operation, which employs specialists in domains such as exploit development, infrastructure enhancement, and social engineering.
This cache of communications was initially uploaded to the file-sharing service MEGA before being shared on Telegram in February 2025. The chat messages span from September 2023 to September 2024. A figure known only as ExploitWhispers claimed responsibility for the leak and provided insights that help contextualize the exchanged messages. The identity of ExploitWhispers is still unknown, and the timing of the leak aligned with the puzzling downtime of the Black Basta website on the dark web, which has yet to resume operations.
“We need to exploit as soon as possible”
Security analysts from Trustwave’s SpiderLabs examined the leaked messages, which were written in Russian, and released both a succinct blog summary and an in-depth report discussing their findings.
The analysis indicates that the dataset provides significant insights into Black Basta’s operational processes, decision-making frameworks, and team interactions. It presents a raw look at the operations of one of the most active ransomware factions, drawing comparisons to the notorious leaks from the Conti group. Previous revelations from Conti exposed discontent among its members regarding low wages, excessive working hours, and dissatisfaction with leadership, especially concerning the group’s political stance during Russia’s invasion of Ukraine. The researchers noted, “While the leak’s immediate effects are still unclear, exposing the internal mechanisms of Black Basta offers a valuable chance for cybersecurity experts to adjust their strategies and countermeasures.”
Among the tactics, techniques, and procedures (TTPs) Black Basta employed were social engineering campaigns against employees of prospective targets, in which operators posed as IT support personnel addressing supposed issues or responding to fictitious security breaches.
Source: arstechnica.com