Wednesday, December 11, 2024

Key takeaways

  • A joint investigation by Elliptic and Corvus Insurance has identified at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022.
  • Black Basta has claimed more than 329 victims, including Capita, ABB and Dish Network.
  • Analysis of blockchain transactions shows a clear link between Black Basta and the Conti Group – a Russian ransomware gang that ceased operations in 2022, around the time Black Basta appeared.
  • Much of the laundered ransom money can be traced to Garantex, a sanctioned Russian crypto exchange.

Black Basta is a Russian-linked ransomware strain that emerged in early 2022. It has been used to attack more than 329 organizations worldwide and became the fourth most active ransomware strain by victim count in 2022-2023. The group uses double extortion: it steals data before encrypting systems, then threatens to publish the stolen data unless the victim pays a ransom.

Researchers have suggested that Black Basta may be an offshoot of the Conti Group, one of the most prolific ransomware gangs of recent years. Leaked Conti chat logs hinted at links to the Russian government and at the group's support for the invasion of Ukraine, before Conti disbanded in May 2022.

Figure: Victims of Black Basta, by sector and country. (Data from the Black Basta leak site.)

Black Basta targets companies in a wide range of sectors, including construction (10% of victims), law practices (4%) and real estate (3%). Black Basta's victimology closely resembles that of the Conti ransomware group, with an overlapping appetite for many of the same industries.

Black Basta has mainly targeted US-based organizations, which account for 61.9% of all victims, followed by Germany with 15.8%.

High-profile victims include Capita, a technology outsourcer with billions of dollars in UK government contracts, and industrial automation company ABB, which has revenues of more than $29 billion. Neither company has publicly stated whether it paid a ransom.

Identifying Black Basta ransom payments

Despite the transparency of the blockchain, identifying ransom payments made in cryptocurrency can be challenging. First, ransomware groups rarely use a single wallet to receive payments, and victims rarely share details of the wallet they paid the ransom into, which makes it difficult to track a group's activity at scale. Second, these groups use complex money laundering techniques to obscure their tracks on the blockchain and conceal the illicit origin of their earnings.

However, our analysis of verified Black Basta cryptocurrency transactions using our blockchain analytics tool, Elliptic Investigator, revealed distinctive patterns in the group's activity. This allowed us to identify, with high confidence, a large number of bitcoin ransoms paid to the group.

Our analysis shows that since the beginning of 2022, Black Basta has received at least $107 million in ransoms from more than 90 victims. The largest single ransom payment identified was $9 million, and at least 18 ransoms exceeded $1 million. The average ransom payment was $1.2 million.

These figures are a lower bound: there are likely to be further Black Basta ransom payments that our analysis has yet to identify, particularly for recent victims. Because of the overlap between the two groups, some of these payments may also relate to Conti ransomware attacks.

Figure: Number of reported Black Basta attacks and paid ransoms per month. The timing of ransom payments correlates reasonably well with the timing of attacks, with peaks in payouts following peaks in attacks. The drop in payments in Q1 2023 corresponds to a period when Black Basta is reported to have paused operations.

Based on the number of known victims listed on the Black Basta leak site through the third quarter of 2023, our data shows that at least 35% of known Black Basta victims paid a ransom. This is consistent with reports that 41% of all ransomware victims paid a ransom in 2022.

Figure: Number of reported Black Basta attacks and paid ransoms per month.

Black Basta's financial connections

The Qakbot malware, which infects victims' computers via phishing emails, was commonly used as the initial infection vector for deploying Black Basta ransomware. This connection between the two groups is also visible on the blockchain: parts of some victims' ransoms were sent to Qakbot wallets.

These transactions show that approximately 10% of the ransom amount was passed to Qakbot in cases where it had provided access to the victim. Qakbot was disrupted in August 2023 by a multinational law enforcement operation, which may explain the significant reduction in Black Basta attacks in the second half of 2023.

The Black Basta operator appears to take an average of 14% of ransom payments, a split typical of ransomware-as-a-service operations, where the affiliate who carries out the attack keeps the remainder.

Our analysis of Black Basta's crypto transactions also provides new evidence of its links to the Conti Group. Specifically, we tracked several million dollars' worth of bitcoin from wallets linked to Conti to wallets linked to the Black Basta operator. This further strengthens the theory that Black Basta is an offshoot or rebrand of Conti.

Figure: A screenshot from Elliptic Investigator showing the transactional connections between Conti, Qakbot and Black Basta.

Elliptic Investigator also provides insight into how the ransom payments are laundered: proceeds worth $1 million were sent to Garantex, a Russian cryptocurrency exchange. Garantex was sanctioned by the US government in April 2022 for its role in laundering the proceeds of darknet markets and ransomware gangs such as Conti.
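To make the "follow the money" reasoning behind the ransom-split figures (10% to Qakbot, 14% to the operator) and the Garantex deposit above concrete, here is an added Python example. It is not Elliptic's code and does not use Elliptic Investigator or any Elliptic API; it traces a constructed 10 BTC ransom forward through a tiny constructed ledger using pro-rata ("haircut") taint propagation, the simplest standard attribution rule when tainted and clean coins are spent together. Every txid, address, amount and entity label in it is constructed for illustration; the 10% and 14% splits are chosen to mirror the shares reported above.

```python
"""Pro-rata ("haircut") taint tracing over a small constructed Bitcoin ledger.

Added illustration, not Elliptic's code. Every txid, address, amount and
entity label below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

FEES = "<network fees>"
UNATTRIBUTED = "<unattributed>"


@dataclass(frozen=True)
class Tx:
    """Address-level view of one transaction: BTC consumed and BTC created."""
    txid: str
    inputs: dict      # address -> BTC spent from that address
    outputs: dict     # address -> BTC paid to that address


# Constructed ledger in chronological (hence topological) order.
LEDGER = [
    # 1. Victim pays a 10 BTC ransom into an affiliate-controlled address.
    Tx("tx-ransom", {"victim-addr": 10.0}, {"ransom-addr": 10.0}),
    # 2. Affiliate splits the proceeds: 10% to the access broker, 14% to the
    #    operator, the rest to its own wallet; 0.0001 BTC goes to miners.
    Tx("tx-split", {"ransom-addr": 10.0},
       {"broker-addr": 1.0, "operator-addr": 1.4, "affiliate-addr": 7.5999}),
    # 3. Affiliate co-spends its cut with an unrelated 2.4 BTC input (simple
    #    commingling) before depositing the lot at an exchange.
    Tx("tx-deposit", {"affiliate-addr": 7.5999, "unrelated-addr": 2.4},
       {"exchange-deposit-addr": 9.9998}),
]

# Constructed address-to-entity attribution (in practice this comes from
# wallet clustering and off-chain intelligence, not from the chain itself).
LABELS = {
    "broker-addr": "Qakbot",
    "operator-addr": "Black Basta operator",
    "exchange-deposit-addr": "Garantex",
}


def trace_taint(ledger, source_addr, amount):
    """Follow `amount` BTC received at `source_addr` forward through `ledger`.

    Haircut rule: when a transaction consumes tainted and clean inputs
    together, every output (and the miner fee) inherits the same tainted
    fraction. Returns tainted BTC per terminal address, plus a FEES bucket.
    Assumes the ledger is topologically ordered and each address is spent
    in full when it appears as an input (an address-level simplification).
    """
    taint = defaultdict(float)
    taint[source_addr] = amount
    for tx in ledger:
        tainted_in = sum(taint.get(a, 0.0) for a in tx.inputs)
        if tainted_in == 0.0:
            continue                       # no traced coins move here
        total_in = sum(tx.inputs.values())
        fraction = tainted_in / total_in   # tainted share of this tx
        for a in tx.inputs:
            taint.pop(a, None)             # inputs are consumed
        for addr, value in tx.outputs.items():
            taint[addr] += value * fraction
        fee = total_in - sum(tx.outputs.values())
        if fee > 0:
            taint[FEES] += fee * fraction  # part of the ransom paid to miners
    return dict(taint)


def attribute_shares(ledger, source_addr, amount, labels):
    """Aggregate traced taint by labelled entity, as fractions of `amount`."""
    shares = defaultdict(float)
    for addr, value in trace_taint(ledger, source_addr, amount).items():
        entity = FEES if addr == FEES else labels.get(addr, UNATTRIBUTED)
        shares[entity] += value / amount
    return dict(shares)


if __name__ == "__main__":
    result = attribute_shares(LEDGER, "ransom-addr", 10.0, LABELS)
    for entity, share in sorted(result.items(), key=lambda kv: -kv[1]):
        print(f"{entity:22s} {share:8.3%}")
```

On the constructed ledger the trace attributes 10% of the ransom to the access broker, 14% to the operator and roughly 76% to the exchange deposit, with a sliver lost to fees; the clean 2.4 BTC co-spent in the last transaction dilutes the deposit's tainted fraction but does not change how much ransom money reached the exchange. The attribution rule matters: a FIFO or "poison" (any taint taints the whole output) rule would give different per-entity figures on the same transactions, so an analyst should state which rule produced a reported share.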

Leveraging insights into Black Basta's crypto activity

This research provides important information about the cryptocurrency wallet infrastructure used by one of the world’s most prolific ransomware gangs. This information can be used in two key ways:

  1. Cryptocurrency exchanges can use transaction screening tools such as Elliptic Navigator to identify customer deposits originating from Black Basta wallets, helping to prevent money laundering and providing timely intelligence to law enforcement.
  2. Law enforcement agencies can "follow the money" using blockchain forensics tools such as Elliptic Investigator to help seize assets and identify those responsible.
