According to Microsoft’s annual report on the state of cybersecurity threats around the world, France is the eighth most targeted country by Russian cybercriminals. The study shows an increase in cyberattacks, particularly against Ukraine and NATO member countries. Among the main Russian cybercriminal groups is Black Basta.
Evolution of the cybercriminal ecosystem
According to Microsoft’s annual report on the state of the threat, “Digital Defense”, there has been a 25% increase in the number of cyberattacks by Russian malicious actors over the past year. In fact, every day, Microsoft claims to block 4.5 million attempts to deploy malware.
Microsoft reports that cybercriminals are making more frequent use of various artificial intelligence (AI) tools, particularly to automate phishing methods and develop malware capable of constantly adapting to technological developments.
Despite this, the methods used by malicious ransomware groups have not changed much, as they continue to focus their attacks on public services that have a direct and immediate impact on people’s lives, such as hospitals.
From Conti to Black Basta: the continuity of a cybercriminal empire
Conti was a ransomware-as-a-service (RaaS) group considered one of the most powerful and aggressive in the cybercriminal ecosystem, active between 2019 and 2022. The Conti Group suffered leaks in 2022 and was eventually dismantled internally. However, Conti members moved on to new groups such as Black Basta.
Black Basta is a ransomware-as-a-service (RaaS) group that appeared publicly in 2022. It quickly made a name for itself through numerous targeted attacks against businesses and even healthcare institutions.
Since 2024, Black Basta ransomware has significantly stepped up its criminal activity. In particular, cybercriminals encourage their victims to install remote access tools and malware specifically designed for data theft in order to facilitate the distribution of Black Basta ransomware.
In February 2025, Black Basta was exposed by a leak from its chat server containing approximately 13 months of communication. In total, more than one million internal messages from the group were made public, revealing files that detail various exploitable information about the Black Basta group’s operations, such as how they work with phishing templates and even links to potential targets.
In pursuit of cybercriminals: the reveal of “Group 78,” a secret unit
In November 2024, European police officers and magistrates gathered at Europol headquarters in The Hague with the aim of coordinating the international investigation into the Russian cybercriminal group Black Basta. This investigation, dubbed Operation Kratos, is led by the Joint Cybercrime Action Taskforce (J-CAT), an international unit specializing in the fight against cybercrime, bringing together experts from various Europol member and partner countries.
However, during the meeting, the Federal Bureau of Investigation (FBI) created a surprise by introducing a mysterious American unit previously unknown to Europeans: “Group 78.” According to information revealed by the newspapers Le Monde and Die Zeit, “Group 78” is a secret task force of the US government tasked with neutralizing Black Basta.
This mysterious group’s strategy is twofold: to carry out actions in Russia to make life impossible for Black Basta members and force them to leave the country, making them more vulnerable to arrest warrants, and to manipulate the Russian authorities into ending their protection of the cybercriminal group.
However, this approach is considered very aggressive, as some European investigators fear that “Group 78” may carry out illegal or violent actions, compromising ongoing judicial investigations. Magistrates point out that only strict compliance with judicial procedures can ensure a sustainable and legitimate fight against cybercrime.
So why was this group founded? Which federal agencies is it linked to? Why take the risk of disrupting European judicial investigations? “Group 78” is shrouded in mystery and the FBI refuses to comment. The existence of Group 78 and its offensive strategy can be explained by the difficulties encountered by the authorities in apprehending the worst cybercriminals through judicial mechanisms alone. Indeed, when they are identified, they are often protected by the Russian state.
Today, the investigation into Black Basta continues, but the involvement of “Group 78” in international cooperation has left its mark and raised an essential question: how far can we go to fight cybercriminals without crossing the line of the law?
Sources:
- https://www.lemonde.fr/pixels/article/2025/10/16/revelations-sur-le-group-78-une-unite-secrete-americaine-chargee-de-la-lutte-contre-les-cybercriminels_6647096_4408996.html
- https://www.zeit.de/digital/2025-10/ransomware-blackbasta-fbi-bka
- https://cyberveille.esante.gouv.fr/actualites/rancongiciel-black-basta-evolution-du-mode-operatoire-de-lattaque-2024-12-17
- https://www.cloudflare.com/fr-fr/cloudforce-one/research/black-bastas-blunder-exploiting-the-gangs-leaked-chats/
- https://conseilscyber.fr/blog/blackbastagpt-l-ia-decrypte-les-secrets-d-un-gang-de-ransomware
- https://www.usine-digitale.fr/article/la-france-est-le-huitieme-pays-le-plus-cible-par-les-cybercriminels-russes.N2239793
- https://www.europol.europa.eu/how-we-work/services-support/joint-cybercrime-action-taskforce
