
John Hammond Analyzes Major Leak of Russian Ransomware Group Black Basta's Internal Chat Logs
In a recent video, John Hammond walks through a major leak of internal chat logs from the Russian ransomware group Black Basta. The leak, made public on February 20, 2025, exposed internal communications spanning September 18, 2023, to September 28, 2024. Black Basta, a ransomware-as-a-service (RaaS) operation, has targeted more than 500 organizations worldwide and collected over $100 million in ransom payments. Since the beginning of 2025, however, its dark web leak site has been offline and no new victims have been posted.

The leak shows that Black Basta operated as a structured, hierarchical organization with physical offices and a clear chain of command. Members had distinct specializations, ranging from infrastructure management to victim negotiation, and the logs draw a clear line between internal employees and independent or affiliated operators. The group communicated over Matrix servers and moved to new servers frequently for operational security (OPSEC), so the same person appears under several server-qualified handles over the course of the logs. Analysis of the logs indicates that the group's leader, known as GG, is likely Oleg Nefedov, a 35-year-old Russian citizen.

For infrastructure, the group relied on legitimate hosting providers but bought through brokers and resellers to add a layer of anonymity, and it ran Cobalt Strike servers for command and control (C2). The video looks at this infrastructure in detail: servers hosted in Germany but purchased through resellers that accept cryptocurrency payments, so the legitimate provider never learned the end user's real identity. The member responsible for this infrastructure, known as YY or Bio, managed the servers, admin panels, and leak blogs. Hammond uses tools such as Predictor Graph to visualize Black Basta's organization and lay out each member's role and responsibilities.
He also traces members' online identifiers, such as Jabber (XMPP) IDs, across cybercrime forums to follow their activity beyond the chat logs. The video underlines the value of monitoring cybercrime forums and illicit communication channels in order to anticipate threats. Defenders can use the revealed information to better understand the tactics and procedures of ransomware operators and to strengthen their defenses accordingly. In short, the chat log leak offers a rare and valuable look inside a ransomware group and shows how complex and organized these criminal enterprises are. Watch the full video at: https://www.youtube.com/watch?v=cH7BYWbtsfI
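The triage steps the video describes (who talks to whom, which handles belong to the same person after a server move, which contact IDs and infrastructure indicators are mentioned in messages) can be scripted against a chat export. The following is an added example, not code from the video or from any published analysis of the leak. It assumes an export with one JSON object per line carrying `ts`, `from`, `to` and `text` fields and Matrix-style `@localpart:server` handles; that schema, the handles and every indicator in the sample are constructed placeholders, not data from the real leak.

```python
"""Triage of a leaked chat export (constructed sample, assumed JSONL schema).

Collapses Matrix handles to their localpart so that a member who hops
between servers is still counted as one identity, builds the contact graph,
and pulls Jabber/XMPP-style IDs, IPv4 addresses and v3 .onion addresses
out of message text.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed indicators: RFC 5737 test address, a reserved example domain,
# and a syntactically valid but made-up v3 onion (56 base32 characters).
ONION = "leakblog" + "a" * 48 + ".onion"

SAMPLE_MESSAGES = [  # constructed sample, not from the real leak
    {"ts": "2024-01-10T09:12:00Z", "from": "@alpha:srv1.example",
     "to": "@beta:srv1.example",
     "text": "new panel at 203.0.113.7, jabber me at alpha@jabber.example"},
    {"ts": "2024-01-10T09:14:00Z", "from": "@beta:srv1.example",
     "to": "@alpha:srv1.example",
     "text": f"ok, blog mirror http://{ONION}/"},
    # same localpart, new homeserver: the kind of server hop the logs show
    {"ts": "2024-02-01T11:00:00Z", "from": "@alpha:srv2.example",
     "to": "@gamma:srv2.example",
     "text": "moved servers, same contact alpha@jabber.example"},
]
SAMPLE_LOG = "\n".join(json.dumps(m) for m in SAMPLE_MESSAGES) + "\n"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
# user@host style; catches Jabber/XMPP IDs as well as e-mail addresses
JID_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def parse_log(text):
    """Parse JSONL; skip corrupt lines rather than abort the whole triage."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            msgs.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return msgs


def split_mxid(mxid):
    """'@alpha:srv1.example' -> ('alpha', 'srv1.example')."""
    local, _, server = mxid.lstrip("@").partition(":")
    return local, server


def servers_by_handle(msgs):
    """Every homeserver each localpart was seen sending from."""
    seen = defaultdict(set)
    for m in msgs:
        local, server = split_mxid(m["from"])
        seen[local].add(server)
    return dict(seen)


def message_counts(msgs):
    """Messages sent per localpart, merged across server moves."""
    return Counter(split_mxid(m["from"])[0] for m in msgs)


def contact_edges(msgs):
    """Directed (sender, recipient) edge weights for a graph tool."""
    return Counter((split_mxid(m["from"])[0], split_mxid(m["to"])[0])
                   for m in msgs)


def activity_window(msgs):
    """First and last ISO-8601 timestamp per localpart (sortable strings)."""
    window = {}
    for m in msgs:
        local = split_mxid(m["from"])[0]
        first, last = window.get(local, (m["ts"], m["ts"]))
        window[local] = (min(first, m["ts"]), max(last, m["ts"]))
    return window


def extract_indicators(msgs):
    """Deduplicated, sorted indicators found in message bodies."""
    text = "\n".join(m.get("text", "") for m in msgs)
    return {
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        "onion": sorted(set(ONION_RE.findall(text))),
        "jid": sorted(set(JID_RE.findall(text))),
    }


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print("servers per handle:", servers_by_handle(msgs))
    print("messages per handle:", message_counts(msgs))
    print("edges:", contact_edges(msgs))
    print("activity:", activity_window(msgs))
    print("indicators:", extract_indicators(msgs))
```

Merging on localpart is a deliberate assumption: it is what makes a server-hopping member show up as one node, but two different people using the same localpart on different homeservers would be merged as well, so in real triage the merge should be confirmed by the contact IDs (here the repeated `alpha@jabber.example`) and by conversational context rather than taken from the handle alone.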