Trustwave
Analysis of Leaked Black Basta Chat Logs
Pages: 39
Time to read: 59 mins
Publication:
Language: English
This technical report analyzes the leaked internal chat logs of the Black Basta ransomware group, which surfaced in February 2025. The logs give insight into the group's operations, including its infrastructure, tooling, and decision-making processes. The report outlines the group's agile and compartmentalized structure and highlights its use of social engineering and XLL (Excel add-in) payloads to bypass security controls. It details the group's reliance on Cobalt Strike and its development of a custom proxy infrastructure named 'Coba PROXY.' The report also discusses the aggressive negotiation tactics used in ransom discussions and the group's expansion into targeting banks in the CIS (Commonwealth of Independent States) region, which had previously been treated as off-limits. Additionally, the analysis examines Black Basta's internal dynamics and workflows, showing how members handle malware development, infrastructure maintenance, and victim profiling. The dataset offers a rare view of the operational mindset of this ransomware organization and the challenges it faced.