The Black Basta ransomware group is actively targeting U.S.-based companies using QakBot malware to create a first point of entry and move laterally within organizations’ networks. According to reports, several Black Basta infections using QakBot began on November 14, 2022. Here’s what we know.
Black Basta, which emerged in April 2022, specifically targets organizations in the U.S., Canada, United Kingdom, Australia and New Zealand. The group employs double extortion: it steals sensitive data from targeted companies, then uses it as leverage to extort cryptocurrency payments by threatening to release the stolen information.
QakBot (also called QBot or Pinkslipbot) is a banking trojan first discovered in 2007. The information-stealing malware helps threat actors abscond with financial data, browser information, keystrokes and credentials.
This is not the first time Black Basta has been observed using QakBot. Last month, security researchers also disclosed similar attacks that used QakBot to deliver the Brute Ratel C4 framework, which was in turn leveraged to drop Cobalt Strike.
This recent Black Basta intrusion activity cuts Brute Ratel C4 out of the equation, instead using QakBot to directly distribute Cobalt Strike on several machines in the infected environment. The attack chain commences with a spear-phishing email containing a malicious disk image file, which kickstarts the execution of QBot. QBot then connects to a remote server to retrieve the Cobalt Strike payload.
Nuspire actively threat hunts for indicators of compromise (IoCs) within client environments.
We recommend you implement precautionary measures to prevent and detect Black Basta ransomware, including using anti-ransomware or anti-malware programs. Additionally, make sure you patch and update your systems to the latest version. Lastly, establish regular backups of your files to a remote server, and implement organizational firewalls, proxies, web filtering and mail filtering.
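The attack chain above starts with a disk image attached to a spear-phishing email, and mail filtering is one of the recommended controls. The following is an added example, not from the original advisory: a Python check that a mail-filtering pipeline could run to flag disk-image attachments by extension or file signature, including images renamed to hide their type. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: the advisory names no specific image format; these are common ones.
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")
ISO9660_OFFSET = 0x8001    # "CD001" sits one byte into sector 16 of an ISO 9660 image
ISO9660_MAGIC = b"CD001"
VHDX_MAGIC = b"vhdxfile"   # file type identifier at offset 0 of a VHDX image

def looks_like_disk_image(filename, payload):
    """Return a reason string if the part resembles a disk image, else None."""
    name = (filename or "").lower()
    for ext in DISK_IMAGE_EXTS:
        if name.endswith(ext):
            return "extension " + ext
    # Content check catches images whose extension was changed.
    if payload[ISO9660_OFFSET:ISO9660_OFFSET + 5] == ISO9660_MAGIC:
        return "ISO 9660 signature"
    if payload.startswith(VHDX_MAGIC):
        return "VHDX signature"
    return None

def scan_message(raw_bytes):
    """Return [(filename, reason)] for every disk-image-like MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():            # walk() also reaches nested parts
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        reason = looks_like_disk_image(part.get_filename(), payload)
        if reason:
            hits.append((part.get_filename(), reason))
    return hits

def build_sample():
    """Constructed message: a PDF, an ISO renamed to .dat, and a .ISO file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    fake_iso = bytearray(0x8800)
    fake_iso[ISO9660_OFFSET:ISO9660_OFFSET + 5] = ISO9660_MAGIC
    for data, sub, name in ((b"%PDF-1.7 constructed", "pdf", "invoice.pdf"),
                            (bytes(fake_iso), "octet-stream", "scan.dat"),
                            (b"constructed", "octet-stream", "Report.ISO")):
        msg.add_attachment(data, maintype="application", subtype=sub, filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print("quarantine candidate:", name, "-", reason)
```

Archives are not unpacked here, so a disk image delivered inside a ZIP would need an extraction step before this check.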