Cybercrime certainly pays: An infamous ransomware group has received at least $107 million in Bitcoin payments since early 2022, researchers say.
Black Basta, a Russian-speaking ransomware gang, received payments from 90+ victims, according to blockchain tracking firm Elliptic and cybersecurity insurance provider Corvus.
The findings underscore how paying ransomware gangs can fuel and enrich the hackers behind the attacks. Elliptic says Black Basta's victims include outsourcing firm Capita, industrial equipment provider ABB, and Dish Network, which has suggested it paid the ransom.
It has long been known that individual ransom demands from hackers can reach into the millions. But tracking them all, and attributing them to specific gangs, can be difficult. The cybercriminals not only use different cryptocurrency wallets for each ransom demand, they also attempt to conceal the funds through various laundering services.
However, Elliptic found a way to track all the ransom payments to Black Basta by identifying “unique patterns in the group’s activity, [which] allowed us to identify a large number of Bitcoin ransoms paid to the group, with high confidence,” the company said.
“The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million,” Elliptic added. “The average ransom payment was $1.2 million.”
Still, the $107 million only captures part of Black Basta’s total earnings. Elliptic and Corvus estimate the gang has attacked 329 organizations globally, most of them based in the US. That said, only about 115 victims likely paid the ransoms.
Like other ransomware gangs, Black Basta uses a "double extortion" tactic to pressure victims to pay them: First, the group will encrypt entire fleets of computers, shutting them down. At the same time, the gang will also steal sensitive data and threaten to leak it online unless the ransom is paid.
To attack victims, Black Basta previously used computers already infected with the Qakbot malware to launch their ransomware infections. But in August, the FBI announced it had dismantled the Qakbot infrastructure, which likely dealt a blow to Black Basta’s operations.