Black Basta's Ransom Money Surpasses $100 million in Less Than Two Years

 

Researchers have discovered that since the Black Basta ransomware gang first surfaced early last year, victims of its double-extortion attacks have paid the gang more than $100 million. With the haul, which included taking over $1 million from at least 17 victims and $9 million from one victim, the Russian-affiliated gang is now among the highest-ranking ransomware operators. 

Blockchain analytics startup Elliptic and cyber insurance provider Corvus claimed in a joint research post published on November 29 that Black Basta had targeted at least 329 organisations and had received payments totaling at least $107 million from over 90 victims. The researchers said that based on the number of victims in the 2022–2023 period, the gang was the fourth most active strain of ransomware. 

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” the researchers explained. 

To put Black Basta's earnings into perspective, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory in June stating that LockBit, a "prolific" rival gang, had received $91 million from victims in the United States between early 2020 and mid-2023. This year, Black Basta has hit major victims such as ABB, a Swiss technology company, Capita, a British outsourcing company, and Dish Network.

The gang is thought to have split off from the Conti Group, a notorious ransomware operator that disbanded last year. It employs double-extortion techniques, stealing confidential information from victims, encrypting their networks, and threatening to release the data if a ransom isn't paid. Qakbot malware was frequently used to spread the Black Basta ransomware. 

According to the Elliptic and Corvus report, Qakbot's botnet was taken down by authorities in August, which could account for the notable decline in Black Basta attacks in the second half of the year. Elliptic researchers discovered links between Black Basta and Qakbot on the Bitcoin blockchain, with parts of ransoms paid to Black Basta being transferred to Qakbot wallets. 

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim,” the researchers added. “Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator.”