Ransomware gang Black Basta has stolen more than $100m in the last two years, according to a new report. The Russian hacking group has successfully extorted more than 90 victims, according to research from cybersecurity vendor Elliptic and Corvus Insurance. Black Basta is believed to have infected a total of 329 organisations with its ransomware so far.
“Our analysis suggests that Black Basta has received at least $107m in ransom payments since early 2022,” said the report. “The largest received ransom payment was $9m, and at least 18 of the ransoms exceeded $1m. The average ransom payment was $1.2m.”
The group specialises in so-called “double-extortion” tactics, wherein sensitive data is exfiltrated from the victim and their systems are locked by ransomware. Black Basta then demands a ransom in exchange for the return of the data and the restoration of the systems to the company in question. Previous victims have included building supplies specialist Knauf, defence manufacturer Rheinmetall, technology outsourcing firm Capita and industrial automation company ABB, though the report points out that the last two have not publicly disclosed whether or not they paid a ransom to Black Basta.
Black Basta’s Conti connection
Elliptic and Corvus Insurance’s report also sheds new light on Black Basta’s financial transactions on the blockchain. The group typically operates according to a “ransomware-as-a-service” model, wherein its ransomware is leased to other criminal groups in exchange for a cut of any payment made by the victim for the restitution of their data and systems. These payments would then be laundered through the Russian cryptocurrency exchange Garantex, claims the report.
Until August 2023, most of the group’s attacks were launched using Qakbot malware buried inside phishing emails. According to Elliptic and Corvus Insurance’s investigation, the organisation leasing Qakbot would typically receive a 10% cut of any ransom payment, compared to Black Basta’s 14%. The relationship with Qakbot appears to have ended when the botnet was broken up by law enforcement – an event that may explain “a marked reduction in Black Basta attacks in the second half of 2023”, says the report.
More evidence has also been obtained about Black Basta’s links to the Conti Group, another Russia-based cybercriminal organisation that is thought to have shut down in 2022. “[We] have traced bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator,” said the report, strengthening the theory held by many cybersecurity researchers that the latter is a successor organisation to the former.
Most law enforcement agencies strongly urge companies to refrain from paying ransoms for stolen data, though the reception among cybersecurity experts to proposals to outlaw such payments completely has proved mixed. There is growing international consensus on the feasibility of ending government payments to cybercriminals if public institutions are hacked. In October, for example, 40 countries signed on to the US-led International Counter Ransomware Initiative, which calls for a cessation of such payments and the creation of a “black list” of digital wallets commonly used to transfer ransomware payments.