Black Basta ransom exceeds $100 million in less than 2 years


The Black Basta ransomware gang has collected more than $100 million from victims of its double extortion attacks since it emerged early last year, according to researchers.

That haul — which included collecting $9 million from one victim and more than $1 million each from at least 17 others — puts the Russia-linked gang at the forefront of ransomware operators.

In a November 29 joint research post, blockchain analytics firm Elliptic and cyber insurance firm Corvus said Black Basta attacked at least 329 organizations, receiving payments of at least $107 million from more than 90 victims. These figures position the gang as the fourth most active ransomware strain in terms of number of victims during the period 2022-2023, according to the researchers.

“It should be noted that these figures are a lower bound – it is likely that there are other ransom payments made to Black Basta that our analysis has not yet identified – particularly in relation to recent victims,” they added.

To put the group’s results into perspective: a June notice from the Cybersecurity and Infrastructure Security Agency (CISA) said the “prolific” rival LockBit gang collected $91 million from U.S. victims between early 2020 and mid-2023.

Among the victims of Black Basta this year are Swiss technology giant ABB, British outsourcing company Capita, and Dish Network.

The gang is widely seen as an offshoot of another prolific ransomware operator, the Conti group, which disbanded last year. It uses double extortion tactics, exfiltrating sensitive data from victims before encrypting their networks and threatening to publish the stolen information if a ransom is not paid.

Black Basta ransomware was commonly deployed using Qakbot malware. The Qakbot botnet was dismantled by the authorities in August and, according to the Elliptic and Corvus report, this could explain why there was a marked reduction in Black Basta attacks during the second half of the year.

Elliptic researchers said the links between Black Basta and Qakbot were evident on the Bitcoin blockchain, with a portion of the ransoms paid to Black Basta being sent to Qakbot wallets.

“These transactions indicate that approximately 10% of the ransom amount was transferred to Qakbot, in cases where they were involved in gaining access to the victim,” the researchers said.

“Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to the Conti Group. In particular, we traced Bitcoins worth millions of dollars from wallets linked to Conti to those associated with the operator Black Basta.”

Using the company’s investigative tool, Elliptic Investigator, researchers said they were able to shed light on how Black Basta’s ransom payments were laundered. They discovered that the gang had sent millions of dollars in funds to Garantex, a Russian cryptocurrency exchange sanctioned by the US government in April 2022 for its role in laundering the proceeds of darknet markets and ransomware gangs, including Conti.

According to the Elliptic and Corvus report, based on the number of known victims listed on the Black Basta leak site during the third quarter of 2023, at least 35% of the gang’s victims paid a ransom. This figure roughly matched industry estimates in 2022 for the overall percentage of organizations that paid out following an attack.
