
Black Basta: Exploring the Activities, Earnings, and Connections of a Notorious Ransomware Group

Posted: December 6, 2023


Black Basta Ransomware Group Activities

The Black Basta ransomware group, a notorious cybercriminal entity, has reportedly generated more than an estimated $100 million since it began operations in April 2022. Joint research by Corvus Insurance and the blockchain analysis firm Elliptic indicates that this sum results from attacks on multiple victims, more than 300 to date.

Ransomware Group has Infected Over 300 Victims

An in-depth analysis of payments made to Black Basta's known cryptocurrency wallet addresses reveals that at least 90 of the group's victims have paid the demanded ransom. The payments vary widely in size, with the largest standing at $9 million. At least 18 of these payments exceeded the $1 million mark, and the average across all payments is $1.2 million. However, the researchers caution that these figures represent a lower bound rather than the total, since other payments to the group may not yet have been identified.

Believed to be Linked to The Notorious Conti Ransomware Group

The Black Basta group is believed to be an offshoot of the infamous Conti ransomware group, which disbanded in May 2022. The two groups are thought to share members, and ransom payments to the two groups appear to overlap, indicating a shared history of attacks. The first visible traces of Black Basta emerged in April 2022, and the group is believed to comprise, in part or in full, former members of Conti.

The Group has Claimed Responsibility for Several High-Profile Intrusions

Notably, the Black Basta group has been responsible for massive disruptions, carrying out high-profile intrusions that resulted in substantial financial burdens for their victims. The research found that the group's activities can be traced back as far as February 2022, which potentially aligns with the "Conti leaks" saga that began on February 27 and eventually led to the disbandment of the Conti group.

Targets Organizations in Various Industries

The ransomware operations of the Black Basta group are not confined to any specific sector or industry. Their extortion activities have encompassed a wide range of organizations, exploiting security vulnerabilities and causing enormous damage in their wake. This broad victim base drives the group's revenue and underscores the urgent need for stronger cybersecurity measures across all industries.

Amount from Ransom

According to the Elliptic and Corvus Insurance research, the Russia-based Black Basta ransomware group has accumulated over $100 million in ransom payments since its formation in early 2022. The group, suspected to be an offshoot of the Conti ransomware gang, has targeted numerous victims globally, exploiting their cybersecurity vulnerabilities for substantial financial gain.

Earned Over $100 Million in Ransom Payments

As mentioned, the research indicates that Black Basta has received at least $107 million in Bitcoin ransom payments. This sum comes from over 90 known victims, each facing the dilemma of paying to regain control of their compromised systems. However, because ransomware groups use sophisticated money laundering techniques to conceal the sources of their illicit profits and cover their tracks on the blockchain, these figures are likely an underestimate of the group's total revenue.

Roughly 35% of the Group's Victims Have Paid a Ransom

After analyzing data from Black Basta's leak site through the third quarter of 2023, the researchers concluded that approximately 35% of known Black Basta victims paid the ransom. This statistic aligns with reported data that 41% of all ransomware victims paid a ransom in 2022, a reminder of how widespread ransom payment remains.

The Largest Received Ransom Payment Was $9 Million

Among the ransom payments received by Black Basta, the largest single payment stands out at $9 million. This figure illustrates the scale of the financial pressure this ransomware group places on its victims.

The Average Ransom Payment Was $1.2 Million

Despite the variance in the ransom payments, the report indicates that the average payment made to Black Basta is approximately $1.2 million. Furthermore, at least 18 of these payments crossed the $1 million mark. The group continues to extort considerable sums by capitalizing on the vulnerability of its victims, posing a grave challenge to global cybersecurity.

Connection to Other Cybercrime Activities

The activities of the Black Basta ransomware group bear striking similarities and apparent connections to other noteworthy players in cybercrime. Drawing together the threads from blockchain transactions and victim ransom payments, an intricate picture of links to other threat actors, such as Conti and the operators of the Qakbot malware, emerges.

Some Payments are Found to be Related to Conti Ransomware Attacks

The connection between Black Basta and the Conti ransomware group is supported by blockchain evidence. Many ransom payments made to Black Basta show links to wallets associated with the Conti group. Furthermore, Bitcoin worth several million dollars has been traced from Conti-linked wallets to those associated with the operators of Black Basta. These findings strengthen the hypothesis that Black Basta did not originate in isolation but traces its lineage to the Conti group.

The Group Splits the Proceeds With Qakbot Malware Operators

Another interesting facet of the Black Basta operation is its collaboration with the operators of the Qakbot malware, which infects victims' computers through phishing emails. Qakbot has been identified as a common tool for deploying the Black Basta ransomware. Transactions observable on the blockchain show about 10% of a victim's ransom being forwarded to Qakbot wallets, an arrangement typical of cases where Qakbot provided the initial access to the victim. Furthermore, the Black Basta operator has been observed to take an average of 14% of ransom payments, reflecting the standard split seen in ransomware-as-a-service operations.

The disruption of the Qakbot malware by a multinational law enforcement operation in August 2023 appears to correspond with a noticeable reduction in Black Basta attacks in the second half of 2023. Further exploration with Elliptic Investigator provides insight into the group's money laundering process: millions of dollars' worth of the group's proceeds have been traced to Garantex, a Russian cryptocurrency exchange known for its role in laundering the proceeds of darknet marketplaces and ransomware gangs such as Conti.

Blockchain Analytics Firm Elliptic Identified Links Between Black Basta and Conti

The crucial links between Black Basta and the Conti group were discovered using Elliptic's blockchain analysis. Elliptic's research played a vital role in revealing the connection, demonstrating that Bitcoin worth several million dollars passed from Conti-linked wallets to those associated with Black Basta. This finding reinforces the theory that Black Basta is an offshoot or successor of Conti and provides valuable insight into the relationships between different ransomware gangs.

Evidence Found by Analyzing Blockchain Transactions

Through its analysis of blockchain transactions, Elliptic found further evidence of Black Basta's "ransomware-as-a-service" model, under which Black Basta leases its ransomware to other criminal groups and takes a cut of the payments made by victims. The investigation also found that ransom payments were typically laundered through the Russian cryptocurrency exchange Garantex. Elliptic's investigation confirms the partnership between Black Basta and Qakbot, whose operators received roughly a 10% cut of ransom payments.
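The revenue-split pattern described above (about 14% to the operator, about 10% to the Qakbot access broker) and the lower-bound payment statistics from the earlier section can be modelled as a simple flow-share heuristic over payment data. The following is an added illustration, not code from Elliptic or Corvus; the transaction amounts, cluster labels and the matching tolerance are constructed assumptions, and real analysis would work on clustered on-chain addresses rather than pre-labelled USD values.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Split ratios reported in the article (operator ~14%, Qakbot ~10%);
# the +/- 1.5 percentage-point tolerance is an assumption for this example.
SPLIT_RATIOS = {"operator": 0.14, "access_broker": 0.10}
TOLERANCE = 0.015


@dataclass
class Payment:
    victim_id: str
    amount_usd: float
    outflows: dict[str, float]  # destination cluster label -> USD forwarded


def classify_outflows(p: Payment) -> dict[str, str]:
    """Label each outflow whose share of the inbound ransom matches a known split ratio."""
    labels: dict[str, str] = {}
    for dest, usd in p.outflows.items():
        share = usd / p.amount_usd
        for role, ratio in SPLIT_RATIOS.items():
            if abs(share - ratio) <= TOLERANCE:
                labels[dest] = role
    return labels


def recurring_roles(payments: list[Payment]) -> Counter:
    """Count how often each cluster receives a given split share across victims.
    A cluster that repeatedly takes the operator share is a candidate operator wallet."""
    counts: Counter = Counter()
    for p in payments:
        for dest, role in classify_outflows(p).items():
            counts[(dest, role)] += 1
    return counts


def lower_bound_stats(payments: list[Payment]) -> dict[str, float]:
    """Statistics over identified payments only; undiscovered payments make these a floor."""
    amounts = [p.amount_usd for p in payments]
    return {
        "paid_victims": len(amounts),
        "total_usd": sum(amounts),
        "max_usd": max(amounts),
        "avg_usd": sum(amounts) / len(amounts),
        "over_1m": sum(1 for a in amounts if a > 1_000_000),
    }


# Constructed sample data: three victims, each forwarding shares to labelled clusters.
CONSTRUCTED = [
    Payment("v1", 2_000_000, {"clusterA": 280_000, "clusterB": 200_000, "clusterC": 1_520_000}),
    Payment("v2", 500_000, {"clusterA": 70_000, "clusterD": 430_000}),
    Payment("v3", 9_000_000, {"clusterA": 1_260_000, "clusterB": 900_000, "clusterE": 6_840_000}),
]
```

Running `recurring_roles(CONSTRUCTED)` shows clusterA receiving the 14% share in all three cases and clusterB the 10% share in two, which is the kind of consistency that supports labelling a cluster as an operator or access-broker wallet.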

Elliptic Suggests More Payments Might Not Yet Show Up, Particularly if Related to Recent Victims

Elliptic's blockchain analysis suggests that more ransom payments to Black Basta may yet emerge. The clandestine nature of ransomware payments, coupled with victims' reluctance to disclose them, makes tracking these transactions challenging. Elliptic continues to monitor blockchain transactions and expects that more payments, particularly those associated with recent victims, will eventually appear.