Black Basta chat log leaks show structure and discipline, claims research

Social engineering was a speciality of the highly successful ransomware group

Analysis of the Black Basta ransomware group leaks finds a highly structured organisation with specialisms in exploit development and social engineering.

Further analysis of the 190,000 chat messages exchanged by members of the Black Basta ransomware group, which were leaked earlier this year, has revealed a structured organisation with expertise in several specialities, including social engineering.

The messages, which were sent from September 2023 to September 2024, were later posted to Telegram in February 2025 by a persona known only as ‘ExploitWhispers’. The leak coincided with an outage of the Black Basta site on the dark web, which has remained down ever since.

Researchers from Trustwave’s SpiderLabs have analysed the messages and published a ‘deep dive’ into the chat logs. The report says the leak “provides a unique look into one of the most financially successful ransomware organizations in recent years. The dataset sheds light on Black Basta’s internal workflows, decision-making processes, and team dynamics...”

The analysis provides a grimly fascinating look into the workings of what was a highly successful ransomware group.

The group operated with a division of labour that rivalled a legitimate enterprise. Members were assigned roles aligned with their specialities to maximise efficiency. Credential management, negotiations, infrastructure and malware development were all covered. Researchers even found a work schedule resembling a traditional nine-to-five office day.

Social engineering was a speciality, with members taking on the personas of IT administrators and contacting employees of prospective victims under the pretext of troubleshooting fake breaches. Microsoft Teams was often the vector of choice for this activity.

“The girl should be calling men,” one more senior Black Basta member instructed in a chat message. “The guy should be calling women.”

The manager went on to say employees had screened 500 prospective callers for the task. “In the end only 2-3 were competent, and we have a few others as backup. One girl is really good at calling, every fifth call converts into remote access :).”

The social-engineering operations were carefully coordinated, with members sharing updates in chat messages and fine-tuning scripts and lures in real time.

The chat logs also reveal discussion of more than 60 unique CVEs, many of them vulnerabilities in Microsoft Exchange, with conversations ranging from the speculative to those discussing full exploit acquisition.
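A figure such as “more than 60 unique CVEs” comes from pulling identifiers out of a large, inconsistently written chat export and de-duplicating them. The script below is an added example of that kind of analysis; it is not Trustwave’s tooling or anything from the leak. It assumes a line format of `<timestamp> <handle>: <message>`, and the sample lines and CVE numbers are constructed placeholders (the 2098/2099 years are deliberately unreal).

```python
"""Extract and count CVE identifiers mentioned in a chat-log export.

Added example, not code from the original article or from Trustwave.
Assumed line format: '<timestamp> <handle>: <message>'. Handles, timestamps
and CVE numbers in SAMPLE_LOG are constructed placeholders.
"""
import re
from collections import Counter

# Chat authors rarely write identifiers consistently, so accept '-', '_' or a
# space as the separator and match case-insensitively; the sequence part of a
# CVE id is 4 to 7 digits.
CVE_RE = re.compile(r"\bcve[-_ ](\d{4})[-_ ](\d{4,7})\b", re.IGNORECASE)

# One line per message; assumed format is '<timestamp> <handle>: <message>'.
LINE_RE = re.compile(r"^\S+\s+(\S+?):\s+(.*)$")

# Constructed sample export (placeholder handles and placeholder CVE ids).
SAMPLE_LOG = """\
2023-09-14T10:02:11 alpha: anyone checked cve-2099-0001 on the exchange box?
2023-09-14T10:03:40 bravo: yes, CVE-2099-0001 and CVE-2099-0002 both worth a look
2023-09-14T10:05:02 alpha: CVE_2099_0001 again, plus CVE-2098-0003
2023-09-15T09:30:00 charlie: not a cve, just a config issue
"""


def extract_cves(text: str) -> Counter:
    """Return a Counter of normalised 'CVE-YYYY-NNNN' ids over all mentions."""
    counts: Counter = Counter()
    for year, seq in CVE_RE.findall(text):
        counts[f"CVE-{year}-{seq}"] += 1
    return counts


def unique_cves(text: str) -> list:
    """Sorted list of distinct CVE ids, which is the number a report would quote."""
    return sorted(extract_cves(text))


def cves_by_year(text: str) -> Counter:
    """Distribution of distinct CVE ids by the year component of the id."""
    return Counter(cve.split("-")[1] for cve in extract_cves(text))


def mentions_per_handle(text: str) -> dict:
    """Map each chat handle to the set of CVE ids it mentioned.

    Lines that do not match the assumed format are skipped rather than guessed at.
    """
    per_handle: dict = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        handle, message = match.groups()
        found = set(extract_cves(message))
        if found:
            per_handle.setdefault(handle, set()).update(found)
    return per_handle


if __name__ == "__main__":
    print("unique CVEs:", unique_cves(SAMPLE_LOG))
    print("mentions:", dict(extract_cves(SAMPLE_LOG)))
    print("by year:", dict(cves_by_year(SAMPLE_LOG)))
    print("per handle:", mentions_per_handle(SAMPLE_LOG))
```

Normalising before counting is the point: the same vulnerability written three different ways on the sample lines collapses to one id, so the unique count is three rather than five, and the per-handle view shows who in the chat was raising which identifiers.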

For full details of the report go to Trustwave SpiderLabs.
