November 30, 2023

Ransomware gang Black Basta has made more than $100m in two years

An investigation by Corvus Insurance and Elliptic finds that the ransomware gang has extorted more than 90 victims since it began operating last year.

By Greg Noone

Ransomware gang Black Basta has stolen more than $100m in the last two years, according to a new report. The Russian hacking group has successfully extorted more than 90 victims, according to research from cybersecurity vendor Elliptic and Corvus Insurance. Black Basta is believed to have infected a total of 329 organisations with its ransomware so far. 

“Our analysis suggests that Black Basta has received at least $107m in ransom payments since early 2022,” said the report. “The largest received ransom payment was $9m, and at least 18 of the ransoms exceeded $1m. The average ransom payment was $1.2m.”

Ransomware gang Black Basta has made over $100m since beginning operations in 2022, according to a new report. (Photo by JLStock/Shutterstock)

The group specialises in so-called “double-extortion” tactics, wherein sensitive data is exfiltrated from the victim and their systems locked by ransomware. Black Basta will then demand a ransom in exchange for the return of the data and the restitution of the systems to the company in question. Previous victims have included buildings supply specialists Knauf, defence manufacturer Rheinmetall, technology outsourcing firm Capita and industrial automation company ABB, though the report points out that the last two have not publicly disclosed whether or not they paid a ransom to Black Basta.

Black Basta’s Conti connection

Elliptic and Corvus Insurance’s report also sheds new light on Black Basta’s financial transactions on the blockchain. The group typically operates according to a “ransomware-as-a-service” model, wherein its ransomware is leased to other criminal groups in exchange for a cut of any payment made by the victim for the restitution of their data and systems. These payments would then be laundered through the Russian cryptocurrency exchange Garantex, claims the report. 

Until August 2023, most of the group’s attacks were launched using Qakbot malware buried inside phishing emails. According to Elliptic and Corvus Insurance’s investigation, the organisation leasing Qakbot would typically receive a 10% cut of any ransom payment, compared to Black Basta’s 14%. The relationship with Qakbot appears to have ended when the botnet was broken up by law enforcement – an event that may explain “a marked reduction in Black Basta attacks in the second half of 2023”, says the report.

More evidence has also been obtained about Black Basta’s links to the Conti Group, another Russia-based cybercriminal organisation that is thought to have shut down in 2022. “[We] have traced bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator,” said the report, strengthening the theory held by many cybersecurity researchers that the latter is a successor organisation to the former. 

Most law enforcement agencies strongly urge companies to refrain from paying ransoms for stolen data, though the reception among cybersecurity experts to proposals to outlaw such payments completely has proved mixed. There is growing international consensus on the feasibility of ending government payments to cybercriminals if public institutions are hacked. In October, for example, 40 countries signed on to the US-led International Counter Ransomware Initiative, which calls for a cessation of such payments and the creation of a “black list” of digital wallets commonly used to transfer ransomware payments. 
