Russia-linked Black Basta ransomware has extorted at least $100 million

Black Basta, which is believed to be a faction of the notorious Russian Conti ransomware gang, has raked in at least $107 million in Bitcoin ransom payments since its inception in early 2022, joint research by Elliptic and Corvus Insurance has revealed.

Capita, a technology outsourcer with billions of dollars in UK government contracts, ABB, an industrial automation company, and Dish Networks, an American television provider, are two high-profile victims among 329 identified intrusions by Black Basta. Neither company has publicly disclosed whether they paid a ransom.

Researchers tracked the movements of funds using the crypto investigations tool Elliptic Investigator. They uncovered some unique patterns in the group’s activity by timing peaks of ransom payments with the timing of attacks.

“Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million,” the report reads.

Those figures are a lower estimate, as there may be other ransom payments that researchers were unable to identify, especially the latest. Despite the relative transparency of blockchains, ransomware groups do not rely on a single wallet to receive payments, and victims rarely share details about where they transferred the ransom to.

Ransom groups also use complex money laundering techniques to cover their tracks on the blockchain and conceal illicit sources of profits.

Elliptic researchers demonstrated an overlap between the funds of Black Basta and Conti. Therefore, some payments may relate to now-defunct Conti ransomware attacks.

“Based on the number of known victims listed on Black Basta’s leak site through Q3 of 2023, our data indicates that at least 35% of known Black Basta victims paid a ransom. This is consistent with reports that 41% of all ransomware victims paid a ransom in 2022,” the researchers explained.

Black Basta Victims
Image by Elliptic.

As earlier reported by Cybernews, Cyberint researchers have linked an emerging group to Conti, a prolific ransomware gang associated with Russia, with a victim toll close to 1000.

Elliptic demonstrated that much of Black Basta’s laundered ransom payments can be traced onwards to Garantex, the sanctioned Russian crypto exchange. The same exchange was often used by Conti.

“Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator. This further strengthens the theory that Black Basta is an offshoot or rebrand of Conti,” Elliptic writes.

Also, Black Basta commonly used the Qakbot malware, which infected victims’ computers through email phishing attacks and helped to deploy ransomware. On the blockchain, approximately 10% of Black Basta’s ransom amount was forwarded to Qakbot wallets, researchers showed.

“The Black Basta operator appears to take an average of 14% of ransom payments. This is a typical split seen in ransomware-as-a-service operations,” the report reads.

The US government sanctioned Garantex in April 2022. The multinational law enforcement operation disrupted Qakbot in August 2023, partially explaining the recent reduction in Black Basta attacks.

Black Basta has targeted businesses in a wide variety of sectors, including construction (10% of victims), law practices (4%), and real estate (3%), mostly in the US, a trait that also resembled Conti.