
How leaked chats, law enforcement pressure and affiliate migration exposed the resilience of the ransomware ecosystem
Takeaways
- Black Basta’s collapse disrupted a name, not the underlying criminal capabilities, which quickly reappeared through affiliate migration and code reuse.
- Leaked operational data significantly strengthens investigations. Correlating chat logs with victim reports, blockchain data and intrusion timelines turned fragmented intelligence into actionable law‑enforcement evidence.
- Healthcare attacks accelerate scrutiny and consequences. Attacks on critical infrastructure change the risk calculus for both threat actors and defenders.
Black Basta (BlackBasta, Blackbasta, Basta, Vengeful Mantis) was a top-tier ransomware brand until its collapse in early 2025. The group collected at least $107 million in ransomware payments (based on blockchain tracing) from early operations in 2022 through late 2023. Black Basta was a global law enforcement priority for years prior to its disappearance, and investigators have continued to search for clues and evidence to bring group members to justice. Recent headlines reveal this work is getting results.
The group is widely regarded as a rebrand or offshoot of the Conti ransomware group that went dark in May 2022. Analysts saw strong overlaps in the tools and operations of the two groups, and blockchain tracing later showed several million dollars flowing from Conti‑linked wallets into wallets controlled by Black Basta. Researchers found that a Russian national known by aliases such as “GG,” “Tramp,” “Trump,” and “AA” was a key member of Conti and is likely the founder of Black Basta.
Black Basta was a closed, high‑end ransomware-as-a-service (RaaS) cluster. A cluster is a network of specialists and partners coordinated around a brand, rather than a self-contained RaaS operation. This distinction matters because a cluster can ‘collapse’ as a brand with minimal disruption to the threats posed by its members. The underlying capabilities of a cluster are portable, and the same tooling and tactics can quickly reappear under new brands.
Public reporting places Black Basta’s debut in April 2022, shortly before Conti ceased operations. The group had roughly 100 victims in its first seven months and more than 500 victims worldwide by the time it attacked Ascension in May 2024.
Black Basta was known for attacking major enterprises and critical infrastructure, but Ascension was a watershed event because it sharply raised the risk the group faced. The attack disrupted operations at around 140 hospitals across 19 U.S. states and Washington, D.C., forcing a rapid return to paper workflows and ambulance diversions while staff struggled to get basic orders approved.
Black Basta posted its last victim on its leak site in January 2025. In February, an unknown actor going by the name “ExploitWhispers” leaked a huge cache of internal chat logs covering late 2023–2024. By March 2025 Black Basta was considered inactive, though its tactics and tools were seen in use by other brands.
