Black Basta Ransomware Group Received Over $100 Million From 90 Victims

The Black Basta ransomware group has infected over 300 victims and received more than $100 million in ransom payments.

Victim organizations have paid over $100 million in ransom demands to the Black Basta ransomware group since early 2022, a new report from blockchain analytics firm Elliptic reveals.

Active since at least April 2022 and responsible for more than 300 infections to date, which makes it the fourth-most active ransomware by number of victims, Black Basta is believed to be linked to the notorious Conti ransomware group, which closed shop last year.

Black Basta had become a major threat within months of its emergence, partnering with other cybercrime gangs and employing double extortion tactics: in addition to encrypting files, the group has been stealing victims’ data and threatening to release it on the web unless a ransom was paid.

To date, the group has claimed responsibility for several high-profile intrusions, including at UK-based business process outsourcing and professional services company Capita, Swiss industrial giant ABB, French aerospace and security giant Thales, German car parts and defense company Rheinmetall, and Canadian meat giant Maple Leaf Foods.

By analyzing blockchain transactions, Elliptic has identified more evidence that Black Basta is related to Conti, in addition to previously observed similarities in victimology, behavior, and the appearance of the groups' sites.

Black Basta has been observed targeting organizations in various industries, with the largest shares of its victims in the construction (10% of victims), law practice (4%) and real estate (3%) sectors. US-based businesses account for 61.9% of the group’s victims, followed by German firms, at 15.8%.

Elliptic believes that Black Basta has received more than $100 million in ransom payments, with roughly 35% of the group’s victims having paid a ransom.

“Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million,” Elliptic says.

The company notes that some payments might not yet show up, particularly those related to recent victims, and that other payments might be related to Conti ransomware attacks, which are difficult to distinguish because of overlaps in activity.

Some of the proceeds, Elliptic has discovered, were forwarded to the Qakbot malware operators, who have been providing access to victim networks.

“The Black Basta operator appears to take an average of 14% of ransom payments. This is a typical split seen in ransomware-as-a-service operations,” Elliptic says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

