An investigation of the Black Basta ransomware group by Corvus Insurance and Elliptic has revealed the group obtained at least $107 million in ransom payments from more than 90 victims since April 2022. Black Basta is a Russia-linked ransomware-as-a-service (RaaS) operation, where affiliates are recruited to conduct ransomware attacks for a cut of the profits. The group emerged after the infamous Conti ransomware operation was shut down in June 2022, and the members split into several smaller groups, one of which is believed to be Black Basta.
Black Basta engages in double extortion tactics, where networks are breached, data are stolen, and files are encrypted. The group then requires the payment of a ransom to obtain the keys to decrypt files and also to prevent the stolen data from being leaked online or sold. Initial access was often gained via Qakbot malware, which was delivered via phishing emails. The research indicated around 10% of the ransom amount was provided to Qakbot, with the ransomware operator taking around 14% of the ransom payments.
The group certainly hit the ground running, having conducted at least 20 attacks in the first two weeks of operation, which strongly suggests the group had significant experience in conducting ransomware attacks and most likely already had access to the networks of many companies. The group was also not observed recruiting members on cybercriminal forums like other groups, which suggests they already had their affiliates in place or had strong connections to other cybercriminal groups. One of those groups is the Russian FIN7 (Carbanak) hacking group, which has been active since at least 2015.
Since April 2022, Black Basta conducted at least 329 attacks and approximately 35% of victims paid the ransom. The largest ransom payment was $9 million, 18 payments were more than $1 million, and the average ransom payment was $1.2 million. Victims include the American Dental Association, Capita, ABB, and Dish Network. Almost 62% of the attacks were conducted on targets in the United States, with manufacturing, engineering/construction, wholesale/retail, and financial services the most attacked sectors, the same sectors that were targeted by Conti.
Tracking ransomware payments was challenging, as RaaS groups rarely use the same wallets to receive payments and the victims often do not disclose the wallets they paid their ransoms to. The group also engaged in complex money laundering schemes to cover their blockchain tracks. However, using the Elliptic Investigator tool, it was possible to identify $107 million in transactions, although the real total is likely to be higher.