
Internal Chat Logs of Ransomware Group Leaked

Russia allows cybercrime gangs to operate as long as they don't cause domestic incidents. 


Companies make mistakes that are hard to get over. Uber tried to cover up a 2016 breach affecting millions of drivers and customers. Internal investigators under new management later revealed that the company paid $100,000 to the attackers to delete the stolen data. Uber didn’t report the breach. There was a lot of internal turmoil and fallout over the company’s errant decisions.

These kinds of events are not limited to legitimate businesses. According to several news sources, on February 11, 2025, ransomware group Black Basta’s internal chat logs, covering September 18, 2023, to September 28, 2024, were leaked on the MEGA file-sharing platform. That same day, a user with the alias ExploitWhispers took credit for the leak via Telegram, a cloud-based messaging app.

ExploitWhispers claimed on their Telegram channel @shopotbasta that they leaked the logs because the ransomware group had targeted Russian financial institutions. There is an informal code among Russian-speaking cybercriminals to avoid attacking domestic entities, since doing so risks attracting unwanted attention from Russian authorities.

ExploitWhispers criticized the group’s alleged leader, Oleg Nefedov (aliases Tramp, GG, and AA), for focusing on personal profit at the expense of the group’s unity, fueling internal conflicts. ExploitWhispers also asserted that Black Basta was faltering due to operational issues, including some members collecting ransom payments without delivering working decryption tools, and that disputes over money underscored the group’s unraveling state.

When a ransomware group like Black Basta encrypts an organization’s data, the ransom demand comes with the promise of a tool to decrypt it. If that tool does not work, the victim has paid for nothing and may never regain access to its data, which is one reason incident responders test a supplied decryptor on copies of a few files before running it across an entire environment.

According to Jeremy Kirk, an analyst with Intel 471, a Wilmington, DE-based cyber threat intelligence company, little is known about the user alias ExploitWhispers. “This nickname was new. But ExploitWhispers appeared to possess deep insider knowledge or direct access to Black Basta. The use of a female pronoun in the original Russian-language post suggests that this individual may identify as a woman, or used the pronoun to confuse people,” said Kirk.

According to several news sources and cybersecurity blogs, Black Basta has not listed a victim on its public leak site since January 11, 2025, and the leak site on the dark web is offline. Black Basta members and affiliates have reportedly moved to other ransomware operations, such as the Cactus ransomware group, as Black Basta’s own operations wound down. The evidence that former Black Basta members now work with Cactus includes shared tooling, notably the BackConnect module, a remote access tool criminal hackers use to reach a victim’s computer from the outside.

What Was In the Leaked Chat Logs?

“Our analysts could not substantiate the purported attacks against Russian banks despite it being stated as the motivation from ExploitWhispers to leak the chat logs,” said Kirk.

However, the leaked chat logs contained one major surprise: 533 Russian IP (Internet Protocol) addresses, according to Mil Rajic, the multi-stakeholder ransomware SIG lead of the Forum of Incident Response and Security Teams (FIRST). The Russian IP addresses appear alongside addresses in countries Russian ransomware groups typically target, such as the U.S. (1,866 IPs), Germany (274 IPs), Canada (191 IPs), and the U.K. (119 IPs), according to Rajic.

Observed Intel 471’s Kirk, “Black Basta appeared not to attack companies in countries friendly to Russia. However, in October 2023, it attacked a South Korea-based automotive parts company. Many of the compromised systems allegedly belonged to the company’s Russia-based office, but Black Basta group members purportedly decided to proceed with the attack.”

Concerning Black Basta’s internal conflicts over money, Halit Alptekin, chief intelligence officer for PRODAFT, a cyber threat intelligence company based in Istanbul, Turkey, said, “LARVA-18 [Oleg Nefedov] acted as a strict leader, a necessary quality in ransomware groups where the pursuit of money often inflates egos and leads to internal conflicts. These conflicts contributed to some instability within the group.” (LARVA-18 is PRODAFT’s identifier for the same individual, also known as Tramp, AA, and GG.)

Regarding ExploitWhispers’ other claims, Alptekin said, “The leaked chat logs do mention problems with the encryption process. While this could point to an operational issue, considering that the leaks may stem from internal conflict, some operators may use this as leverage to damage the group’s reputation. These actions are common during periods of instability, such as exit scams or group shutdowns.”

In an exit scam, operators take money from victims or partners, deliver nothing, and disappear before the group dissolves. Group shutdowns here refer to Black Basta’s decline after the leak. The encryption and decryption problems mentioned in the logs could reflect a mix of genuine technical failures and deliberate sabotage by members positioning themselves for an exit.

Why Russian Cybercriminals Don’t Attack Russian Targets

“Russia allows professional cybercrime gangs to operate within its borders as long as they do not cause domestic incidents, so these groups and actors direct their intrusions outside of Russia’s borders and also exclude CIS countries,” said Kirk. The CIS is the Commonwealth of Independent States, a regional intergovernmental organization of former Soviet republics formed after the dissolution of the Soviet Union.

According to Kirk, the Russian state expects cybercriminals in Russia to aid it and its intelligence agencies upon request, a quid pro quo that has been documented over many years, such as in the cases of Evgeniy Bogachev, the Yahoo email breach, and the Trickbot malware and Conti ransomware groups.

Bogachev’s criminal infrastructure gathered intelligence on targets like Ukraine and U.S. agencies, in a quid pro quo for which the Russian state tolerated his criminal activity. In the Yahoo email breach, criminal hackers worked with Russian intelligence officers who protected them from prosecution, according to published reports. The Trickbot and Conti ransomware groups supported the Russian government in exchange for operational freedom, reports said.

“The foundation for these relationships is institutionalized corruption, where the state—which has the power to conduct raids, audits, and other forms of harassment—can coerce cybercriminal actors into paying protection money, participating in state-directed cyber operations such as espionage or data theft, and supporting state narratives through hacktivist or misinformation campaigns,” said Kirk.

ExploitWhispers’ Chat Log Access

Keegan Keplinger, a security researcher at cybersecurity company SpyCloud, said, “It’s not known how ExploitWhispers got access, but they appear to have enough insider knowledge that they could have been a member of one of the various teams that had access to the chat as a result of a partnership with Black Basta.

“Otherwise, they would have had to exploit the Matrix server or socially engineer one of the members. The retaliatory nature of ExploitWhispers’ rhetoric suggests they were already inside the Matrix chat.”

Black Basta hosted its chats on its own server running Matrix, an open-source messaging protocol. Without existing access, ExploitWhispers, or someone cooperating with them, would have had to compromise that Matrix server or trick a Black Basta member into granting access. The simpler explanation is that ExploitWhispers already held an account in the group’s chat.

Repercussions

“The biggest repercussion is that Black Basta seems to have gone underground, and may be forced to either rebrand, splinter into sub-groups, or realign with other ransomware groups in the near-to-mid-term,” said Justin Timothy, principal threat intelligence analyst at cybersecurity company GuidePoint Security.

The information in the leaked chats makes it hard for Black Basta to keep using its current tactics, techniques, and procedures (TTPs), hosting providers, tools, and cryptocurrency wallets without security researchers correlating future activity back to the group or its affiliates, according to Jambul Tologonov, a security researcher at cybersecurity company Trellix.

The leaks let researchers map Black Basta’s attack methods in detail, which raises the cost of future operations for its members wherever they go. Either they reuse what they have and are readily detected and blocked, or they bear the expense of building or buying new tools and infrastructure.
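As an added illustration of the correlation problem Tologonov describes (example code written for this page, not from the article or any company quoted in it), the script below pulls IPv4 addresses and Bitcoin-style wallet strings out of chat-log lines, drops non-routable private space that cannot be matched against outside telemetry, and checks which indicators reappear in a later observation. Every log line, IP address (RFC 5737 documentation ranges stand in for public hosts) and wallet string is constructed for the example; a real chat export would need a format-specific parser first (Matrix events are JSON), after which the same text pass applies.

```python
"""Extract network and payment indicators from leaked chat-log text and
correlate them with new observations. Added example; all data constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in a flattened "timestamp sender: text" form.
# IPs come from RFC 5737 documentation ranges (plus one RFC 1918 address to
# show filtering); wallet strings are syntactically plausible placeholders.
LEAKED_CHAT = """\
2023-09-18T10:02:11Z aa: new box is 203.0.113.17 login via 10.0.0.5 proxy
2023-09-19T11:40:00Z tramp: payment to bc1qc0nstructedsamplewalletaddressxxxx0000 pls
2024-01-03T09:15:42Z gg: backconnect on 198.51.100.9 and 203.0.113.17, old one 1ConstructedSampWaLLetAddr12345678 dead
"""

# Constructed later telemetry: a firewall line and a ransom-note fragment.
NEW_TELEMETRY = """\
2025-03-02 fw: outbound 198.51.100.9:443 from workstation-17
2025-03-02 note: send 2 BTC to bc1qc0nstructedsamplewalletaddressxxxx0000
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Legacy base58 (P2PKH/P2SH) or bech32 (bc1...) address shapes.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{25,59})\b"
)

# Address space that is the attacker's own LAN or the local host; it carries
# no correlation value against victim-side or provider-side telemetry.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_routable(addr):
    """True unless addr is RFC 1918, loopback, link-local or multicast."""
    if addr.is_multicast:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def extract_indicators(text):
    """Return {'ipv4': Counter, 'btc': Counter} of indicators found in text.

    Counts preserve how often each indicator appears, which helps rank
    infrastructure the group relied on most heavily.
    """
    ips = Counter()
    for match in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(match.group())
        except ValueError:
            continue  # e.g. 999.1.1.1 fits the regex but is not an address
        if is_routable(addr):
            ips[str(addr)] += 1
    wallets = Counter(m.group() for m in BTC_RE.finditer(text))
    return {"ipv4": ips, "btc": wallets}


def correlate(known, observed_text):
    """Return indicators from `known` that reappear in observed_text."""
    seen = extract_indicators(observed_text)
    return {kind: sorted(set(known[kind]) & set(seen[kind])) for kind in known}


if __name__ == "__main__":
    known = extract_indicators(LEAKED_CHAT)
    for kind, counter in known.items():
        print(kind, counter.most_common())
    print("reused:", correlate(known, NEW_TELEMETRY))
```

Indicator reuse is the cheap signal here; mapping TTPs takes analyst work, but a wallet or hosting address lifted from a leak and seen again in fresh telemetry is an immediate, high-confidence link to the old operation.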

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
