black-basta-ransomware-gang-actively-infiltrating-us.-companies-with-qakbot-malware

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware

Companies based in the U.S. have been at the receiving end of an “aggressive” Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks.

“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network,” Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News.

Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as a leverage to extort cryptocurrency payments by threatening to release the stolen information.

This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro disclosed similar attacks that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which, in turn, was leveraged to drop Cobalt Strike.

The intrusion activity observed by Cybereason cuts out Brute Ratel C4 from the equation, instead using Qakbot to directly distribute Cobalt Strike on several machines in the infected environment.

The attack chain commences with a spear-phishing email bearing a malicious disk image file that, when opened, kickstarts the execution of Qbot, which, for its part, connects to a remote server to retrieve the Cobalt Strike payload.

At this stage, credential harvesting and lateral movement activities are carried out to place the red team framework on several servers, before breaching as many endpoints as possible using the collected passwords and launching the Black Basta ransomware.

“The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours,” the researchers noted, adding over 10 different customers were impacted by the fresh set of attacks in the past two weeks.

In two instances spotted by the Israeli cybersecurity company, the intrusions not only deployed the ransomware but also locked the victims out of their networks by disabling the DNS service in a bid to make recovery more challenging.

Black Basta remains a highly active ransomware actor. According to data gathered by Malwarebytes, the ransomware cartel successfully targeted 25 companies in October 2022 alone, putting it behind LockBit, Karakurt, and BlackCat.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Hackers using USB drives to spread malware in ongoing attack

Hackers using USB drives to spread malware in ongoing attack

According to a recent post by the cybersecurity firm Mandiant, USB drives are being used to hack targets in Southeast…
AI-Powered Smart Glasses Give Deaf People the Power of Speech

AI-Powered Smart Glasses Give Deaf People the Power of Speech

In a recent example of innovative technology making a positive difference, there is now new artificial intelligence (AI) powered smart…
16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

Seeing as scammers readily jump to capitalize on events with huge global interest, it comes as no surprise that Group-IB…