Black Basta ransomware payments exceed $100M since 2022

The Black Basta ransomware gang accrued more than $107 million in ransom payments from more than 90 victims over the past year and a half, according to new research from Corvus Insurance and blockchain analytics vendor Elliptic.

The joint research was documented in blog posts Wednesday from Corvus and Elliptic. Using blockchain analysis, the research shed light on Black Basta ransom payment amounts, the number of victims and the top targeted sectors. The vendors also confirmed reports that linked Black Basta to the notorious Conti ransomware group, which disbanded around May 2022.

The vendors acknowledged that while the concept of blockchain is transparent, ransomware groups are skilled at obfuscating their tracks. Corvus and Elliptic described operators' laundering techniques as "complex" and said ransomware groups rarely use a single cryptocurrency wallet to receive payments. The illicit funds might be rerouted through multiple wallets to make it more difficult for law enforcement to track them. Lack of transparency from victims also makes it hard to gather wallet details, the companies said.

While difficult, the vendors traced illicit activity to provide further insight on the "fourth-most active strain of ransomware by number of victims in 2022-2023." After emerging in 2022, Black Basta showed how dangerous it could be by claiming more than 329 victims, including Capita, ABB and Dish Network. Dish apparently paid the ransom demand after suffering an outage.

"Based on the number of known victims listed on Black Basta's leak site through Q3 of 2023, our data indicates that at least 35% of known Black Basta victims paid a ransom. This is consistent with reports that 41% of all ransomware victims paid a ransom in 2022," the companies wrote in the report.

Blockchain analysis indicates that Black Basta received at least $107 million in ransom payments since early 2022 spread out across more than 90 victims. Operators took an average of 14% of the ransom payments, which Corvus and Elliptic said is typical of ransomware-as-a-service operations.

According to the research, the largest ransom payment Black Basta received was $9 million, and the average payment was $1.2 million. At least 18 of the ransoms exceeded $1 million.

Ryan Bell, Corvus' threat intelligence manager, was most surprised by the sheer monetary impact of the Black Basta ransomware group.

"It's quite an achievement for any legitimate company to make $100M in revenue, but here we see a gang of cybercriminals able to do it in roughly a year and a half. As just one among dozens of active ransomware groups, this research gives us a 'tip of the iceberg' view on just how large the financial impact of ransomware is," Bell said in an email to TechTarget Editorial.

However, the true numbers for Black Basta are likely much higher than the numbers cited in the research. Elliptic said the figures don't account for the most recent Black Basta ransom payments. Due to Black Basta and Conti's overlapping timeline, it was also difficult for the vendors to determine if some of the payments were related to Conti ransomware attacks.