Joint research by Elliptic and Corvus Insurance has identified at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022.
Black Basta has infected over 329 victims, including Capita, ABB, and Dish Network.
Analysis of blockchain transactions shows a clear link between Black Basta and the Conti Group - a Russian ransomware gang that ceased operations in 2022, around the time that Black Basta emerged.
Much of the laundered ransom payments can be traced onwards to Garantex, the sanctioned Russian crypto exchange.
Black Basta Overview
Black Basta is a Russia-linked ransomware that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023. The group employs double-extortion tactics whereby they extort the victim by threatening to publish stolen data unless the victim pays a ransom.
Researchers have suggested that Black Basta may be an offshoot of Conti Group, one of the most prolific ransomware gangs of the past few years. Leaks of Conti’s online chats hinted at its links to the Russian government and its support for the invasion of Ukraine, before the group dissolved in May 2022.
Black Basta targets businesses in a wide variety of sectors including construction (10% of victims), law practices (4%) and real estate (3%). In fact, Black Basta’s victimology closely resembles that of the Conti ransomware group, with both showing an appetite for many of the same industries.
Black Basta has largely focused on U.S.-based organizations, accounting for 61% of all victims, followed by Germany at 15%.
High-profile victims of Black Basta include Capita, a technology outsourcer with billions of dollars in UK government contracts, and industrial automation company ABB, which has revenues of over $29 billion. Neither company has publicly disclosed whether they paid a ransom.
Identifying Black Basta Ransom Payments
Despite the transparency of blockchains, it can be challenging to identify ransom payments made in cryptocurrency. First, ransomware groups rarely use a single wallet to receive payments, and victims rarely share details of the wallet they have paid ransoms to. This can make it difficult to track a ransomware group’s activity at scale. Second, these groups also employ complex laundering techniques to cover their blockchain tracks and conceal the illicit source of their profits.
However, our analysis of verified Black Basta cryptocurrency transactions using our crypto investigations tool, Elliptic Investigator, has uncovered unique patterns in the group’s activity. This has allowed us to identify a large number of Bitcoin ransoms paid to the group, with high confidence.
Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.
It should be noted that these figures are a lower bound - there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify - particularly relating to recent victims. Due to the overlap between the groups, some of these payments may also relate to Conti ransomware attacks.
The total value of Bitcoin ransoms paid to Black Basta, by quarter. The dip in payments in Q1 of 2023 corresponds to a period when Black Basta is reported to have paused operations.
Based on the number of known victims listed on Black Basta’s leak site through Q3 of 2023, our data indicates that at least 35% of known Black Basta victims paid a ransom. This is consistent with reports that 41% of all ransomware victims paid a ransom in 2022.
The number of reported Black Basta attacks, and ransoms paid, by month. The timing of the ransom payments correlates reasonably well with the timing of attacks, with peaks in payments following peaks in attacks.
Uncovering Black Basta's Financial Links
The Qakbot malware, which infects victim computers through email phishing attacks, was commonly used to deploy the Black Basta ransomware. This link between the groups is also visible on the blockchain, with portions of some victims’ ransoms sent to Qakbot wallets. These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim. Qakbot was disrupted in August 2023 by a multinational law enforcement operation - perhaps explaining a marked reduction in Black Basta attacks in the second half of 2023.
The Black Basta operator appears to take an average of 14% of ransom payments. This is typical of ransomware-as-a-service operations.
Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator. This further strengthens the theory that Black Basta is an offshoot or rebrand of Conti.
A screenshot from Elliptic Investigator, showing transactional links between Conti, Qakbot and Black Basta.
Elliptic Investigator also provides insights into how the ransom payments are being laundered, with millions of dollars worth of the group’s proceeds being sent to Garantex, a Russian cryptocurrency exchange. Garantex was sanctioned by the US government in April 2022 for its role in laundering the proceeds of darknet marketplaces and ransomware gangs such as Conti.
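The tracing described in the preceding paragraphs (a ransom split between the affiliate, the operator's roughly 14% cut and the access broker's roughly 10% share, with the affiliate's remainder moving on towards an exchange deposit) can be illustrated with a small forward-tracing script. This is an added example, not Elliptic's tooling or code: the ledger, address names and cluster labels are constructed placeholders, the split percentages are taken from the figures quoted above, and the attribution rule is a simple pro-rata (proportional) taint model that ignores miner fees, which is one common heuristic rather than the method Elliptic Investigator uses.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Tx = Dict[str, object]

# Constructed, hypothetical ledger in a simplified UTXO style. Amounts are in
# BTC, transactions are in chronological order, and every address is a
# placeholder, not a real on-chain address.
TRANSACTIONS: List[Tx] = [
    # tx1: the victim pays the ransom into the affiliate's collection address
    {"txid": "tx1", "inputs": [("victim_addr", 100.0)],
     "outputs": [("collection_addr", 100.0)]},
    # tx2: the collection address splits the ransom: 14% to the operator,
    # 10% to the access broker, the remainder to the affiliate
    {"txid": "tx2", "inputs": [("collection_addr", 100.0)],
     "outputs": [("operator_addr", 14.0), ("broker_addr", 10.0),
                 ("affiliate_addr", 76.0)]},
    # tx3: the affiliate moves part of its share through an intermediate hop
    {"txid": "tx3", "inputs": [("affiliate_addr", 76.0)],
     "outputs": [("hop_addr", 50.0), ("affiliate_change", 26.0)]},
    # tx4: the hop is co-spent with unrelated funds into an exchange deposit
    {"txid": "tx4", "inputs": [("hop_addr", 50.0), ("unrelated_addr", 50.0)],
     "outputs": [("exchange_deposit", 100.0)]},
]

# Constructed address-to-cluster labels, standing in for attribution data an
# investigator would already hold. Tracing stops once a labelled address is hit.
LABELS: Dict[str, str] = {
    "operator_addr": "operator",
    "broker_addr": "access broker",
    "exchange_deposit": "sanctioned exchange",
}


def trace_forward(seed_addr: str, seed_amount: float, txs: List[Tx],
                  labels: Dict[str, str]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Follow a known ransom payment forward through the ledger.

    Taint is allocated pro rata: each output of a transaction receives the
    spent taint in proportion to its share of the transaction's total output
    (miner fees are ignored in this toy model). Returns (amount reaching each
    labelled cluster, taint still sitting on unlabelled addresses).
    """
    taint: Dict[str, float] = defaultdict(float)
    taint[seed_addr] = seed_amount
    reached: Dict[str, float] = defaultdict(float)
    for tx in txs:
        # Taint spent by this transaction is whatever its input addresses hold.
        taint_in = sum(taint.pop(addr, 0.0) for addr, _ in tx["inputs"])
        if taint_in == 0.0:
            continue
        total_out = sum(amt for _, amt in tx["outputs"])
        for addr, amt in tx["outputs"]:
            share = taint_in * amt / total_out
            if addr in labels:
                reached[labels[addr]] += share
            else:
                taint[addr] += share
    return dict(reached), dict(taint)


def output_fractions(tx: Tx) -> List[Tuple[str, float]]:
    """Each output's fraction of the transaction's total output value."""
    total_out = sum(amt for _, amt in tx["outputs"])
    return [(addr, amt / total_out) for addr, amt in tx["outputs"]]


def matches_split_pattern(tx: Tx, expected: Tuple[float, ...] = (0.14, 0.10),
                          tol: float = 0.02) -> bool:
    """True if the transaction carries one output near each expected share.

    The defaults encode the operator (14%) and access-broker (10%) cuts quoted
    in the post; the tolerance is an assumption for this example.
    """
    fractions = [frac for _, frac in output_fractions(tx)]
    return all(any(abs(frac - want) <= tol for frac in fractions) for want in expected)


if __name__ == "__main__":
    reached, unresolved = trace_forward("victim_addr", 100.0, TRANSACTIONS, LABELS)
    for cluster, amount in sorted(reached.items()):
        print(f"{amount:6.2f} BTC reached cluster '{cluster}'")
    for addr, amount in sorted(unresolved.items()):
        print(f"{amount:6.2f} BTC still unattributed at {addr}")
    for tx in TRANSACTIONS:
        print(tx["txid"], "looks like an affiliate split:", matches_split_pattern(tx))
```

Two things the script makes visible that the prose only states: the split fingerprint (outputs near 14% and 10% of the total) fires on tx2 alone, which is the kind of pattern that lets new ransoms be attributed to the group before a victim comes forward, and the pro-rata rule attributes only half of the exchange deposit in tx4 to the ransom because the hop was co-spent with unrelated funds, so a real investigation has to decide which mixing heuristic it trusts before quoting a laundered total.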
This joint research conducted by Elliptic and Corvus Insurance has shed light on the extent of damage caused by Black Basta ransomware. The analysis of blockchain transactions has revealed a clear link between Black Basta and Conti Group, supporting the possibility of the former being an offshoot of the latter. Black Basta has shown resilience despite the takedown of Qakbot; defenders should therefore not write Black Basta off as an insignificant threat.
E-mail protection and Endpoint Detection and Response (EDR)
Implement robust e-mail protection and EDR. These are crucial given the group’s reliance on infostealers to gain initial access.
Multi-factor Authentication (MFA)
Use MFA wherever possible, particularly for remote access and administrative accounts, to add an extra layer of security against credential theft.
Keep all systems, software, and applications up-to-date with the latest security patches to reduce vulnerabilities.