A trove of chat logs allegedly belonging to the Black Basta ransomware group has leaked online, exposing key members of the prolific Russia-linked gang.
The chat logs, which include over 200,000 messages spanning from September 18, 2023, to September 28, 2024, were shared with threat intelligence firm Prodaft by a leaker. The cybersecurity firm says the leak comes amid "internal conflict" within the Black Basta group after some members allegedly failed to provide victims with working decryption tools despite the victims paying a ransom demand.
It's not yet known whether the leaker, who uses the alias "ExploitWhispers" on Telegram, was a member of the Black Basta gang.
Black Basta is a prolific Russian-language ransomware gang, which the U.S. government has linked to hundreds of attacks on critical infrastructure and global businesses, and whose publicly known victims include U.S. healthcare organization Ascension, U.K. utility company Southern Water, and British outsourcing giant Capita. The leaked chat logs give a never-before-seen look inside the ransomware gang, including some of its unreported targets.
According to a post on X by Prodaft, the leaker said that the hackers "crossed the line" by targeting Russian domestic banks.
"So we're dedicated to uncovering the truth and investigating Black Basta's next steps," the leaker wrote.
Targeted victims, exploits, and a teenage hacker
TechCrunch obtained a copy of the hackers' chat logs from Prodaft, which contain details about key members of the ransomware gang.
These members include "YY" (Black Basta's main administrator); "Lapa" (another of Black Basta's key leaders); "Cortes" (a hacker linked to the Qakbot botnet); and "Trump" (also known as "AA" and "GG").
The hacker "Trump" is believed to be an alias used by Oleg Nefedovaka, whom Prodaft researchers describe as "the group's main boss." The researchers linked Nefedovaka to the now-defunct Conti ransomware group, which shut down soon after its internal chat logs leaked following the gang's declaration of support for Russia's full-scale invasion of Ukraine in 2022.
The leaked Black Basta chat logs also quote one member as saying they are 17 years old, TechCrunch has seen.
By our count, the leaked chats contain 380 unique links to company information hosted on ZoomInfo, a data broker that collects and sells access to businesses and their employees, which the chat logs show the hackers used to research the companies they targeted. The links also give some indication of the number of organizations targeted by the gang during the 12-month period.
The chat logs also reveal unprecedented insights into the group's operations. The messages include details on Black Basta's victims, copies of phishing templates used in their cyberattacks, some of the exploits used by the gang, cryptocurrency addresses associated with ransom payments, and details about ransom demands and the gang's negotiations with hacked organizations.
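As an added example (not code from the article, TechCrunch or Prodaft), here is the kind of triage script an analyst would run over a dump like this to arrive at counts such as the "380 unique links" above: it deduplicates ZoomInfo company profile links across scheme, "www." and trailing-slash variants so one company is counted once, ignores ZoomInfo person profiles, and pulls out Bitcoin addresses mentioned alongside ransom talk. The JSON-lines message format (one object per line with "timestamp", "sender" and "text") and the sample messages are constructed assumptions, not the leaked data.

```python
"""Triage helper for a leaked chat dump: collect the ZoomInfo company
links and Bitcoin addresses the messages reference, deduplicate them,
and report how many distinct organizations appear.

Added example for this article; not code from TechCrunch or Prodaft.
The message format (one JSON object per line with "timestamp", "sender"
and "text") and the sample messages below are constructed assumptions.
"""
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of the dump format this script expects (not real leaked data).
SAMPLE_DUMP = r"""
{"timestamp": "2024-03-01T10:12:00Z", "sender": "yy", "text": "look https://www.zoominfo.com/c/example-corp/123456 revenue 2b"}
{"timestamp": "2024-03-01T10:13:30Z", "sender": "lapa", "text": "same one: http://zoominfo.com/c/example-corp/123456/ already in list"}
{"timestamp": "2024-03-01T11:02:00Z", "sender": "yy", "text": "next https://www.zoominfo.com/c/acme-holdings/987654 and https://www.zoominfo.com/p/john-doe/1122334455"}
{"timestamp": "2024-03-02T09:00:00Z", "sender": "gg", "text": "wallet for them bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"}
{"timestamp": "2024-03-02T09:05:00Z", "sender": "gg", "text": "old one 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 is burned, use the bc1 above"}
{"timestamp": "2024-03-02T09:06:00Z", "sender": "lapa", "text": "ok"}
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Legacy base58 addresses (1..., 3...) and bech32 mainnet addresses (bc1...).
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")


def parse_dump(text):
    """Parse one JSON object per non-empty line; skip lines that are not valid JSON."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            messages.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return messages


def normalize_zoominfo_company(url):
    """Return a canonical key for a ZoomInfo company profile URL, or None.

    Drops the scheme, "www." and trailing slashes so the same profile posted
    as http/https or with/without "www." counts once. Person profiles
    (/p/...) and non-ZoomInfo hosts return None.
    """
    parts = urlsplit(url.rstrip(".,;:)"))
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    if host != "zoominfo.com":
        return None
    path = parts.path.rstrip("/")
    if not path.startswith("/c/"):
        return None
    return host + path


def extract_zoominfo_companies(messages):
    """Sorted list of distinct ZoomInfo company profile keys across all messages."""
    keys = set()
    for m in messages:
        for url in URL_RE.findall(m.get("text", "")):
            key = normalize_zoominfo_company(url)
            if key:
                keys.add(key)
    return sorted(keys)


def extract_btc_addresses(messages):
    """Sorted list of distinct Bitcoin-looking addresses mentioned in the messages."""
    found = set()
    for m in messages:
        found.update(BTC_RE.findall(m.get("text", "")))
    return sorted(found)


def summarize(messages):
    """Headline numbers for the dump, plus who posted the company links."""
    companies = extract_zoominfo_companies(messages)
    by_sender = Counter()
    for m in messages:
        for url in URL_RE.findall(m.get("text", "")):
            if normalize_zoominfo_company(url):
                by_sender[m.get("sender", "?")] += 1
    return {
        "messages": len(messages),
        "unique_companies": len(companies),
        "companies": companies,
        "btc_addresses": extract_btc_addresses(messages),
        "mentions_by_sender": dict(by_sender),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_dump(SAMPLE_DUMP)), indent=2))
```

The normalization step matters for the headline figure: the same ZoomInfo profile typically recurs in a group chat under slightly different URL spellings, and counting raw strings would overstate the number of researched companies. The Bitcoin regex is a syntactic filter only; a real workflow would checksum-validate each hit before treating it as an indicator.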
We also found chat logs of the hackers discussing a TechCrunch article about ongoing Qakbot activity, despite an earlier FBI takedown operation aimed at knocking the notorious botnet offline.
TechCrunch also found chat logs that named several previously unknown targeted organizations. These include the failed U.S. automotive giant Fisker; healthtech provider Cerner Corp, which is now owned by Oracle; and U.K.-based travel agency Hotelplan. It's not yet known whether the companies were breached, and none of the companies responded to TechCrunch's inquiries.
The chat logs appear to show the gang's efforts to exploit security bugs in enterprise network devices, such as the routers and firewalls that sit on the perimeter of an organization's network and act as digital gatekeepers.
The hackers boasted of their ability to exploit vulnerabilities in Citrix remote access products to break into at least two company networks. The gang also talked about exploiting vulnerabilities in Ivanti, Palo Alto Networks and Fortinet software to carry out cyberattacks.
A conversation between Black Basta members also suggests that some of the group were worried about being investigated by Russian authorities in response to geopolitical pressures. While Russia has long been a safe haven for ransomware gangs, Black Basta was also concerned about actions announced by the U.S. government.
Messages sent after the group's breach of Ascension's systems warned that the FBI and CISA are "100% obliged" to get involved and could result in the agencies "taking a tough stance on Black Basta."
Black Basta's dark web leak site, which it uses to publicly extort victims into paying the gang a ransom demand, was offline at the time of publication.