Score one against the bad guys! According to a report, more than 200,000 of Black Basta’s internal communications have been leaked online!
As reported in Ars Technica (Leaked chat logs expose inner workings of secretive ransomware group, written by Dan Goodin and available here), the leak consists of logs of more than 200,000 messages that Black Basta members sent to each other over the Matrix chat platform between September 2023 and September 2024, researchers said. The person who published the messages said the move was retaliation for Black Basta targeting Russian banks. The leaker’s identity is unknown; it is also unclear whether the person responsible was an insider or an outsider who somehow gained access to the confidential logs.
Last year, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said Black Basta had targeted 12 of the 16 US critical infrastructure sectors in attacks on 500 organizations around the world. One notable attack targeted Ascension, a St. Louis-based health care system with 140 hospitals in 19 states. Other victims include Hyundai Europe, UK-based outsourcing firm Capita, the Chilean Government Customs Agency, and UK utility company Southern Water. The native Russian-speaking group has been active since at least 2022.
“BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies,” a member of security firm Prodaft wrote last Thursday. “Keep burning our intelligence sources, we don’t mind.”
Researchers who have read the Russian-language messages said they expose internal rifts in the secretive organization, rifts that have escalated since one of its leaders was arrested, because that arrest increases the risk that other members will be tracked down as well. The heightened tension has widened the divide between the current leader, believed to be Oleg Nefedov, and his subordinates. One disagreement concerned his decision to target a bank in Russia, which put Black Basta in the crosshairs of law enforcement in that country.
The leaked trove also includes details about other members, including two administrators using the names Lapa and YY, and Cortes, a threat actor linked to the Qakbot botnet operation. Also exposed are more than 350 unique links taken from ZoomInfo, a cloud service that provides data about companies and business individuals. The leaked links show how Black Basta members used the service to research the companies they targeted.
Security firm Hudson Rock said it has already fed Black Basta’s internal communications into ChatGPT to create BlackBastaGPT, a resource to help researchers analyze Black Basta operations. Of course they did! 😁
I’m sure there will be more information to come regarding this story soon. A few of my friends in cyber may have something to say about this too. 🤩
So, what do you think? Do you think the fact that Black Basta’s internal communications have been leaked online will be the end of them? Please share any comments you might have or if you’d like to know more about a particular topic.
Image created using GPT-4’s Image Creator Powered by DALL-E, using the term “robot cybercriminal finding out looking at their desktop computer that they have been hacked”.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.