Conti-linked ransomware takes in $107 million in ransoms: Report

Black Basta, a ransomware campaign thought to be the brainchild of people linked to the infamous Conti malware gang, has been paid more than $100 million in the past year and a half, infecting 329 known victims.

According to a report published this week by blockchain analytics firm Elliptic, the Black Basta ransomware has attacked targets in a pattern similar to that of the Conti gang, both in terms of regionality and industry. Nearly two-thirds of Black Basta’s attacks have been against US companies, and, like Conti, manufacturing, engineering and construction and wholesale/retail businesses have been the most common targets. Other industries were also targeted, however, including law firms, real estate offices, and more besides.

Elliptic, in concert with Corvus Insurance, researched the blockchain connections between cryptowallets used to accept Bitcoin ransom payments, and discovered distinctive patterns. This, the report said, allowed the researchers to identify more than 90 ransom payments to Black Basta, which averaged $1.2 million each. They identified a total of $107 million in payments to the group.

The report noted that this figure is likely to be a “lower bound,” however, given the likelihood of payments that they were unable to identify. The two highest-profile victims are Capita, a tech outsourcing firm with huge UK government contracts, and industrial automation company ABB. (The report notes that neither company has disclosed any ransom payments. The companies did not immediately reply to requests for comment.)

Black Basta is primarily distributed via the Qakbot malware, which works through email phishing  campaigns. The researchers said that percentage payments were apparently made to both the “operators” of Black Basta — suggesting that this is a ransomware-as-a-service endeavor — and that similar payments went to Qakbot for that group’s participation in the attacks.

The disruption of the Qakbot network, in August, may help explain a “marked reduction” in Black Basta attacks in recent months, according to the report, which also found evidence of links between cryptowallets used in Black Basta payments and those of the Conti gang, a Russia-based cybercrime organization thought to be linked to that country’s government.

The researchers also hypothesize that the ransom payments are being laundered through the Russian cryptocurrency exchange known as Garantex. They note that Garantex was sanctioned in April 2022 by the US government for doing business with marketplaces using the darknet — an internet network overlay that allows connections to be made only among trusted peers using non-standard protocols and ports — and ransomware gangs.


Go to Source