Leaked Chats Suggest Black Basta Ransomware Gang Has Ties to Russian Authorities

A fresh analysis of leaked chat logs suggests that the Black Basta ransomware gang may have links to Russian authorities.

Cybercriminal Group's Internal Messages Reveal Possible Government Connection

Black Basta, a Russian-speaking ransomware-as-a-service (RaaS) operation, emerged in April 2022 and has targeted hundreds of organizations worldwide. However, its operations have recently slowed due to a major internal data leak.

Over 200,000 Internal Messages Exposed

  • A Telegram user (@ExploitWhispers) leaked over 200,000 internal messages from Black Basta's private communications last month.
  • The leak was reportedly triggered by allegations that Black Basta attacked Russian banks, though this claim remains unverified.

Possible Government Protection?

Cybersecurity firm Trellix analyzed the leaked messages and uncovered evidence that Black Basta's leader, Oleg Nefedov (aka GG or Tramp), may have received help from Russian authorities:
  • Nefedov was detained in Armenia in June 2023 but escaped custody just three days later.
  • A chat exchange between Nefedov and an associate named Chuck suggests Russian officials facilitated his extraction.
  • GG claimed he contacted high-ranking officials and was given access to a "green corridor" to flee.

Inside Black Basta’s Operations

The chat logs also reveal key details about Black Basta’s infrastructure and tactics:
  • Two suspected offices in Moscow where group members may operate.
  • Use of AI tools, including ChatGPT, to:
      • Generate phishing emails
      • Debug malware
      • Rewrite ransomware scripts
      • Collect victim data

The Fallout and What’s Next

The leaked messages have exposed Black Basta’s operational vulnerabilities, raising questions about potential government collusion. As investigations continue, cybersecurity experts are closely monitoring whether this data breach will lead to the group's downfall or a strategic regrouping.