November 30, 2023 at 09:42AM
Since early 2022, the Black Basta ransomware group has extorted over $100 million from victims. Linked to the defunct Conti group, Black Basta employs double extortion tactics, targeting diverse industries, primarily in the US. Analysis by Elliptic ties them to Conti and shows a significant portion of victims pay ransoms, with $107 million traced.
Meeting Takeaways:
1. Financial Impact:
– Victim organizations have paid over $100 million in ransoms to Black Basta since early 2022.
2. Group Activity:
– Black Basta has been active since at least April 2022.
– Responsible for 300+ infections, ranking as the fourth-most active ransomware by victim count.
– Has ties to the defunct Conti ransomware group.
3. Tactics and Impact:
– Employs double extortion tactics, including file encryption and data theft with a threat of public release.
– Linked to high-profile attacks on Capita, ABB, Thales, Rheinmetall, and Maple Leaf Foods.
4. Financial Tracing:
– Elliptic has analyzed blockchain transactions that indicate possible connections to Conti.
– Blockchain evidence suggests Black Basta has collected at least $107 million across more than 90 victims.
5. Victim Demographics:
– Targets various industries, notably construction (10%), law (4%), and real estate (3%).
– Predominantly targets US-based businesses (61.9%), with German firms the next most affected (15.8%).
6. Ransom Payments:
– About 35% of victims have paid a ransom.
– Largest known ransom is $9 million, with at least 18 ransoms over $1 million.
– The average ransom payment is $1.2 million.
7. Financial Relationships:
– Proceeds linked to Qakbot malware operators, indicating a business relationship.
– Black Basta operators typically keep 14% of ransom payments, indicative of ransomware-as-a-service practices.
8. Additional Notes:
– Payments might change due to recent or undetected transactions.
– Payments might be mistakenly attributed to Conti due to overlapping activities.
– Related reports indicate an increase in ransomware attacks on industrial organizations and identify associations with other cybercrime groups like FIN7.