Black Basta, a ransomware operation believed to be run by people linked to the infamous Conti gang, has collected more than $100 million in ransom payments over the past year and a half and has hit 329 known victims.
According to a report published this week by blockchain analytics firm Elliptic, Black Basta has chosen its targets in a pattern similar to Conti's, both by geography and by industry. Nearly two-thirds of Black Basta's attacks have been against US companies, and, as with Conti, manufacturing, engineering and construction, and wholesale/retail businesses have been the most common targets. Other sectors were hit as well, including law firms and real estate offices, among others.
Elliptic, working with Corvus Insurance, traced the on-chain connections between the cryptocurrency wallets used to collect Bitcoin ransom payments and found distinctive patterns. This, the report said, allowed the researchers to attribute more than 90 ransom payments to Black Basta, averaging $1.2 million each, for a total of $107 million paid to the group.
The report noted that this figure is likely a "lower bound," however, since some payments could not be identified. The two highest-profile victims are Capita, a tech outsourcing firm with large UK government contracts, and industrial automation company ABB.
The report notes that neither company has disclosed any ransom payments. Capita did not immediately reply to requests for comment; ABB acknowledged in a statement that it experienced a “security incident,” but did not specify whether the incident involved ransomware.
“In May 2023, ABB became aware of an IT security incident impacting certain company IT systems. As a result of the incident, ABB started an investigation, notified certain law enforcement and data protection authorities, and worked with leading experts to determine the nature and scope of the incident,” according to an ABB statement sent by its media relations head. “ABB also took steps to contain the incident and further enhance the security of its systems. Based on its investigation, ABB determined that an unauthorized third party accessed certain ABB systems and exfiltrated certain data. The company is working to identify and analyze the nature and scope of affected data, and is further assessing its notification obligations.”