Background
On 11 February, an unidentified individual using the moniker Шепот Басты aka ‘Basta’s Whisper’ leaked a collection of internal chat logs originating from various chat rooms used by the operators and members of the Black Basta ransomware group on Telegram. The leaks contained approximately 200,000 messages dated between September 18, 2023, and September 28, 2024.
The content provides a window into the group’s operations and into the friction among members that led to its ultimate decline. The significance of the leak comes down to the members of the group – long-time Russian ransomware operators – as well as the historic impact of the group, which was once one of the most prolific ransomware groups in the industry. In this blog we’ll outline the main insights identified within the leaks and highlight key takeaways for cyber practitioners.
Who is Black Basta?
Black Basta is a ransomware-as-a-service group first identified in April 2022. Once considered one of the top ransomware groups, Black Basta claimed numerous high-profile victims around the globe and was known for high-impact and sophisticated attacks. An update to CISA’s advisory on the group published in November 2024 noted that the group had targeted at least 500 organizations around the world and targeted organizations in 12 of the United States’ 16 critical infrastructure sectors to date.
What happened
Timeline
- 11 February – An unidentified individual created a Telegram group called “Basta’s Whisper” which provided access to the collection of leaked internal chats from the Black Basta ransomware group, expressing that the group’s administrator had ‘crossed the line’ by hacking Russian banks.
- 20 February – The administrator of the “Basta’s Whisper” Telegram group promised to release additional information ‘in the near future’.
- 21 February – Threat intelligence firm Hudson Rock released a BlackBastaGPT instance to support research of the leaked collection, making the content of the leaked chats widely accessible. [1]
- 5 March – The administrator of the “Basta’s Whisper” Telegram channel published a dossier filled with personally identifying information and other details which claim to unmask the true identity of Black Basta’s senior manager or team leader as Oleg Evgenievich Nefedov. This has not been independently verified so far.
- 13 March – The administrator of the “Basta’s Whisper” channel deleted the channel on the Telegram platform, making the original content inaccessible to new followers, though information remains accessible through BlackBastaGPT and private collections.
[1] Information within BlackBastaGPT is limited to the information available within the leaked chats, which span from September 18, 2023, to September 28, 2024. This will not change unless additional information is added to the ChatGPT instance.
Insights from the Black Basta leaks
S-RM has identified the following key insights from the Black Basta leaked communications to date:
Targeting strategies and victim selection: Black Basta distinguishes itself from many ransomware groups by adopting a systematic and intelligence-driven approach to victim selection, as revealed in leaked internal communications. The group maintained a victim-tracking spreadsheet, likely containing financial data, known system vulnerabilities, key employee contact details for social engineering, and attack status updates. Analysis of internal discussions indicates a targeting strategy focused on network exploitability, with members referencing 62 different software vulnerabilities across their campaigns. Black Basta also scanned the internet for exposed Remote Desktop Protocol (RDP) connections and leveraged initial access brokers to infiltrate corporate environments.
Once potential victims were identified, the group prioritized organizations with a low tolerance for operational downtime and a high likelihood of paying a ransom. Payment probability assessments factored in organizational revenue, industry-specific payment trends, and cyber insurance coverage details to optimize extortion efforts. By combining broad-scale exploitation with manual validation and strategic prioritization, Black Basta demonstrated an adaptive and methodical threat model.
Extent of victim exposure in the leaked communications: Leaked communications from Black Basta showcased the group’s methodical approach to tracking and categorizing victims, resulting in the direct identification of victims through naming the organizations directly or sharing leaked credentials which include organization-specific identifiers. The leaked communications expose some sensitive details about approximately 17 ransom negotiations.
Notably, the communications name at least 29 organizations directly, although only 15 of these appear on the group's official leak site. This discrepancy indicates that the remaining organizations might have paid ransoms to avoid disclosure, or the attacks against them were either incomplete or unsuccessful. Other communications divulge limited but critical information about victims who negotiated with the group. Although the majority of communications focus on operational details, transcripts from 17 negotiation cases were identified, revealing initial ransom demands, confirmed settlements, and pressure tactics used by the group against specific victims. To date, S-RM has identified that four of these transcripts directly identify victims; the remaining transcripts reference organizations’ annual revenue or industry but do not include additional identifying details.
The leaked data also includes at least 242 breached credentials. About 61% of these credentials directly identify breached organizations through features like company email domains, internal usernames, or login portal references. The remaining 39% could be traced back to specific organizations with further investigation. The public exposure of ransom negotiations, victim identities, and breached credentials not only increases risks for affected organizations but may also lead to the identification of previously undisclosed Black Basta victims, shedding light on cases that were not publicly acknowledged by the group.
Ties to other ransomware operations: On March 5 the administrator of the “Basta's Whisper” Telegram account released a dossier allegedly revealing the identity of the ransomware group’s team leader. The dossier claims that the leader is a Russian national named Oleg Evgenievich Nefedov and associates him with several key aliases, including Tramp, Trump, GG and AA. If confirmed, the dossier not only discloses the true identity of Black Basta’s team leader, known in leaked chats under the username ‘GG’, but also indicates his involvement in major predecessor groups such as Conti and REvil. While the formation of new alliances is common and defunct groups often reappear under new names, this dossier provides further evidence of such practices and underscores the importance of monitoring affiliate behaviors across ransomware groups. Although this new information has not yet led to the inclusion of Nefedov on the OFAC sanctions list, similar actions have occurred in the past with groups like LockBit.
Ties to Russian intelligence: The dossier unmasking Nefedov alleges that he is protected by high-ranking Russian politicians and key intelligence agencies, such as the FSB and GRU. Leaked chat messages seem to substantiate this allegation. In one conversation, a user identified as "GG" informed another group member, "Chuck," about their arrest and subsequent quick release, thanks to influential officials. This narrative appears to be consistent with Armenian news reports about the unusual circumstances of Nefedov’s release from custody in Armenia in June 2024.
While these claims have not been independently verified, establishing a direct link between a ransomware group leader and Russian intelligence would be a significant discovery. Security researchers have long speculated that Russian authorities have allowed ransomware groups to operate within Russia and CIS countries in return for cooperation and assurances not to target local businesses. However, Nefedov’s alleged connections to Russian intelligence could suggest a more profound relationship between ransomware gangs and state security services, raising national security concerns. The connection prompts questions about whether the group shared stolen information with the Russian state and to what extent the Black Basta’s targets were chosen based on national interests. These questions are particularly pressing given the group’s history of explicitly targeting numerous critical infrastructure organizations.
Impact of law enforcement operations targeting enabling services: Internal chats revealed discussions about the takedown of QakBot malware in August 2023 and its impact on their operations. The group appeared to follow the situation closely and reported challenges with delivering payloads following the takedown. In the absence of QakBot, the group was forced to rely on less effective manual infection methods such as more phishing and social engineering attacks, brute force attacks, and the testing and development of alternative ‘loaders’ [2] that could evade antivirus detection. The communications highlight the effectiveness of the QakBot takedown operation in slowing down the group’s operations by forcing attackers to identify more time-consuming and manual workarounds for their attack methods.
Internal disorganization and conflict: Although the leaked communications do not provide visibility into the period after September 2024, there is evidence of internal disagreements over responsibilities, pay, and what approach the group should take towards targeting healthcare organizations. The chats also revealed inconsistency and wide variation in the amounts charged to affiliates for access to the panel, which likely led to distrust and discontent among members. This is not the first time leaked chats have revealed internal conflict within a ransomware group; the 2022 Conti leaks also showed similar levels of conflict and dysfunction within that operation. These findings showcase the challenge all ransomware groups face with respect to long-term operability and could explain the group’s inconsistent behavior and noticeable decline in mid-2024.
[2] A loader is a component of malware that delivers and executes ransomware on a victim’s device.
Key takeaways
- Black Basta used a methodical approach for selecting victims: While most of the same rules apply to Black Basta as to other ransomware groups, leaked communications revealed that the group conducted more specific targeting of ‘high priority’ organizations and regularly referenced a spreadsheet used to track victims of interest. Review of the leaks to date shows that Black Basta appeared to prioritize organizations with a low tolerance for business disruption and a relatively high proportion of sensitive data. Top tier industries appear to include health care organizations, financial institutions, law firms and critical infrastructure organizations. These findings indicate that organizations in key sectors, or which share these key characteristics, will benefit from enhanced business continuity planning and additional tabletop exercising to ensure preparedness.
- The reported team leader of Black Basta has been unmasked: Though it is too soon to tell what will happen as a result of the Black Basta leaks, the unmasking of other ransomware leaders, such as the leader of LockBit, Dmitry Yuryevich Khoroshev (LockBitSupp), resulted in the imposition of OFAC sanctions against the individual. To date Nefedov has not been listed on OFAC’s sanctions lists, however, developments with this story will be worth monitoring closely.
- Leaked communications may identify previously undisclosed victims: Information identified by S-RM within the collection of leaked communications to date indicates that it is possible to identify previously undisclosed victims or targets of the Black Basta ransomware group either by identifying direct references to the organizations within the leaked communications, or by conducting targeted research on leaked credentials provided within communication transcripts. Although effects will differ by organization, the revelation of previously undisclosed victims could lead to financial losses, reputation harm and legal issues.
- The content of the leaked communications remains available: Though the Telegram channel ‘Basta’s Whisper’ has been taken offline, numerous copies of the leaked communications likely exist through downloaded collections of the data obtained by researchers and media. Additional information about the leaked communications is also available through Hudson Rock’s BlackBastaGPT instance, which enables anyone to conduct structured research of the leak’s contents.
What does this mean for Black Basta?
The Black Basta ransomware group has not listed a victim on its public leak site since 11 January 2025. The leaks most likely signify the dissolution of the group. Other ransomware organizations that experienced similar internal leaks, such as Conti, disbanded shortly thereafter and reconstituted under new brand names. Therefore, S-RM assesses it is most likely that members of the group will work for other ransomware groups or develop new operations under a new identity in the future.
S-RM has already observed that certain Black Basta members appear to have moved to Cactus Ransomware. This assessment is based on the use of a version of BackConnect malware previously only seen in Black Basta attacks, as well as other similarities in tactics, techniques and procedures (TTPs), such as social engineering attacks that use email flooding to obtain Microsoft Quick Assist access.
Guidance for Black Basta victims
Former victims of the Black Basta group who are not expecting their incident to be public, or who are looking to assess their level of exposure within the leaked data collection, could consider taking the following actions:
- Proactively search BlackBastaGPT or engage a specialist to conduct an investigation into the leaked chats to identify information associated with the organization.
- Monitor the deep and dark web for references to your organization and data to support early identification and response to publicly exposed information.
General ransomware mitigation guidance
Organizations seeking recommendations to protect themselves from ransomware groups like Black Basta should consider the following checklist of mitigating actions:
- Conduct a thorough vulnerability scan across all systems to confirm that critical security patches for externally exposed systems and known exploited vulnerabilities in the technology used have been applied.
- Consider enforcing MFA across all remote access points, disabling unnecessary accounts and implementing role-based access control as widely as possible.
- Review network access provided to third-party providers, ensure principles of least privilege and MFA are established for all associated accounts, and ensure appropriate logging and auditing are in place.
- Conduct a security control validation exercise designed to simulate ransomware TTPs to support identification of key security gaps.
- Review logging and monitoring posture: verify and increase log retention periods as much as feasible, and enable real-time monitoring on systems wherever possible to identify evidence of unusual activity within the network.
- Review backup posture and data recovery strategies in place across the organization to ensure resiliency to ransomware incidents.
- Update and test incident response plans for ransomware attacks to ensure team readiness.
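As an illustration of the real-time monitoring recommended above, and of the email-flooding precursor to the Quick Assist social-engineering attacks noted in the Cactus overlap, the following is an added example written for this post; it is not S-RM’s tooling and not code from the leaked material. It assumes a simplified mail-gateway log format of `timestamp sender recipient` per line (a constructed format), and the window, message and distinct-sender thresholds are assumptions that a real deployment would tune to its own baseline. The detector flags any mailbox that receives a burst of inbound mail from many distinct senders inside a short sliding window, which is the pattern an email-bombing run produces and a cue for the help desk to expect a follow-up “IT support” call.

```python
"""Sliding-window email-flood detector (added example, not from the original post).

Assumptions (constructed for this example):
  - log lines look like: "2024-06-03T09:00:00Z sender@domain recipient@domain"
  - a flood is >= `threshold` inbound messages to one recipient within `window`,
    coming from at least `min_distinct_senders` different senders (a single
    chatty mailing list should not trip the rule).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line into (timestamp, sender, recipient)."""
    ts, sender, recipient = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sender, recipient


def detect_email_floods(log_text, window=timedelta(minutes=10),
                        threshold=20, min_distinct_senders=10):
    """Return {recipient: {start, end, count, distinct_senders}} for every
    recipient whose inbound mail exceeded the thresholds inside `window`.
    The largest burst seen for each recipient is kept."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender)
    alerts = {}
    for ts, sender, rcpt in events:
        q = recent[rcpt]
        q.append((ts, sender))
        # Drop messages that fell out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        senders = {s for _, s in q}
        if len(q) >= threshold and len(senders) >= min_distinct_senders:
            prev = alerts.get(rcpt)
            if prev is None or len(q) > prev["count"]:
                alerts[rcpt] = {
                    "start": q[0][0],
                    "end": ts,
                    "count": len(q),
                    "distinct_senders": len(senders),
                }
    return alerts


def build_sample_log():
    """Constructed sample data: 25 messages from 25 distinct senders to alice
    within four minutes (a flood), and 5 messages to bob spread over an hour
    (normal traffic)."""
    base = datetime(2024, 6, 3, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} list{i}@newsletter{i}.test alice@corp.example")
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} colleague{i}@partner.test bob@corp.example")
    return "\n".join(lines)


if __name__ == "__main__":
    for rcpt, info in detect_email_floods(build_sample_log()).items():
        print(f"ALERT {rcpt}: {info['count']} messages from "
              f"{info['distinct_senders']} senders between "
              f"{info['start']:%H:%M:%S} and {info['end']:%H:%M:%S}")
```

The distinct-sender requirement is the main design choice: a burst of newsletter sign-up confirmations from many unrelated domains is what separates a bombing run from a busy internal thread or a single misconfigured list, so tuning that value against a week of normal gateway logs matters more than the raw message count. An alert of this kind is most useful when it is routed to the service desk as well as the SOC, since the next step in the observed pattern is a call asking the flooded user to open a remote-assistance session.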
These insights are derived from the following sources: local research of a copy of the leaked communications, ecrime.ch, structured queries of the BlackBastaGPT instance, and open sources. Please contact S-RM for additional information about the Black Basta leaks and remediation advice.
Edited by Dan Caplin