Full Report
More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented visibility into their tactics and internal conflicts among its members. The Russian-language chats on the Matrix messaging platform between September 18, 2023, and September 28, 2024, were initially leaked on February 11, 2025, by an
Analysis Summary
# Threat Actor: Black Basta
## Attribution & Identity
- **Primary Name:** Black Basta
- **Attribution:** Russia-linked cybercrime syndicate
- **Known Aliases/Associated Groups:** Vengeful Mantis (tracked as an alias). Key members are linked to the defunct Conti ransomware scheme, and some members later moved to the CACTUS (aka Nurturing Mantis) and Akira ransomware operations.
- **Key Individuals Mentioned:**
- **Oleg Nefedov:** Identified as the group's main boss; uses the handles GG, AA, and Trump, tracked as LARVA-18. He also operated within the Conti scheme.
- **Tramp (LARVA-18):** Spelled both "Tramp" and "Trump" in this page; both carry the same tracking ID (LARVA-18), so they appear to refer to the same persona. Known for operating a QBot spamming network and cited as a driver of the group's internal instability.
- **Lapa:** One of the group's main administrators.
- **YY:** Administrator handling support tasks.
- **Bio:** Worked alongside Trump (Oleg Nefedov) in Conti.
## Activity Summary
Black Basta first emerged in April 2022 as a financially motivated, double-extortion ransomware operation. By the end of 2023 it was estimated to have netted at least $107 million in Bitcoin ransom payments from more than 90 victims. The group has been largely inactive since the start of 2025 (the leak surfaced in February 2025) owing to internal strife, including operators scamming victims, which drove some key members to defect to the CACTUS and Akira operations. The leaked chats, covering September 2023 to September 2024, were published by 'ExploitWhispers', who claimed to be acting in protest after Black Basta targeted Russian banks.
## Tactics, Techniques & Procedures
- **Initial Access:** Leveraging known vulnerabilities, misconfigurations, and insufficient security controls.
- Exploiting SMB misconfigurations.
- Exploiting exposed RDP servers.
- Abusing weak authentication, such as default VPN credentials, and brute-forcing logins with stolen credentials.
- Deploying malware droppers for payload delivery.
- **Evolution:** Began actively incorporating social engineering techniques after the success Scattered Spider had with that approach.
- **Payload hosting/evasion:** Staging payloads on legitimate file-sharing platforms (e.g., transfer.sh, temp.sh, send.vis.ee), so downloads blend in with ordinary web traffic rather than pointing at attacker-owned infrastructure.
- **Speed:** Moving rapidly from initial access to network-wide compromise, sometimes within minutes.
## Targeting
- **Sectors:** Private industry and critical infrastructure entities.
- **Geography:** North America, Europe, and Australia.
- **Victims:** Estimated to have targeted more than 500 organizations.
## Tools & Infrastructure
- **Initial Access Tool:** QakBot (QBot) was used historically as a delivery vehicle.
- **Ransomware:** Black Basta proprietary ransomware.
- **Infrastructure:** Payload hosting on legitimate services: `transfer.sh`, `temp.sh`, `send.vis.ee`.
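The file-sharing services named above are a concrete detection hook: a proxy or DNS log lookup for those hosts catches the staging step before anything executes. The following is an added example, not code from the original article, that scans a constructed proxy log for downloads from exactly the hosts listed on this page. The log format (timestamp, client IP, user, method, URL, status) is an assumption chosen for illustration; adapt the split to your proxy's actual fields.

```python
from urllib.parse import urlsplit

# Payload-hosting services named on this page. A hit is the registered host
# itself or any subdomain of it (e.g. "files.temp.sh"); a look-alike such as
# "nottransfer.sh" must not match, which is why suffix matching includes the dot.
WATCHED_HOSTS = ("transfer.sh", "temp.sh", "send.vis.ee")

# Constructed sample proxy log (assumed format):
#   <timestamp> <client_ip> <user> <http_method> <url> <status>
SAMPLE_PROXY_LOG = """\
2024-03-04T10:12:01Z 10.20.30.41 jdoe GET https://transfer.sh/abc123/update.exe 200
2024-03-04T10:12:05Z 10.20.30.41 jdoe GET https://www.example.com/index.html 200
2024-03-04T10:13:17Z 10.20.30.77 asmith GET https://files.temp.sh/x/loader.zip 200
2024-03-04T10:14:02Z 10.20.30.90 bjones GET https://nottransfer.sh/legit.pdf 200
2024-03-04T10:15:44Z 10.20.30.41 jdoe GET http://SEND.vis.ee:8080/download/9f8e7d 200
malformed line without enough fields
"""


def host_matches(host: str, watched=WATCHED_HOSTS) -> bool:
    """True if host is one of the watched hosts or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)


def find_payload_hosting_downloads(log_text: str, watched=WATCHED_HOSTS):
    """Return one record per log line whose URL host is a watched host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip lines that do not fit the assumed format
        ts, client_ip, user, method, url, status = parts
        # urlsplit().hostname strips scheme, port and userinfo and lowercases
        host = urlsplit(url).hostname or ""
        if host_matches(host, watched):
            hits.append({"time": ts, "client": client_ip, "user": user,
                         "host": host, "url": url, "status": status})
    return hits


def clients_by_hit_count(hits):
    """Aggregate hits per client IP so the noisiest host gets triaged first."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for h in find_payload_hosting_downloads(SAMPLE_PROXY_LOG):
        print(f'{h["time"]} {h["client"]} {h["user"]} -> {h["host"]} ({h["url"]})')
    print(clients_by_hit_count(find_payload_hosting_downloads(SAMPLE_PROXY_LOG)))
```

Matching on the parsed hostname rather than a substring of the URL is what keeps `nottransfer.sh` out and still catches mixed-case hosts or a non-default port; the same `host_matches` check works unchanged against DNS query logs if you feed it the queried name.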
## Implications
The leaked internal communications provide unprecedented insight into the operational structure, key actors, and internal conflicts of a major ransomware group. The instability suggests a potential splintering of the group, with affiliates joining other existing ransomware operations (such as CACTUS or Akira), which may boost those groups' capabilities or produce copycat activity. The speed from initial access to network-wide compromise, sometimes within minutes, means the realistic detection window is at the initial-access stage (exposed RDP, SMB weaknesses, VPN credential abuse) rather than at encryption.
## Mitigations
- Harden RDP configurations and eliminate exposed RDP instances.
- Audit and correct SMB configuration weaknesses.
- Enforce strong, unique authentication mechanisms, especially for VPNs, and monitor for brute-force attempts.
- Monitor for malware droppers and for payload downloads from the legitimate file-sharing services listed above (transfer.sh, temp.sh, send.vis.ee).
- Be aware of extortion attempts potentially originating from defectors or splinter cells of this group.
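The VPN mitigation above asks for brute-force monitoring. As an added example (not code from the original article), the block below runs a per-source sliding window over a constructed VPN authentication log and raises two kinds of alert: a burst of failures from one source, and a success from a source that was just bursting, which is the pattern a default-credential or stolen-credential login leaves behind. The log line format and the threshold/window values are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed VPN authentication log, syslog-like (assumed format):
#   <ISO timestamp> vpn auth <failure|success> user=<name> src=<ip>
SAMPLE_VPN_LOG = """\
2024-03-04T08:00:01Z vpn auth failure user=admin src=203.0.113.10
2024-03-04T08:00:03Z vpn auth failure user=jdoe src=203.0.113.10
2024-03-04T08:00:04Z vpn auth failure user=asmith src=203.0.113.10
2024-03-04T08:00:06Z vpn auth failure user=bjones src=203.0.113.10
2024-03-04T08:00:08Z vpn auth failure user=cwhite src=203.0.113.10
2024-03-04T08:00:09Z vpn auth success user=cwhite src=203.0.113.10
2024-03-04T08:30:00Z vpn auth failure user=jdoe src=198.51.100.7
2024-03-04T09:45:00Z vpn auth failure user=jdoe src=198.51.100.7
2024-03-04T09:45:30Z vpn auth success user=jdoe src=198.51.100.7
not a vpn line
"""

LINE_RE = re.compile(r"^(\S+) vpn auth (failure|success) user=(\S+) src=(\S+)$")


def parse_vpn_log(log_text):
    """Yield (timestamp, result, user, src) for every line that fits the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_vpn_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force detector keyed on source IP.

    - "bruteforce": at least `threshold` failures from one source within `window`
      (raised once per burst, not once per additional failure).
    - "success_after_bruteforce": a successful login from a source that is
      currently bursting; this is the alert worth paging on.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures inside window
    bursting = set()               # sources that have already tripped threshold
    alerts = []
    for ts, result, user, src in parse_vpn_log(log_text):
        q = failures[src]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(q), "time": ts})
        else:
            if src in bursting:
                alerts.append({"type": "success_after_bruteforce", "src": src,
                               "user": user, "time": ts})
            # a success ends the burst for this source; start counting afresh
            q.clear()
            bursting.discard(src)
    return alerts


if __name__ == "__main__":
    for a in detect_vpn_bruteforce(SAMPLE_VPN_LOG):
        print(a)
```

The second source in the sample log (`198.51.100.7`) has two failures more than an hour apart, so the window logic discards the first and no alert fires; that is the behaviour you want so that a user mistyping a password twice in a day does not page anyone. Tune `threshold` and `window` to your VPN's normal failure rate, and key the window on username as well as source if the attacker rotates IPs.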