November 30, 2023 at 08:24AM
Since April 2022, the Black Basta ransomware group has amassed over $107 million, with at least 90 out of 300+ victims paying ransoms. Likely evolved from Conti, the group uses Qakbot for malware deployment and shares typical ransomware-as-a-service payment structures. Its breach of Capita sparked widespread legal action.
Meeting Takeaways:
1. The Black Basta ransomware group has generated an estimated $107 million in criminal revenue since beginning operations in April 2022.
2. This figure results from analyzing payments to the group’s known cryptocurrency wallet addresses, as conducted by Corvus Insurance and Elliptic.
3. Black Basta is believed to be a derivative of the former Conti group, with some members of Conti suspected to be part of Black Basta, which emerged shortly before Conti’s closure in May 2022.
4. Research shows that more than 90 out of over 300 victims have paid ransoms to Black Basta.
5. The largest known ransom payment to the group was $9 million, with at least 18 ransom payments exceeding $1 million, and an average of $1.2 million across those higher payments.
6. The cited figures are considered conservative, suggesting actual total payments may be higher, and there might be overlap with Conti-related attacks.
7. Black Basta’s activities were retrospectively identified as early as February 2022, based on malware samples dating back to February 17.
8. Microsoft ranks Black Basta alongside AlphV/BlackCat as the joint-second most successful human-operated ransomware in terms of breach success rates.
9. One of Black Basta’s most notable attacks was on Capita in London, resulting in significant clean-up costs of approximately £25 million ($31.6 million) and a subsequent class action lawsuit.
10. Approximately 35% of Black Basta’s victims have paid ransoms, slightly below the industry average of 40-41% reported by BakerHostetler, Coveware, and Chainalysis.
11. Payment rates could be underestimated due to early payments preventing victim details from appearing on Black Basta’s leak site.
12. Publishing attacks on leak sites is a common initial pressure tactic among ransomware groups, potentially followed by other threats.
13. Operators of the Qakbot botnet, which serves as a precursor for Black Basta malware deployment, are entitled to 10% of the ransom profits.
14. Black Basta activity has slowed in H2 2023, possibly due to disruption of Qakbot by authorities.
15. The core Black Basta team typically takes about 14% of all ransom payments, consistent with the ransomware-as-a-service model.