A leak of 190,000 chat messages traded among members of the Black Basta ransomware group shows that it is a highly structured and usually efficient organization staffed by people with expertise in various specialties, including exploit development, infrastructure optimization, social engineering and more.
The trove of records was first posted on the Mega site. The messages, sent from September 2023 to September 2024, were later posted on Telegram in February 2025. ExploitWhispers, the online persona who took credit for the leak, also provided commentary and context for understanding the communications. The identity of the person or persons behind ExploitWhispers remains unknown. Last month's leak coincided with the unexplained outage of the Black Basta site on the dark web, which has remained down since then.
“We have to operate as soon as possible”
Researchers from SpiderLabs, part of security firm Trustwave, analyzed the messages, which are written in Russian, and published a short blog summary and a more detailed review of the messages on Tuesday.
“The dataset sheds light on the internal workflows of Black Basta, decision-making processes and team dynamics and offers an unfiltered perspective on how one of the most active ransomware groups works behind the scenes and draws parallels with the infamous Conti leaks,” the researchers wrote. They were referring to a separate leak from the ransomware group Conti that exposed workers' complaints about low wages and long hours, and grievances about leaders' support for Russia in the invasion of Ukraine. “Although the immediate impact of the leak remains uncertain, the exposure of the inner functioning of Black Basta is a rare opportunity for cyber security professionals to adapt and respond.”
Some of the TTPs – short for tactics, techniques and procedures – that Black Basta employed were aimed at social engineering employees who work for potential victims, by posing as IT managers trying to solve problems or respond to fake breaches.