Threat Awareness – Black Basta Ransomware Employs Qakbot in Latest Attack Chain

Last week, security researchers warned that the Black Basta ransomware gang is utilizing Qakbot malware as part of an aggressive and widespread campaign targeting U.S.-based organizations. Black Basta ransomware first became operational in April 2022 and since then it has become one of the most prolific Ransomware-as-a-Service (RaaS) groups. Qakbot, which WaterISAC has reported on numerous times, is a highly modular malware used for many malicious activities such as credential harvesting and dropping ransomware. In this latest campaign, threat actors likely associated with Black Basta are sending phishing emails using an .IMG file as the initial compromise vector. After initial infection, Qakbot is deployed and used as the primary means for maintaining persistence and moving laterally. Cobalt Strike was also used to gain remote access to the domain controller. The attack culminated in the deployment of Black Basta ransomware. To make the recovery more difficult, the attacker also locked the victim out of the network by disabling DNS services. Members can protect themselves against this activity by carefully screening suspicious emails they receive and never clicking on/downloading an attachment or link. Read more at Dark Reading.