Leaked Black Basta Chats Expose Ransomware Secrets & Infighting

Over 200,000 internal messages from the notorious ransomware group Black Basta have surfaced online — exposing deep divisions, ransom negotiations, and internal dysfunction.

The leak, spanning a year’s worth of communications, was posted online by an anonymous user, reportedly in retaliation for the group’s attack on Russian financial institutions. Cybersecurity experts are now poring over the data, uncovering a rare inside look at how one of the most feared ransomware groups operates — and potentially unravels.

A glimpse inside Black Basta

Active since 2022, Black Basta has built a reputation for high-profile attacks using double-extortion tactics. The group typically encrypts victims’ data, threatening to leak it unless a hefty ransom is paid. Their targets have included major U.S. healthcare providers and U.K.-based Capita, among others.

The leaked messages reveal how the gang:

  • Selects its targets.
  • Executes attacks.
  • Manages ransom negotiations.

Some members argue over whether to use targeted phishing or mass spam campaigns, while others vent frustrations about leadership. One particularly blunt exchange features a member calling a leader “an idiot,” hinting at growing instability within the group.

Ransoms, betrayal, and dirty money

The messages also expose the financial logistics of Black Basta’s operations.

In one instance, the group demanded $28.7 million from a victim, offering a steep discount for quick payment. The leak revealed how Black Basta laundered these payments, often using compromised bank accounts and cryptocurrency mixers to cover their tracks.

Adding to their woes, reports suggest some operators have scammed victims by taking ransom payments but failing to deliver working decryption tools. This kind of internal betrayal has led to members leaving the group. Cybersecurity analysts believe the gang has been largely inactive since early 2025.

The beginning of the end for Black Basta?

This leak follows a pattern seen before. In 2022, the Conti ransomware group collapsed after its internal communications were exposed. If history repeats itself, Black Basta could be headed for a similar fate.

Cybersecurity firm Prodaft has already noted a drop in activity from the group, and law enforcement agencies are likely using the leaked data to track down and disrupt remaining members. The breach serves as a reminder that even cybercriminals aren’t immune to betrayal and operational failures.

How businesses can protect themselves

To defend against ransomware groups like Black Basta, businesses should take proactive security measures, including:

  • Implementing endpoint detection and response to detect and stop threats early.
  • Conducting regular security audits to identify and fix vulnerabilities.
  • Training employees on phishing awareness, a common ransomware entry point.
  • Enforcing multi-factor authentication and network segmentation to limit damage.
  • Creating an incident response plan to ensure quick action during an attack.

By prioritizing these steps, organizations can reduce their risk and improve resilience against cyber threats.
