Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware

Posted: Nov. 24, 2022 by Interware Team

An "aggressive" Qakbot malware campaign that results in Black Basta ransomware infections on compromised networks has targeted U.S.-based businesses.

According to Cybereason researchers Joakim Kandefelt and Danielle Frankel, "in this most recent campaign, the Black Basta ransomware gang is leveraging QakBot malware to generate an initial point of entry and migrate laterally within an organization's network."

Black Basta, which first appeared in April 2022, employs the time-tested strategy of double extortion: it exfiltrates private information from targeted businesses and then uses it as leverage to demand cryptocurrency payments under threat of disclosing the information.

The ransomware group has been spotted utilising Qakbot (aka QBot, QuackBot, or Pinkslipbot) before. Similar assaults that involved using Qakbot to distribute the Brute Ratel C4 framework, which was then used to drop Cobalt Strike, were revealed by Trend Micro last month.

Brute Ratel C4 is not a factor in the intrusion activity seen by Cybereason; instead, Qakbot delivers Cobalt Strike directly to a number of machines in the compromised environment.

The attack chain starts with a spear-phishing email that contains a malicious disc image file. When this file is opened, it launches Qbot, which in turn establishes a connection with a remote server to download the Cobalt Strike payload.

At this point, operations such as credential harvesting and lateral movement are conducted to install the red team framework on numerous servers. After that, the goal is to compromise as many endpoints as possible using the credentials obtained, and then to release the Black Basta ransomware.

The researchers stated that over 10 distinct customers had been affected by the most recent round of attacks in the last two weeks. "The threat actor got domain administrator rights in less than two hours and advanced to ransomware distribution in less than 12 hours," they added.

In two cases, the Israeli cybersecurity firm discovered that the breaches not only installed the ransomware but also prevented the victims from accessing their networks by turning off the DNS service in an effort to make recovery more difficult.
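The attack chain described above (disc image attachment, Qbot execution, outbound connection for the Cobalt Strike download) and the DNS service shutdown noted in the previous paragraph are sequences a defender can correlate in endpoint telemetry. The following is an added example, not part of the article and not Cybereason's or any vendor's detection logic: a small Python correlator over constructed endpoint log lines in an assumed `key=value` format. It flags a user-opened disc image followed within a short window by a process launched from a mounted volume and an outbound connection from that process, and separately flags a stop of the DNS service. The field names, the ten-minute window, and the heuristic that a path on a drive other than C: means a mounted image are all assumptions made for the demo.

```python
"""Added example: correlate constructed endpoint log lines against the chain the article
describes (disc image attachment -> Qbot execution -> outbound C2 -> later DNS service
shutdown). Not a vendor's detection logic; the log format, field names, time window and
drive-letter heuristic are assumptions for this demo."""
import re
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> host=<h> user=<u> event=<type> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

DISC_IMAGE_EXT = (".iso", ".img", ".vhd", ".vhdx")
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed: how long after the image is opened we correlate

# Constructed sample logs: one infection chain on WS01, benign activity on WS02,
# and the DNS service stop on a domain controller later in the intrusion.
SAMPLE_LOGS = """\
2022-11-20T08:02:11 host=WS01 user=alice event=file_open path=C:\\Users\\alice\\Downloads\\invoice_4481.iso
2022-11-20T08:02:19 host=WS01 user=alice event=process_start image=D:\\invoice.exe parent=C:\\Windows\\explorer.exe
2022-11-20T08:03:05 host=WS01 user=alice event=net_connect image=D:\\invoice.exe dst=203.0.113.7:443
2022-11-20T10:00:00 host=WS02 user=bob event=file_open path=C:\\Users\\bob\\Documents\\report.docx
2022-11-20T10:00:04 host=WS02 user=bob event=process_start image=C:\\Windows\\notepad.exe parent=C:\\Windows\\explorer.exe
2022-11-20T19:15:02 host=DC01 user=SYSTEM event=service_stop name=DNS
"""


def parse_line(line):
    """Parse one assumed-format log line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("kv")))
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def on_mounted_volume(path):
    # Assumption for the demo: the system drive is C:, so an executable whose path sits on
    # another drive letter was launched from a mounted disc image.
    return len(path) > 2 and path[1] == ":" and path[0].upper() != "C"


def correlate_disc_image(opened, later_records):
    """Disc image opened -> process launched from a mounted volume on the same host
    -> outbound connection from that process, all inside CORRELATION_WINDOW."""
    deadline = opened["ts"] + CORRELATION_WINDOW
    launched = None
    for rec in later_records:
        if rec["ts"] > deadline:
            break
        if rec.get("host") != opened.get("host"):
            continue
        if launched is None and rec.get("event") == "process_start" and (
            on_mounted_volume(rec.get("image", "")) or on_mounted_volume(rec.get("parent", ""))
        ):
            launched = rec
        elif launched and rec.get("event") == "net_connect" and rec.get("image") == launched.get("image"):
            return {"rule": "disc_image_exec_beacon", "host": opened["host"], "user": opened.get("user"),
                    "image_file": opened["path"], "process": launched["image"], "dst": rec.get("dst"),
                    "ts": opened["ts"]}
    if launched:  # execution seen but no outbound connection inside the window: still worth a look
        return {"rule": "disc_image_exec", "host": opened["host"], "user": opened.get("user"),
                "image_file": opened["path"], "process": launched["image"], "dst": None,
                "ts": opened["ts"]}
    return None


def detect(log_text):
    """Return alert dicts ordered by the timestamp of the event that triggered them."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    alerts = []
    for i, rec in enumerate(records):
        ev = rec.get("event")
        if ev == "file_open" and rec.get("path", "").lower().endswith(DISC_IMAGE_EXT):
            alert = correlate_disc_image(rec, records[i + 1:])
            if alert:
                alerts.append(alert)
        elif ev == "service_stop" and rec.get("name", "").upper() == "DNS":
            # The article reports the intruders stopped the DNS service to hinder recovery.
            alerts.append({"rule": "dns_service_stop", "host": rec.get("host"), "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

Running the block prints two alerts: the WS01 chain (image file, spawned process, and destination of its outbound connection) and the DNS service stop on DC01; the benign document open on WS02 produces nothing. In real telemetry the drive-letter heuristic should be replaced by the mount event your EDR actually records, and the window tuned to the dwell times you observe.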

Black Basta remains a highly active ransomware actor. According to data gathered by Malwarebytes, the ransomware cartel successfully targeted 25 companies in October 2022 alone, putting it behind LockBit, Karakurt, and BlackCat.
