
Southern Water takes the fifth over alleged $750K Black Basta ransom offer

Southern Water neither confirms nor denies offering Black Basta a $750,000 ransom payment following its ransomware attack in 2024.

The Register asked the utility company – which oversees water and wastewater services across the South of England and Isle of Wight – about the alleged ransom offer after it was included in last week’s leaked internal Black Basta chats.


A Southern Water spokesperson dodged the question: “As soon as we became aware, over a year ago, of an illegal intrusion affecting our IT systems (not affecting our operations or services to customers), we informed all relevant bodies, including NCSC and Defra. We and our advisers worked closely with NCSC throughout the incident.”

The leaked chats indicate Black Basta demanded $3.5 million from Southern Water following the January 2024 attack. According to the chat logs, the demands were initially ignored by the utility company before being shot down entirely.

“Hello. I discussed your offer with the Board, and as I expected, your current demand is still too steep for us to even consider,” the chat logs read. “Contrary to your assertions, we’re not the largest UK water source provider and we only operate in specific parts of South East England. We’re also a privately owned utilities company with far fewer than one hundred regulators operating only on a national level. Therefore, we’re prepared to face whatever challenges may come as a result of this incident. However, we also understand that there may still be a benefit in paying you.

“Having said that, the Board is ready to increase our numbers to show you that we’re taking this negotiation seriously and hope to reach an agreement with you sooner rather than later. We’re now offering to pay you **$750,000** in exchange for a speedy resolution of this incident. If this works for you, we’ll be happy to proceed further with next steps. So, please let me know.”

Scouring the chats, it’s unclear whether the alleged offer was accepted. The leaked messages appear to only pertain to a chat room populated by Black Basta members.

Sometimes, like in the above case, messages between victims and extortionists would be posted to the chat room for discussion, but full chats between Black Basta and victims are not included in the leaked data.

The logs indicate Southern Water sent the message on February 12, 2024, and there was no other mention of the company for two weeks, at which point “GG,” the assumed head of the ransomware operation, messaged: “southernwater.co.uk – removal log.”

A user named “Tinker” also said on March 19, 2024: “southernwater.co.uk – These have already paid, remember?”

The information was gleaned using a combination of Hudson Rock's BlackBastaGPT tool and The Register's manual translation of the raw chat data, which our sources sent our way.

It quickly became apparent that the responses of BlackBastaGPT were in many cases hallucinated or at least confused. When looking into its results for the Southern Water exchanges, it routinely regurgitated chat extracts from other victims, and in some cases fabricated content that didn’t exist.

Cheeky leaks

With that in mind, any firm conclusions about the gang drawn from BlackBastaGPT should be taken with a pinch of salt and verified against the raw data.

However, infosec watchers have been tinkering with the tool since its launch on Friday, unearthing insights that could be both useful and amusing.

The tool can be used to learn about spats between group members, such as affiliates and higher-ranking members feeling that they were being underpaid. In some cases, affiliates earned a cut of roughly 20 percent of ransom payments, whereas at rival operations they could expect cuts of up to 80 percent.

The log can also reveal the ways in which Black Basta attacks would unfold, common entry points, and social engineering tactics.

Undocumented goals of attacks were hinted at in some cases too, such as the amount of data affiliates are instructed to exfiltrate before encrypting victims.

One member, “Ugway,” believed to be a social engineering specialist for the crew, was only able to extract “30-40 GB” from one victim, to which GG responded: “That is not enough. Very little… Here you need to pump 1 TB… How green you are still.”

Our reporting of the Southern Water incident at the time noted that the utility company had around 750 GB worth of data exfiltrated, which seems to align with the excerpt. ®
