Mar 10, 2025

Unpacking the Black Basta Leak


In the world of cybercrime, ransomware groups operate in the shadows, extorting millions from businesses and individuals. One such notorious group is Black Basta, a ransomware as-a-service (RaaS) operation that emerged in 2022. The Black Basta leak is one of the most significant data breaches in the cybercriminal underground, exposing the inner workings of one of the most notorious ransomware groups. This trove of internal chat messages, spanning from September 2023 to June 2024, offers unprecedented insight into their operations, infrastructure, and tactics.

This article provides a technical and detailed analysis of the Black Basta leak: the origins and context of the leak, an overview of Black Basta’s history and cyber activities, the contents of the leaked chat messages and their relevance, notable CVEs and GitHub repositories mentioned in the leak, and how security researchers can use the data to protect organizations. The analysis was conducted by Armis Labs using HUMINT, AI, and ML as independent research, rather than relying on generative AI output that might hallucinate findings.

Lastly, we will see how the intelligence from Armis Centrix™ for Early Warning stacked up against Black Basta’s operations. Spoiler alert: Armis Centrix™ for Early Warning defended against almost 90% of the CVEs Black Basta used in their attacks, 60% of which were not on CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

The Black Basta Leak: Origins, Release, and Impact

The Black Basta chat leak consists of extensive internal conversations (approximately 200,000 messages) among members of the ransomware group, spanning from September 2023 to June 2024. The leak was allegedly released by a disgruntled affiliate or a rival actor, exposing operational tactics, discussions of hacking tools, financial transactions, and victim negotiations.

The chat logs, primarily from the Matrix messaging platform (matrix.bestflowers247[.]online), appeared on underground forums and were later distributed through multiple sources, including dark web channels and cybersecurity researchers. The data was released by an individual using the handle “ExploitWhispers” on February 11, 2025. The leaker claimed the release was in retaliation for Black Basta’s attacks on Russian banks. The authenticity of the leaked chats has been supported by multiple security researchers, who noted that the content aligns with known events and facts related to Black Basta’s activities.

Who is Black Basta?

Black Basta is a Russian-speaking ransomware group that first appeared in April 2022. The group has since carried out high-profile attacks on companies across various industries, employing double extortion tactics (i.e. encrypting data and leaking it if the ransom is not paid).

Their modus operandi follows the typical Ransomware-as-a-Service (RaaS) model, where affiliates use the malware to conduct attacks in exchange for a share of the ransom. Key tactics included initial access (phishing, stolen credentials, and exploitation of Remote Desktop Protocol (RDP) vulnerabilities), privilege escalation (abuse of Windows domain controllers and Active Directory), lateral movement (use of Cobalt Strike, Mimikatz, and PsExec), and data exfiltration.

Since its emergence in early 2022, the Black Basta ransomware group has targeted over 500 organizations worldwide, affecting various sectors, including critical infrastructure. Notable victims include Capita, ABB, and Dish Network. The group has also targeted healthcare organizations, with the Catholic healthcare system Ascension experiencing disruptions across 140 hospitals in May 2024. Financially, Black Basta has extorted at least $107 million in Bitcoin ransom payments from over 90 victims, with the largest known payment being $9 million. The group primarily focuses on organizations in the United States, which account for approximately 61.9% of their victims, followed by Germany at 15.8%.

What’s Inside the Black Basta Leak?

The Black Basta data leak consists of internal chat messages that provide a detailed look into their cybercrime operations, including attack planning and execution (e.g. discussions on target selection, exploit usage, and ransomware deployment), compromised credentials and infrastructure (lists of stolen VPN, RDP, and SSH credentials for corporate networks), malware and exploits (e.g. references to custom malware, PowerShell scripts, and exploits for CVEs), and even ransom payment logistics (e.g. coordination of negotiations, extortion tactics, and laundering methods).

This leak offers critical intelligence for law enforcement, cybersecurity professionals, and threat intelligence researchers, providing a rare inside look at a major ransomware operation, including several key actors within the group, each playing a distinct role in its operations. Notable individuals are Usernamegg (Operational Coordinator & Infrastructure Management), Lapa (Exploit Developer & Malware Operator), Chuck (Network Access Broker & Proxy Provider), Usernameugway (Social Engineering & Initial Access Facilitator), Usernamess (Infrastructure & Remote Access Management), and N3auxaxl (Triage & Execution).

Several CVEs are mentioned in the chats, indicating known weaknesses the group exploited. In total, 62 CVEs appear in the leaked data; some of the notable ones are:

CVE ID           Description                         Targeted systems
CVE-2023-27532   Veeam Backup & Replication RCE      Cloud backups
CVE-2023-22972   Citrix Gateway and ADC RCE          VPN gateways
CVE-2022-22954   VMware Workspace ONE RCE            Virtual machines
CVE-2023-28771   Zyxel Firewall Command Injection    Network firewalls

Besides CVEs, the leak references a significant number of GitHub repositories (more than 100). Some of the more notable ones are:

Repo URL                                          Description
https://github.com/PowerShellMafia/PowerSploit    PowerShell exploitation framework
https://github.com/SecureAuthCorp/impacket        SMB and AD exploitation toolkit
https://github.com/3xpl01tc0d3r/rdp-brute         RDP brute force attack tool

Lastly, the leaked chat messages – which cover a period of only one year – reveal the extensive reach of the threat actor’s criminal operations. The messages contain references to a staggering 1,868 unique Internet domains spread across 84 countries. This highlights the global nature of the threat and the actor’s prolific targeting of victims across a wide range of locations; the sheer number of domains involved emphasizes the scale of the operation and its potential for widespread damage and disruption.

To summarize, the leak provides security professionals with an unprecedented insight into the tactics, techniques and procedures used by the ransomware group to carry out their operations. More on this below.
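The CVE and repository mentions listed above, and the comparison against CISA’s KEV catalog drawn later in this post, are the kind of triage a researcher would automate over the chat dump. The script below is an added example, not code from Armis Labs: it assumes messages as (date, sender, text) tuples, uses constructed sample messages, and uses a constructed KEV snapshot with made-up "date added" values rather than the real catalog.

```python
import re
from collections import Counter
from datetime import date

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
REPO_RE = re.compile(r"https?://github\.com/[\w.-]+/[\w.-]+")

# Constructed sample messages (date, sender, text); not lines from the real leak.
SAMPLE_CHAT = [
    ("2023-10-02", "lapa", "tested cve-2023-27532 against the backup host, works"),
    ("2023-10-02", "usernamegg", "take https://github.com/SecureAuthCorp/impacket for smb"),
    ("2024-01-15", "lapa", "CVE-2023-28771 zyxel; also https://github.com/PowerShellMafia/PowerSploit"),
    ("2024-03-20", "chuck", "CVE-2022-22954 again, and CVE-2023-27532 on another target"),
]

# Constructed KEV snapshot (CVE -> date added); NOT the real CISA catalog.
SAMPLE_KEV = {
    "CVE-2023-27532": date(2023, 11, 1),
    "CVE-2022-22954": date(2022, 4, 15),
}

def extract_mentions(messages):
    """Count CVE and GitHub repo mentions; record the earliest date each CVE appears."""
    cves, repos, first_seen = Counter(), Counter(), {}
    for ts, _sender, text in messages:
        day = date.fromisoformat(ts)
        for cve in CVE_RE.findall(text):
            cve = cve.upper()  # chats mix cases; normalise before counting
            cves[cve] += 1
            if cve not in first_seen or day < first_seen[cve]:
                first_seen[cve] = day
        for repo in REPO_RE.findall(text):
            repos[repo.rstrip("/")] += 1
    return cves, repos, first_seen

def compare_to_kev(first_seen, kev):
    """Per CVE: is it in the KEV snapshot, and was it discussed before KEV listed it?"""
    rows = {}
    for cve, seen in first_seen.items():
        added = kev.get(cve)
        rows[cve] = {"in_kev": added is not None,
                     "chat_before_kev": added is not None and seen < added}
    in_kev = sum(r["in_kev"] for r in rows.values())
    coverage = round(100 * in_kev / len(rows), 1) if rows else 0.0
    return rows, coverage

if __name__ == "__main__":
    cves, repos, first = extract_mentions(SAMPLE_CHAT)
    rows, pct = compare_to_kev(first, SAMPLE_KEV)
    print(cves.most_common(), repos.most_common(), rows, f"{pct}% in KEV")
```

A CVE flagged `chat_before_kev` is one the actors were already discussing before it reached the catalog, which is the gap an earlier warning source has to close.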

How Security Researchers and Practitioners Can Use the Leak

The leaked Black Basta chat logs provide security researchers and practitioners with a rare opportunity to gain deeper insights into the inner workings of a major ransomware group. By analyzing the conversations, researchers can identify the group’s tactics, techniques, and procedures (TTPs), uncovering patterns in how they select and compromise their victims. These insights can help refine threat intelligence models and improve detection mechanisms, allowing organizations to proactively defend against similar attacks in the future.

Mapped against the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, the most prevalent TTPs discussed in the leak are:

  • Initial Access (T1078, T1566): the group utilizes stolen credentials and phishing techniques to gain access to target systems.
  • Execution (T1059.005): the use of scripts (including Visual Basic Script and JavaScript) and the execution of malicious DLLs are evident in the leak.
  • Persistence (T1078): the group maintains access through SSH and RDP (Remote Desktop Protocol) with stolen credentials. Numerous credentials are shared in the chats, showing a reliance on valid accounts for persistent access.
  • Privilege Escalation (T1078, T1110): the logs show attempts to brute-force credentials and exploit misconfigured systems, including mentions of systems where “any password is accepted”.
  • Defense Evasion (T1218, T1562): attempts to avoid detection by leveraging legitimate utilities for malicious purposes. Additionally, there is a focus on avoiding detection during link scans and adjusting phishing emails to bypass security measures.
  • Credential Access (T1003, T1555): the group harvests credentials, and plaintext credentials are shared in the chat logs.
  • Discovery (T1049, T1087): the chats include discussions about identifying IP addresses of services like Jenkins, as well as scanning for other open services, likely using tools like Shodan.
  • Lateral Movement (T1078, T1021.001): there is evidence of the use of RDP and SSH for lateral movement within networks.
  • Collection (T1560): the threat actors mention specific files needed from compromised systems and discuss file transfer methods.
  • Command and Control (T1090): the use of SOCKS proxies and C2 (command and control) channels is broadly discussed, indicating infrastructure set up to maintain communication with compromised systems.
  • Exfiltration (T1041): the group discusses downloading large data sets and transferring them using custom file servers, suggesting that they exfiltrate data to their own infrastructure.
  • Impact (T1486, T1490): the mention of file lockers suggests ransomware deployment, aligning with typical ransomware tactics to encrypt victim data.

These TTPs highlight a sophisticated approach involving credential theft, phishing, exploitation of misconfigurations, use of legitimate tools for evasion, and execution of ransomware as the final step. But, going beyond tactics, techniques, and procedures, the leak also reveals internal conflicts and operational challenges within Black Basta, shedding light on the group’s hierarchy, decision-making processes, and the tools they rely on.

For incident response teams, the chat logs provide valuable forensic data that can help correlate past intrusions with the threat actors’ methodologies. If an organization was previously attacked by Black Basta, cross-referencing the logs with internal security data could uncover additional details about the attack, such as entry points, lateral movement strategies, and exfiltration techniques.

Additionally, cybersecurity awareness training content generation can benefit from real-world examples found in the leaked communications. The messages highlight social engineering strategies and negotiation tactics used by ransomware operators, giving security teams an authentic resource for educating employees on how to recognize and respond to cyber threats. By leveraging the intelligence from the Black Basta leak, security practitioners can enhance their defenses, refine investigative approaches, and strengthen organizational resilience against future ransomware attacks.

How Proactive AI-driven Detection by Armis Centrix™ for Early Warning Helps Detect and Mitigate Risk

The analysis of the Black Basta data leak provides valuable insights into how different security measures performed against the group’s operations, despite the group no longer being active. This exercise is particularly effective due to the wealth of information made available through the leaked data.

One key area of interest is the comparison between the performance of Armis Centrix™ for Early Warning and more traditional intelligence sources. The data shows a significant advantage for Armis customers. Of the 62 CVEs mentioned by Black Basta associates in the leaked communications, Armis Centrix™ for Early Warning alerted customers to 89% of them. Furthermore, for 58% of the CVEs Black Basta leveraged, the warning was issued before CISA added them to its KEV catalog, highlighting the speed and effectiveness of Armis’s early warning system compared with traditional sources.

Armis Centrix™ for Early Warning is a proactive cybersecurity solution designed to give organizations early warning intelligence so they can anticipate and mitigate cyber risks effectively. By leveraging AI-driven actionable intelligence, Armis Centrix™ provides insight into vulnerabilities that threat actors are exploiting in the wild or are about to weaponize, allowing organizations to understand their impact and take preemptive action.

Learn more about Armis Centrix™ for Early Warning or request a demo today.
