Black Basta ransomware operation nets over $100M from victims in less than two years

Assumed Conti offshoot averages 7 figures for each successful attack but may have issues with, er, 'closing deals'

The Black Basta ransomware group has reportedly generated upwards of $100 million in revenue since it started operations in April 2022.

Joint research from Corvus Insurance and blockchain analysis company Elliptic estimates the crew has scooped up at least $107 million in criminal proceeds after analyzing payments made to its known cryptocurrency wallet addresses.

Black Basta is believed to be a ransomware offshoot of the former Conti group, assembled before its closure in May 2022. The group is thought to be comprised, at least in part, of former Conti members and first emerged in April 2022.

Since Black Basta spun up, the research indicates that at least 90 of its total number of victims, which tops 300 to date, have paid the criminals' ransom demands.

The biggest single-ransom sum received was $9 million while at least 18 others exceeded $1 million, averaging $1.2 million across them all.

"It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims," the researchers said

"Due to the overlap between the groups, some of these payments may also relate to Conti ransomware attacks."

Earlier signs of the gang's existence were spotted in February 2022 as malware samples have been found to date back to February 17. The infamous "Conti leaks" saga, which led to the group's shutdown, began on February 27.

Putting the mal in malware

The group's namesake ransomware kit was named by Microsoft as the joint-second most successful human-operated variant of the year, being used in 14 percent of successful breaches. It's the same rate of success as AlphV/BlackCat's and just 2 percent behind first-placed LockBit.

Black Basta's most high-profile attack of the year was unquestionably the breach of London-based outsourcing group Capita, an incident that has prompted thousands to sign up for a class action lawsuit against it. 

Capita also admitted the clean-up costs associated with the attack may be in the region of £25 million ($31.6 million).

Analysis of Black Basta's leak site suggests that around 35 percent of its victims paid the ransom demands the criminals set – a little less than the agreed-upon industry average.

Varying figures exist for the average rates at which ransomware victims end up paying the criminals, although they are all in a similar range. 

Cleveland-based law biz BakerHostetler pegged the rate of payments at around 40 percent earlier this year. Coveware's data from 2022 similarly indicated the rate is at 41 percent, as did Chainalysis' figures in January.

Black Basta's payment rate is broadly in line with the average, then, and there remains a possibility that this week's research may not have accounted for the victims that never appeared on the leak site due to paying early on after the attack. 

Having news of your org's attack posted to a ransomware group's leak site is one of many pressure tactics in a ransomware criminals' playbook, an early-stage move to prompt an organization into action. It's often followed by threats to leak stolen data, leaking data gradually, and in some recent staggering cases, reports made to regulators.

Breaking down the group's payments, the researchers found that in many cases the Qakbot botnet-cum-malware loader was used to deploy Black Basta malware. 

In cases where Qakbot was a precursor for Black Basta deployment, 10 percent of any profits made from an attack would go to Qakbot's operators.

Qakbot was disrupted by Feds earlier this year and researchers from Corvus and Elliptic said the takedown may have led to the marked slowdown in Black Basta activity during H2 2023.

Analysis of payments also indicated that the core team behind Black Basta typically collected around 14 percent of all ransom payments, a share that's typical of most ransomware-as-a-service operations, the researchers said. ®

More about


Send us news

Other stories you might like