Black Basta Received Over $100 Million From Extortion Tactics

According to an insurance company and a blockchain analysis provider company, the Russia-linked ransomware group, Black Basta, has collected over $100 million in ransom payments from over 90 victims since its initial appearance in April 2022. The cybercrime operation targeted over 329 global victims in double extortion attacks. Group affiliates stole sensitive data from compromised systems before delivering ransomware payloads across the targets’ networks to encrypt breached systems. The stolen data is used to pressure victims into paying ransom by threatening to publish it on Black Basta’s web leak site. The analysis indicates that Black Basta received at least $107 million in ransom payments from over 90 victims since early 2022. The highest ransom payment received was $9 million, while at least 18 of the ransom topped $1 million. $1.2 million was the average ransom payment.

Even though the notion of blockchain is transparent, ransomware groups are proficient at obscuring their tracks, according to the vendors. The insurance company and a blockchain analysis provider company explained that ransomware groups rarely utilize a single cryptocurrency wallet to receive payments, and their operators’ laundering methods are complex. To make it more difficult for law enforcement to track unlawful funds, the ransomware groups may divert the funds through numerous wallets. According to companies, victims’ lack of transparency makes gathering wallet details difficult. While it was challenging, the vendors tracked the illegal activities to provide more information on the fourth most active ransomware strain based on number of victims in 2022 – 2023.

The data indicates that 35% of known Black Basta victims paid a ransom which is based on the number of known victims listed on Black Basta’s leak site through Q3 of 2023. Despite record-low ransomware payments in 2022, 41% of all ransomware victims have paid a ransom, which is consistent with one ransomware negotiation company’s findings. In April 2022, Black Basta emerged as a Ransomware-as-a-Service (RaaS) organization, targeting global corporate companies in double extortion attacks. Following the shutdown of the notorious Conti ransomware group in June 2023 due to embarrassing data breaches, the cybercrime group was divided into numerous groups, with one group believed to be Black Basta. According to a report from the Department of Health and Human Services security team, the threat group targeting 20 victims in its first two weeks of operation indicates that it’s experienced and has a source of initial access.

The sophistication level of the ransomware operators and refusal to recruit or advertise on Dark Web forums indicates why many believe that Black Basta could be a rebrand of the Russian-speaking RaaS threat group Conti or connected to other Russian-speaking cyber threat groups. Additionally, Black Basta has been connected to a well-known financially motivated cybercrime group, the Russian-speaking FIN7 breaching group Carbanak, which has been active since 2015. The ransomware group has infiltrated and extorted numerous high-profile victims since its appearance, including the American Dental Association, Sobeys, Knauf, Yellow Pages Canada, Toronto Public Library, and Rheinmetall, the German defense company. Other Black Basta’s victims include a U.K. technology outsourcing company, Capita, that earns billions of dollars from U.K. government contracts, and an industrial automation company and contractor for the United States government, ABB, with revenues exceeding $29 billion. Neither has officially stated whether they paid Black Basta ransoms.

Black Basta Connection to Conti

Conti used to carry out very disruptive attacks, including against the Irish healthcare system and the Costa Rican government agencies in 2022. In 2021, Exagrid Systems, Inc. was the victim of a Conti attack which resulted in a $2.6 million ransom payment. Conti, on the other hand, appears to have begun dismantling its operations after leaked source code in March 2022 revealed the ransomware group had received over $2 billion in cryptocurrencies since 2017. Vendors’ researchers stated that the Conti websites were no longer operational by May. Several vendors, however, revealed evidence that Conti operators had rebranded as other groups, including Black Basta. The targeted victims and the cryptocurrency exchange both groups used to conceal criminal payments were further evidence that connected Russian-affiliated Black Basta to Conti. The two vendors discovered overlaps in the targeted sectors, including construction, law practices, and real estate.

A blockchain analysis connected millions of laundered ransom payments to a Russian cryptocurrency exchange, Garantex, that the United States government sanctioned in 2022. According to the Treasury Department’s Office of Foreign Assets Control, the virtual currency exchange laundered over $100 million in illegal funds, including ransom payments from groups like Conti. While investigating payment traces, the vendors discovered that portions of some victims’ ransoms were transmitted to the wallets of Qakbot operations, a malware distributed by phishing emails that was often used to distribute Black Basta ransomware and others, including Conti. The transactions show that in cases where Qakbot was involved in providing access to the victim, approximately 10% of the ransom amount was forwarded to them. An international law enforcement operation halted Qakbot in August 2023, possibly explaining a significant decline in Black Basta attacks in the second half of 2023.

SpearTip advises companies to prioritize email security and endpoint detection and response products. The recommendations are critical since Black Basta relies on info stealers and Trojans like Qakbot to get initial access to victims’ companies. Additionally, SpearTip recommends utilizing multifactor authentication, particularly for remote access and administrator accounts, and prioritizing patch management to mitigate vulnerabilities used by threat operators. At SpearTip, our certified engineers work continuously monitoring companies’ network security infrastructures for potential ransomware threats, including Black Basta, at our 24/7/365 Security Operations Center. They are ready to respond to incidents at a moment’s notice. Our IT remediation team works to restore companies’ operations, claim their networks by isolating malware, and recover business-critical assets. ShadowSpear Platform, an integrable managed detection and response tool, exposes sophisticated unknown and advanced ransomware threats with comprehensive insights through unparalleled data normalization and visualizations. Additionally, ShadowSpear integrates with IT and security technology providers to enable the correlation of events from firewalls and network devices on a single pane of glass.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.