Victim organizations have paid over $100 million in ransom demands to the Black Basta ransomware group since early 2022, a new report from blockchain analytics firm Elliptic reveals.
Active since at least April 2022 and responsible for more than 300 infections to date – becoming the fourth-most active ransomware by number of victims – Black Basta is believed to be linked to the notorious Conti ransomware group, which closed shop last year.
Black Basta had become a major threat within months of its emergence, partnering with other cybercrime gangs and employing double extortion tactics: in addition to encrypting files, the group has been stealing victims’ data and threatening to release it on the web unless a ransom was paid.
To date, the group has claimed responsibility for several high-profile intrusions, including at UK-based business process outsourcing and professional services company Capita, Swiss industrial giant ABB, French aerospace and security giant Thales, German car parts and defense company Rheinmetall, and Canadian meat giant Maple Leaf Foods.
By analyzing blockchain transactions, Elliptic has identified further evidence that Black Basta is related to Conti, adding to previously observed similarities in victimology, behavior, and the look of the groups’ sites.
Black Basta has been observed targeting organizations in various industries, with most of its victims being in the construction (10% of victims), law practices (4%) and real estate (3%) sectors. US-based businesses account for 61.9% of the group’s victims, followed by German firms, at 15.8%.
Elliptic believes that Black Basta has received more than $100 million in ransom payments, with roughly 35% of the group’s victims having paid a ransom.
“Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million,” Elliptic says.
The company notes that some payments might not yet be visible, particularly those related to recent victims, and that other payments might stem from Conti ransomware attacks, which are difficult to distinguish because the two groups’ activity overlaps.
Some of the proceeds, Elliptic has discovered, were forwarded to the Qakbot malware operators, who have been providing access to victim networks.
“The Black Basta operator appears to take an average of 14% of ransom payments. This is a typical split seen in ransomware-as-a-service operations,” Elliptic says.