
Infighting brings down the Black Basta ransomware group
It seems that internal struggles led to the breakdown of one of the last ransomware-as-a-service giants.
After almost three years near the top of the ransomware food chain, the notorious Black Basta group is offline.

The cause appears to be infighting among the executives at the ransomware-as-a-service (RaaS) group, which culminated in one of its leading members leaking the group’s internal chat logs last week.
As we pointed out in our recent 2025 State of Malware report, the ransomware landscape has fractured significantly in the last few years. The influence of large ransomware groups like LockBit, ALPHV and Black Basta has waned as a multitude of little-known “dark horse” gangs has emerged.
Until recently, Black Basta was an exception to that trend and was a regular in the top 10 most active ransomware groups in our monthly ransomware reports.
But this year the decline started, and one of the last giants seems to have suffered a number of problems:
- Victims reported never receiving a working decryption key.
- Key members left the group to join others.
- Internal fighting over which targets were off limits.
Reportedly, the last falling-out occurred after an affiliate launched a brute-force attack against a Russian bank. Ransomware groups typically avoid attacking targets inside Russia and the Commonwealth of Independent States, where they enjoy safe haven.
Attacking Russian banks could invoke the wrath of the Russian authorities, which were otherwise turning a blind eye.
An individual posting under the handle ExploitWhispers wrote:

[translation] A place to discuss the main news about Black Basta, one of the biggest ransomware groups in Russia, which recently hacked domestic banks. With such deeds we can say that they crossed the line, that’s why we are dedicated to uncovering the truth and to investigate Black Basta’s next steps. Here you can find information you can trust and read all in one channel.
Our exclusive access provides thorough, objective and trustworthy information available by following this link.
The chat logs include almost 200,000 messages from September 2023 to September 2024. From the chat logs, researchers have learned a lot about some of the organization’s key players, their internal power struggles, and their financial scams.
The logs also confirm one thing we already suspected: that many of the key players in Black Basta were previously active in the Conti group. Ironically enough, Conti also imploded after its chat logs were leaked online.
Since the affiliates working with Black Basta will undoubtedly find another RaaS group to work with, the tactics, techniques, and procedures we previously wrote about are still valid. Some of Black Basta’s key players have reportedly moved to the Cactus group, so that might also be a logical next home for the affiliates.