Black Basta Ransomware Group Makes $100m Since 2022

Written by

A prolific Russian-speaking ransomware group has made over $100m from dozens of victims since April 2022, new analysis has revealed.

Corvus Insurance used the Elliptic Investigator blockchain forensics tool to lift the lid on the Black Basta group.

The tool helped it to uncover patterns in the group’s online activities which enabled it to trace a large number of Bitcoin ransoms with a high degree of certainty.

“Our analysis suggests that Black Basta has received at least $107m in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9m, and at least 18 of the ransoms exceeded $1m. The average ransom payment was $1.2m,” said Corvus Insurance.

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims.”

Read more on Black Basta: Black Basta Ransomware Attacks Linked to FIN7 Threat Actor

The analysis uncovered links between Black Basta and both the Conti ransomware group and the Quakbot malware.

It’s long been suspected that Black Basta is an offshoot of Conti, a prolific ransomware group which ceased operations at the time Black Basta began. The new analysis from Corvus highlighted significant crossover in targeted sectors – with both focusing their efforts on manufacturing, construction/engineering, wholesale/retail, financial services, and transportation and logistics firms.

It also traced several million dollars’ worth of Bitcoin from Conti-linked wallets to wallets associated with Black Basta.

Meanwhile, Quakbot, which infects victim machines through phishing emails, is often used to deploy Black Basta.

“This link between the groups is also visible on the blockchain, with portions of some victims’ ransoms sent to Qakbot wallets,” Corvus continued.

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim. Qakbot was disrupted in August 2023 by a multinational law enforcement operation – perhaps explaining a marked reduction in Black Basta attacks in the second half of 2023.”

What’s hot on Infosecurity Magazine?