BlackBasta Ransomware Ties to Russian Authorities Uncovered


A newly leaked trove of internal chat logs has exposed potential connections between the BlackBasta ransomware gang and Russian authorities.

The leaks, consisting of over 200,000 messages spanning a year, were shared by a Telegram user known as @ExploitWhispers on February 11, 2025. The user claimed to have leaked the chats in response to BlackBasta allegedly attacking Russian banks, though no evidence supporting this claim has been found.

Cybersecurity firm Trellix obtained and analyzed the chat logs in a new advisory published today, uncovering conversations that suggest BlackBasta’s leader, identified as Oleg Nefedov (alias GG or Tramp), may have received assistance from Russian officials.

According to the logs, Nefedov was detained in Armenia in June 2024 but escaped custody three days later. A chat exchange between GG and an associate named Chuck revealed that Russian authorities allegedly facilitated his extraction, with GG claiming he contacted high-ranking officials to secure a “green corridor.” Chuck speculated that “number 1” referenced in the chat could be Russian President Vladimir Putin, though GG neither confirmed nor denied the claim.

Further discussion in the leaked chats indicated that Russian law enforcement may have the power to suppress Interpol requests in some instances. GG and Chuck also referenced continuing their illicit activities “as long as grandpa lives,” possibly hinting at protection from an influential figure.

Additionally, one chat linked a member of the Trickbot group to Russia’s Federal Security Service (FSB), reinforcing suspicions of government connections.

Moscow Operations and AI Use

The leaked messages suggest that BlackBasta operates two physical offices in Moscow, with detailed discussions about office logistics, security measures and staff coordination. The group also regularly hosts gatherings at high-end restaurants and Russian saunas, further indicating a structured, business-like operation.

Additionally, the logs show BlackBasta’s extensive use of AI tools like ChatGPT. Gang members utilized AI to generate phishing emails, debug malware code and rewrite ransomware scripts to evade detection. They also leveraged AI for gathering victim data, with one member automating contact collection through GPT API services.


Affiliate Collaboration

The leaks provide insight into BlackBasta’s connections with other cybercriminal groups. The group collaborated with multiple ransomware-as-a-service (RaaS) affiliates, including Rhysida and Cactus, and used malware loaders such as Qakbot, Pikabot, DarkGate and IcedID. Discussions also revealed the group’s rental agreements with other cybercriminals, including a deal to pay $1m for exclusive access to DarkGate malware.

Following an unsuccessful attack on Ascension Health, BlackBasta leaders reportedly debated rebranding. Chat logs indicate Nefedov instructed a key developer to create a new ransomware variant based on Conti source code, while ensuring it remained untraceable to BlackBasta. Plans included using secure infrastructure in Abkhazia, a location with historical ties to Russian cybercrime.

Trellix’s analysis of the BlackBasta leaks reveals a deeply entrenched cybercriminal organization with high-level ties in Russia.

Despite the group’s plans to rebrand, the exposure of their internal operations may complicate efforts to operate under a new identity.

BlackBasta’s decreasing activity in 2025 could be linked to Nefedov’s arrest and the fallout from the Ascension Health attack. Still, history suggests that ransomware groups often resurface under different names, learning from past mistakes while continuing to exploit new vulnerabilities.
