More than $100 million in ransom paid to the Black Basta gang over nearly 2 years


The Black Basta cybercrime gang has reaped at least $107 million in ransoms since the start of 2022, according to a study by blockchain security firm Elliptic and Corvus Insurance.

The group has infected more than 329 organizations with ransomware throughout its operation, and business analysis blockchain transactions show links between Black Basta and the Conti ransomware gang – which stop its operations last year following attacks against the government of Costa Rica.

Basta blackaccording to Elliptic and Corvus Insurance, appeared around at the same time Conti stopped operating and a large portion of the laundered ransom payments can be traced to Garantex, a Russian cryptocurrency exchange sanctioned. Like Conti, Black Basta focuses particularly on organizations in the construction, legal and real estate sectors.

“Our analysis suggests that Black Basta has received at least $107 million in ransoms since the start of 2022, for more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million,” the researchers said. The average ransom payment was $1.2 million.

“It should be noted that these figures are a lower bound – it is likely that other ransom payments are being made to Black Basta that our analysis has not yet identified – particularly in relation to recent victims. Due to the overlap between the groups, some of these payments may also be linked to the Conti ransomware attacks,” the researchers said.

Image: Elliptical

Black Basta is one of the most high-profile ransomware groups currently operating, taking credit for brazen attacks against Dish networkTHE American Dental AssociationBritish outsourcing company CapitaSwiss technology giant ABB and German arms company Rheinmetall.

Since its emergence, it has become the fourth most active ransomware strain based on the number of victims tracked over the last year, the report said.

The gang recently leaked information from organizations such as the Raleigh Housing Authority in North Carolina; a television advertising sales and technology company jointly owned by the three largest US cable operators; And The government of Chile.

Black Basta ransomware attacks and ransoms since early 2022
Image: Elliptical

Data shows that approximately 35% of all Black Basta victims paid a ransom.

Researchers noted that the figures presented in the report likely represent only a fraction of the group’s actual revenue, as most gangs use a variety of cryptocurrency wallets to receive payments and victims generally do not share the details of the wallet they used to pay the ransoms.

Qakbot Connections

In addition to the links between Conti and Black Basta, researchers found links between ransomware and Qakbot malware – what was disrupted by the FBI and international law enforcement in August.

Qakbot, also known as Qbot and Pinkslipbot, had become the initial access method of choice for several high-profile ransomware gangs, including REvil, Black Basta, Conti, Egregor, and MegaCortex.

After infecting victims’ computers with Qakbot malware via malicious attachments In junk mail, gangs could deploy their own ransomware and extort their victims. Cybersecurity experts have already noted that the Black Basta ransomware gang Used Qakbot during his attack on Capita.

Elliptic said Qakbot malware was typically used to deploy Black Basta ransomware and that there were clear links between the two operations visible on the blockchain.

A portion of the ransoms received by Black Basta went into wallets associated with Qakbot, they found.

“These transactions indicate that approximately 10% of the ransom amount was transferred to Qakbot, in cases where they were involved in providing access to the victim,” they said.

Cybersecurity researchers at SentinelOne have already linked the long-running cybercrime cartel known as FIN7 to Black Basta in a report released late last year.

Elliptic noted that leaked Conti online chats suggested the company had ties to the Russian government and provided support for the invasion of Ukraine.

The US State Department announced last August that it would offer a $10 million reward for “information leading to the identification or location” of hackers linked to Operation Conti, with several experts expressing concerns as for the group splitting into gangs like Black Basta.

The Ministry’s Awards for Justice program shared a picture from a man who he says is linked to the group called “Target”, and said he was looking for other members who use the aliases “Reshaev”, “Professor”, “Tramp” and “Dandis “.

Get more information with the

Future saved

Intelligence cloud.

Learn more.

No previous articles

No new articles

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Leave a comment