Inside Ransomware: Facts and Findings from the BlackBasta and LockBit Leaks
When an anonymous actor calling themselves “ExploitWhispers” posted nearly a year’s worth of BlackBasta’s internal Matrix chats in February 2025, the industry received an unfiltered window into the criminal enterprise behind dozens of high-profile intrusions.
Twelve weeks later, a separate breach dumped the entire MySQL backend of LockBit’s affiliate panel. 20 tables covering build pipelines, negotiation transcripts, and cryptocurrency payout data were released onto public code-sharing sites, with a Tor-site defacement confirming the compromise. Together these disclosures offer something incident responders rarely get: the attackers’ own words, workflows, and source artifacts.
In this talk we will take a deep dive into those data sets—walking through the process of parsing thousands of lines of attacker conversations, configuration files, and build logs to surface the tactics, techniques, and procedures (TTPs) that drive day-to-day ransomware operations.
This talk will focus on three things: the approach for processing these large data sets; how affiliate recruitment, initial access, payload testing, negotiation, and cash-out weave together into a repeatable playbook; and the CI/CD build pipelines that allow for rapid development and deployment of malicious payloads.
Attendees will leave with a comprehensive understanding of how ransomware crews operate, insights into their financial gains, and the underlying motivations that drive their activities.