
Cyber Incident Victim: KFI Engineers

Date: Feb 2023

Location: United States of America

Summary

A Minnesota engineering firm serving schools and hospitals paid $300,000 to the Black Basta ransomware group after negotiations halved the initial ransom demand. The attackers claimed to have exfiltrated 1.1 TB of sensitive data, though the firm’s client-focused work likely limited exposure of highly sensitive information. Blockchain analysis revealed significant cryptocurrency transactions linked to the group, with one wallet processing over $34 million within a month, underscoring ransomware’s profitability. This incident may represent the victim’s second ransomware attack in approximately a year, following an unconfirmed BlackBytes intrusion, though details regarding the earlier event remain unclear.


Description

In early February 2023, KFI Engineers, a Minnesota-based engineering firm, experienced a ransomware attack by the Black Basta group. The attackers encrypted company systems and claimed to have exfiltrated 1.1 terabytes of data, which they vaguely classified as "sensitive." Black Basta initially demanded $600,000 to provide decryption tools and prevent data exposure but later reduced this demand to $300,000 during negotiations observed by cybersecurity researcher Marco A. De Felice. According to De Felice's reporting, KFI paid the $300,000 ransom on or around February 11, 2023. While KFI’s client list included schools and hospitals, the engineering firm was noted as unlikely to possess substantial volumes of personal health or educational records. The attackers did not specify what constituted the allegedly stolen "sensitive" data, leaving the precise scope and nature of the breach unclear.


De Felice’s monitoring of Bitcoin wallets associated with Black Basta revealed financial transactions linked to this incident alongside broader criminal activity. Analysis showed that the wallet receiving KFI’s payment also processed approximately $840,000 in additional transactions within three days, including deposits of $98,158 and $603,184 on February 14. Further investigation traced cumulative deposits totaling $34.1 million in Bitcoin between mid-January and mid-February 2023 across just two of the group’s wallets, suggesting extensive ransom payments from multiple victims. This financial tracking highlighted how ransom payments fund ongoing cybercriminal operations. Separately, unconfirmed reports indicated KFI might have suffered a prior cyberattack in December 2021 by a group called BlackBytes, though details about that incident’s resolution or any ransom payment remain undocumented. Black Basta’s ransom note threatened data disclosure, but as of February 21, 2023, no public confirmation existed regarding whether the group honored its post-payment deletion promises or leaked KFI’s data.
