Anyone who wonders why the threat of ransomware continues to grow need only to take a look at Black Basta, the prolific extortion gang that last year likely rose from the ashes of the high-profile Russian group Conti.

Black Basta has raked in at least $107 million in ransom payments in Bitcoin since early 2022 and become the fourth largest ransomware strain based on the number of victims over the past years. The threat group has collected at least 329 victims during that time, according to a study by blockchain analytics company Elliptic and cyber-insurance firm Corvus.

Most of the ill-gotten gains by the group have been funneled to Garantex, a four-year-old Russian crypto exchange that was sanctioned by the U.S. Treasury Department in 2022 for laundering more than $100 million from cybercrime organizations or the dark web marketplaces, including almost $6 million from Conti.

Black Basta, which is a ransomware and a ransomware-as-a-service (RaaS) operation, uses double-extortion techniques against its victims, first stealing files before launching the ransomware on the victims’ systems to encrypt the data. The group then threatens to make the sensitive data if the ransom isn’t paid, putting more pressure on the company to meet the ransom demands.

The Bitcoin Rolls In

According to the report, the $107 million in ransom payment came from more than 90 of the companies the threat group infected, with the largest payment being $9 million and at least 18 reaching more than $1 million. The average payment was $1.2 million, Elliptic and Corvus wrote.

The number of victims listed on Black Basta’s leak site through the third quarter indicates that at least 35% of known victims paid a ransom. Ransom recovery firm Coveware reported earlier this year that in 2022, 41% of all ransomware victims paid the ransom, a significant drop from 76% three years earlier.

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” Ellitpic and Corvus wrote. “Due to the overlap between the groups, some of these payments may also relate to Conti ransomware attacks.”

The Black Basta operator seems to take about a 14% cut of the ransom payments collected when using the ransomware.

Links With Conti

Elliptic and Coveware also were able to show links between Black Basta and Conti, which started its RaaS operations before falling apart after a series of data leaks and its support of Russia’s illegal invasion of Ukraine. There also were other pressures, including the U.S. State Department offering a $15 million reward for information on Conti’s leaders.

After Conti dissolved in May 2022, it splintered into other groups, including Black Basta. The threat actor ramped up operations quickly, attacking 19 prominent enterprises and more than 100 victims in its first few months, according to cybersecurity firm Sectrio.

The companies noted that “Black Basta’s victimology closely resembles that of the Conti ransomware group, both with an overlapping appetite for many of the same industries.” Those sectors include manufacturing, engineering and construction, retail, and financial services.

Almost 62% of the victims were in the United States, with Germany a distant second at almost 16%.

By analyzing Black Basta’s crypto transactions, Elliptic and Coveware were able to find more connections with Conti.

“In particular, we have traced bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator,” they wrote. “This further strengthens the theory that Black Basta is an offshoot or rebrand of Conti.”

They also noted the use by Black Basta of the Garantex crypto exchange, which also was favored by Conti.

Extensive Lineup of Victims

Black Basta’s lineup of victims include the American Dental Association, the Toronto Public Library, and Yellow Pages Canada. Elliptic and Corvus also pointed to Capita, a tech outsourcer with billions of dollars in UK government contracts, and ABB, an industrial automation company with more $29 billion in revenues. Neither have said whether they paid the ransom, the researchers said.

The researchers noted that Qakbot malware, which infected target computer through phishing attacks, was often used by bad actors to deliver Black Basta ransomware, a link that Elliptic and Corvus saw on the blockchain. About 10% of the ransom collected to victims went to Qakbot in cases where the malware was involved.

The FBI and other law enforcement agencies around the world shut down Qakbot’s infrastructure in late August, disrupting its operations, which the researchers said could explain a marked reduction in Black Basta attacks in the second half of this year.

Still, “Black Basta has shown resilience despite the takedown of Qakbot, therefore, defenders should not write Black Basta off as an insignificant threat,” the Elliptic and Corvus researchers wrote.