Black Basta’s Ransom Haul Tops $100M In Less Than 2 Years

The Black Basta ransomware gang has raked in more than $100 million from victims of its double-extortion attacks since its emergence early last year, according to researchers.

The haul – which included grabbing $9 million from one victim and more than $1 million each from at least 17 others – puts the Russian-linked gang in the top echelon of ransomware operators.

In a Nov. 29 joint research post, blockchain analytics firm Elliptic and cyber insurance company Corvus said Black Basta had attacked at least 329 organizations, receiving payments of at least $107 million from more than 90 victims. The figures positioned the gang as the fourth-most active strain of ransomware by number of victims in the 2022-2023 period, the researchers said.

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” they added.

To put the group’s earnings in perspective: a June advisory from the Cybersecurity and Infrastructure Security Agency (CISA) said “prolific” rival gang LockBit took in $91 million from U.S. victims between early 2020 and mid-2023.  

Black Basta’s victims this year have included Swiss technology giant ABB, British outsourcing company Capita, and Dish Network.

The gang is widely believed to be an offshoot of another prolific ransomware operator, the Conti Group, which disbanded last year. It uses double-extortion tactics, exfiltrating sensitive data from victims before encrypting their networks and threatening to publish the stolen information if a ransom isn’t paid.

Black Basta ransomware was commonly deployed using Qakbot malware. Qakbot’s botnet was taken down by authorities in August and, according to the Elliptic and Corvus report, this may explain why there has been a marked reduction in Black Basta attacks during the second half of the year.

Elliptic researchers said links between Black Basta and Qakbot were evident on the Bitcoin blockchain, with portions of ransoms paid to Black Basta being sent to Qakbot wallets.

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim,” the researchers said.

“Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator.”

Through the firm’s investigations tool, Elliptic Investigator, the researchers said they were able to shed light on how Black Basta ransom payments were being laundered. They discovered the gang had sent millions of dollars in funds to Garantex, a Russian cryptocurrency exchange that was sanctioned by the U.S. government in April 2022 for its role in laundering the proceeds of darknet marketplaces and ransomware gangs, including Conti.

According to the Elliptic and Corvus report, based on the number of known victims listed on Black Basta’s leak site during the third quarter of 2023, at least 35% of the gang’s victims paid a ransom. This was roughly consistent with industry estimates in 2022 of the overall percentage of organizations that paid up following an attack.