A major leak of Black Basta’s internal chat logs on February 11, 2025, has exposed significant internal conflicts, leadership instability, and financial fraud within the ransomware group. The leak, allegedly triggered by their attacks on Russian banks, has led to a decline in their operations, mirroring past incidents like the Conti leaks. Key members defected to rival groups like Cactus Ransomware, further weakening Black Basta. The chat logs also provide insights into tactics, techniques, and procedures (TTPs) used by the group, including ransomware deployment, phishing campaigns, and VPN exploitation.
The leaks reveal Indicators of Compromise (IoCs) such as IP addresses, domains, hashes, and malicious files, which can help organizations detect and defend against Black Basta’s activities. Additionally, they expose the gang’s ransom negotiation strategies, infrastructure, and financial operations, including cryptocurrency wallets used for payments.