It was revealed earlier today that several companies based in the Us had been victims of an aggressive QakBot malware campaign that allows Black Basta ransomware infections to access affected networks.
Cybereason researchers have detailed how the Black Basta ransomware gang has been using the QakBot malware to provide them with a point of entry into the affected company’s network.
The Attack Marks the Latest by the Prolific Black Basta Ransomware Gang
The Black Basta Ransomware Gang, which emerged earlier this year, has been using ransomware techniques to steal sensitive financial and customer data from data access networks. They then use that stolen data to extort the affected companies into making cryptocurrency ransom payments in exchange for not releasing the data on the dark web.
The gang was observed to have used the same QakBot malware in a similar spate of attacks last month. In these earlier attacks, Qakbot was used to deliver a Brute Ratel C4 framework which then enabled a Cobalt Strike.
Who Are the Black Basta Ransomware Gang?
The threat actor is thought to have ties with the Russian cybercriminal gang FIN7. The gang has been extremely active since its emergence and is known to have successfully targeted 25 different organizations in October. This makes the new threat actor one of the most active cybercrimes ransomware threats, along with Blackcat, LockBit, and Karakurt.
The group has thus far targeted organizations based in Canada, the US, the UK, New Zealand, and Australia. Cybereason has said that the threat level from this cybercriminal gang is currently high, given the widespread and prolific nature of the attacks over the past weeks.
How Did the QakBot Ransomware Attack Infiltrate the Affected Systems?
However, in these latest attacks, Black Basta has been using Qakbot to directly distribute Cobalt Strike to the infected systems, bypassing Brute Ratel C4 entirely. The cyber-attack began with a phishing email, which, when opened, triggered the execution of the QakBot. The QakBot then connected to a remote server to enable the Cobalt Strike to enter the infected network.
Following this, lateral movement activities and credential harvesting took place. Once passwords were collected via these methods, data breaches were accomplished, and the ransomware was launched. This trojan attack enabled the theft of financial data, password credentials, browser information, and keystrokes.
The Ransomware Locked Administrators Out of Their Networks
it has been reportage that over the past two weeks, over 10 different US-based companies have been hit by this type of ransomware attack. Using this process, the Black Basta gang could gain administrator privileges of a domain in under two hours and deploy their ransomware within twelve hours.
In two different attacks, the intrusive ransomware also disabled the DNS service of affected networks, locking administrators out of the system and making system recoveries more challenging following the attack.
Cybereason is advising that an organization’s security and data breach detection teams remain vigilant, as this type of ransomware attack can lead to substantial damage to IT infrastructure.
