{
	"id": "40e939d2-839c-4bb4-98e5-2fee19f489cd",
	"created_at": "2026-04-06T00:08:31.75058Z",
	"updated_at": "2026-04-10T03:21:49.341311Z",
	"deleted_at": null,
	"sha1_hash": "0cfda6c5bb896846b2d98a2d6f150b45afa7866a",
	"title": "Black Basta Leak Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1334546,
	"plain_text": "Black Basta Leak Analysis\r\nBy A-poc\r\nPublished: 2025-05-19 · Archived: 2026-04-05 22:06:15 UTC\r\nMar 4, 2025\r\nAnalysing the Matrix server chat log data dump from the notorious Black Basta ransomware.\r\nOn the 20th of February 2025, the Matrix server chat logs from the notorious ransomware group Black Basta were\r\nuploaded to MEGA. This caused a wave of activity from cyber security firms and individuals looking for needles\r\nin the 200k message haystack.\r\nThe leak provides a fascinating peek behind the curtain of a major ransomware operation and an opportunity to\r\nidentify data trends.\r\nWorking Hours\r\nFrom September 2023 until June 2024, the Black Basta chat server was most active each week from\r\napproximately 07:00 until 21:00.\r\nThe number of messages sent on Friday afternoons differed from those on other afternoons in the week, and\r\nweekends were much quieter.\r\nA heat map of message activity on the Black Basta Matrix server\r\nRansom Negotiations\r\nDuring active ransomware negotiations (Volex, True and Ascension Health), Black Basta members\r\ncommunicated with each other using more expletives than usual.\r\nGraph showing the number of expletives used throughout the year in relation to key negotiation\r\nevents\r\nWhile these negotiations were taking place, the message volume patterns of specific users outline lead members.\r\nCharts showing the number of messages sent by Black Basta members during periods of negotiation\r\nSome members appeared to be involved in all negotiation discussions:\r\nGG\r\nlapa\r\nyy\r\nwhilst other members only appeared to be related to certain events:\r\nW (Volex)\r\nn3auxaxl (True)\r\nnickolas (Ascension Health)\r\nCommunication Changes\r\nThroughout the year, the collective emotions of the group would change depending on the situation they were in.\r\nGraph showing the number of phrases relating to emotions throughout the year in relation to key\r\nnegotiation events\r\nExcitement was typically expressed in and around major ransomware negotiations, sprinkled with small spikes of\r\nfrustration.\r\nOn average, the longest messages were sent early in the morning at 02:00 whilst the shortest messages were\r\ntypically sent in the evening at 19:00.\r\nChart showing the average message length over the average day\r\nRelationships\r\nThe number of times Black Basta members make reference to other group members gives an idea of the potential\r\nlinks within the group.\r\nGraph showing the number of times each Black Basta member mentioned each other\r\nThe high number of connections highlighted the amount of communication that took place within the group.\r\nConnections of note include:\r\nGG → lapa\r\nGG → W\r\nSS → cameron777\r\nW → SSD\r\nburito → n3auxaxl\r\nConclusion\r\nThe Black Basta leak lays bare a year of ransomware operations, revealing distinct patterns in activity,\r\ncommunication, and group dynamics.\r\nStructured working hours and heightened exchanges during negotiations paint a picture of an organized effort\r\nshaped by key contributors and shifting priorities.\r\nSource: https://medium.com/@a-poc/black-basta-leak-analysis-add723b179a5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@a-poc/black-basta-leak-analysis-add723b179a5"
	],
	"report_names": [
		"black-basta-leak-analysis-add723b179a5"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cfda6c5bb896846b2d98a2d6f150b45afa7866a.pdf",
		"text": "https://archive.orkl.eu/0cfda6c5bb896846b2d98a2d6f150b45afa7866a.txt",
		"img": "https://archive.orkl.eu/0cfda6c5bb896846b2d98a2d6f150b45afa7866a.jpg"
	}
}