A Russian-Speaking Ransomware Group Makes Over $100m in Bitcoin Ransoms
A new analysis conducted by Corvus Insurance using the Elliptic Investigator blockchain forensics tool has revealed that a prolific Russian-speaking ransomware group, known as Black Basta, has made over $100 million from dozens of victims since April 2022.
Key Findings:
- Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims.
- The largest ransom payment received was $9 million, with at least 18 ransoms exceeding $1 million.
- The average ransom payment was $1.2 million.
Corvus Insurance noted that these figures are likely a lower bound, as there may be additional ransom payments made to Black Basta that have not been identified yet.
Links to Other Cyber Criminal Groups:
The analysis also uncovered links between Black Basta and other cyber criminal groups, including the Conti ransomware operation and the Qakbot malware.
- Black Basta is believed to be an offshoot of Conti, with significant crossover in targeted sectors such as manufacturing, construction/engineering, wholesale/retail, financial services, and transportation and logistics firms.
- Several million dollars’ worth of Bitcoin from Conti-linked wallets were traced to wallets associated with Black Basta.
- Qakbot, which infects victim machines through phishing emails, is often used to deploy Black Basta.
Corvus Insurance highlighted that there is a visible link between the groups on the blockchain, with portions of some victims’ ransoms being sent to Qakbot-associated wallets. In cases where Qakbot operators provided the initial access to the victim, approximately 10% of the ransom amount was forwarded to Qakbot wallets.
In addition, a multinational law enforcement operation disrupted Qakbot in August 2023, which may explain the marked reduction in Black Basta attacks observed in the second half of 2023.
Overall, the analysis sheds light on the operations of Black Basta and its connections to other cyber criminal groups, providing valuable insights into the evolving landscape of ransomware attacks.