Key takeaways

  • Joint research by Elliptic and Corvus Insurance has identified at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022.
  • Black Basta has infected over 329 victims, including Capita, ABB and Dish Network.
  • Analysis of blockchain transactions shows a clear link between Black Basta and the Conti Group - a Russian ransomware gang that ceased operations in 2022, around the time that Black Basta emerged.
  • Much of the laundered ransom payments can be traced onwards to Garantex, the sanctioned Russian crypto exchange.

Black Basta is a Russia-linked ransomware strain that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023. The group employs double-extortion tactics: in addition to encrypting systems, it threatens to publish stolen data unless the victim pays a ransom.

Researchers have suggested that Black Basta may be an offshoot of the Conti Group, one of the most prolific ransomware gangs of the past few years. Leaks of Conti’s online chats hinted at its links to the Russian government and its support for the invasion of Ukraine, before the group dissolved in May 2022.

Black Basta targets businesses in a wide variety of sectors including construction (10% of victims), law practices (4%) and real estate (3%). In fact, Black Basta’s victimology closely resembles that of the Conti ransomware group, with an overlapping appetite for many of the same industries.

Black Basta has largely focused on US-based organizations, accounting for 61.9% of all victims, followed by Germany at 15.8%.

High-profile victims include Capita, a technology outsourcer with billions of dollars in UK government contracts, and industrial automation company ABB, which has revenues of over $29 billion. Neither company has publicly disclosed whether they paid a ransom.