A notorious Russian-speaking ransomware group, known as Black Basta, has reportedly collected more than $100 million in ransom payments from numerous victims since April 2022, according to a recent analysis conducted by Corvus Insurance. Using the Elliptic Investigator blockchain forensics tool, the insurance company was able to uncover the group's illicit activities and shed light on its operations.
The analysis revealed that Black Basta has received $107 million in ransom payments from over 90 victims, with the largest single payment amounting to $9 million. At least 18 of the ransoms exceeded $1 million, and the average payment was $1.2 million. These figures are considered conservative estimates, as there are likely additional ransom payments that the analysis has yet to identify.
Black Basta has been linked to both the Conti ransomware group and the Quakbot malware, suggesting a complex web of cybercriminal activities. There are strong indications that Black Basta may have emerged as a successor to Conti, as evidenced by the overlap in targeted industries such as manufacturing, construction/engineering, wholesale/retail, financial services, and transportation and logistics. Furthermore, the analysis traced significant amounts of Bitcoin from Conti-linked wallets to wallets associated with Black Basta.
Moreover, the Quakbot malware, which is commonly distributed through phishing emails, has been frequently used to deploy Black Basta ransomware. Transactions on the blockchain indicate that a portion of the ransom payments was forwarded to Quakbot wallets, suggesting a collaborative effort between the two groups. The disruption of Quakbot in August 2023 by a multinational law enforcement operation may have contributed to a decline in Black Basta attacks in the latter half of the same year.
The intricate connections between Black Basta, Conti, and Quakbot underscore the sophisticated nature of cybercriminal operations in the ransomware landscape. By leveraging blockchain forensics tools, organizations like Corvus Insurance are able to dissect the complex web of ransomware activities and track illicit transactions with a high degree of accuracy. As ransomware attacks continue to pose a significant threat to businesses worldwide, it is imperative for companies to bolster their cybersecurity defenses and remain vigilant against evolving cyber threats.