Researchers say Russia-linked ransomware group has raked in more than $100 million

By Raphael Satter

WASHINGTON (Reuters) – A cyber extortion gang suspected of being an offshoot of the notorious Russian Conti group of hackers has raked in more than $100 million since it emerged last year, researchers said in a report published on Wednesday.

Digital currency tracking service Elliptic and Corvus Insurance said in a joint report that the ransom-seeking cybercrime group known as “Black Basta” has extorted at least $107 million in bitcoin, with much of the laundered ransom payments making their way to the sanctioned Russian cryptocurrency exchange Garantex.

An attempt to reach Black Basta via its darkweb site was not immediately successful. Garantex, which was sanctioned by the U.S. Treasury in April of last year, did not immediately return a message.

Elliptic cofounder Tom Robinson said the massive haul made Black Basta “one of the most profitable ransomware strains of all time.” He said the researchers came up with the figure by identifying known ransom payments tied to the group and tracing how the digital currency was laundered, which revealed additional payments.

Robinson said the exercise also uncovered movements of several million dollars’ worth of bitcoin from cryptocurrency wallets linked to Conti – a now-defunct ransomware gang – to Black Basta, something he said provided “significant new evidence” that the latter was an offshoot of the former.

Conti used to be among the top ransomware gangs – groups that shake down victims either by encrypting their data and demanding money to unscramble it, by threatening to publish stolen information to the web, or both. The Russia-based group dismantled its leak site after the Kremlin’s full-scale invasion of Ukraine in early 2022 and the posting of U.S. bounties on its leadership that year, but researchers have long suspected the group merely reorganized and rebranded.

“Conti was perhaps the most successful ransomware gang we’ve seen,” Robinson said. The latest findings suggest “some of the individuals responsible are replicating its success with the Black Basta ransomware.”

(Reporting by Raphael Satter. Additional reporting by James Pearson in London. Editing by Gerry Doyle)