Black Basta Crew Using Qakbot in Widespread Ransomware Strikes
A potentially widespread ransomware campaign run by the Black Basta hacking crew is primarily targeting U.S.-based companies with Qakbot (aka QBot, Pinkslipbot) malware, a new Cybereason report said.
Black Basta, which surfaced this past April and is composed of founding Conti members, typically targets organizations in the U.S., Canada, U.K., Australia, and New Zealand. The group is known for pilfering sensitive information and then extorting victims for as much as $2 million by threatening to post the data on the dark market unless the victim meets its ransom demands.
Black Basta Observed Using QakBot
Cybereason’s managed services team observed multiple infections of Black Basta using QakBot beginning more than a year ago. These QakBot infections began with a spam/phishing email containing malicious URL links. In the last two weeks, Cybereason observed more than 10 different customers affected by the latest campaign. Black Basta is thought to have hit some 50 organizations in the U.S. in the last seven months.
Qakbot is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes and credentials. Black Basta is using Qakbot to install a backdoor allowing the hackers to drop ransomware on the network, the report said.
Here are Cybereason’s key observations on the Black Basta campaign:
- In the different cases of compromise identified, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
- Cybereason has assigned a threat level of “high” given the nature of the campaign.
- Threat actors leveraging the Qakbot loader are targeting mainly U.S.-based companies and acting quickly on any spear phishing victims they compromised.
- Among the identified Qakbot infections, two allowed the threat actor to deploy ransomware and then lock the victim out of its network by disabling the victim’s DNS service, complicating any recovery efforts.
- One particularly fast compromise led to the deployment of Black Basta ransomware, which led Cybereason to link Qakbot to Black Basta.
- Cybereason also observed the threat actor using Cobalt Strike during the compromise to gain remote access to the domain controller.
- Ransomware was deployed and the attacker then disabled security mechanisms, such as endpoint detection and response (EDR) and antivirus programs.
How to Protect Your Organization
Here are six steps to take for organizations to fend off a Qakbot infection:
- Block users whose machines were involved in the attack to stop or at least slow down attacker propagation over the network.
- Identify network flows toward malicious IPs or domains identified in the reports and block connections to stop the attacker from controlling the compromised machines.
- If domain controllers were accessed by the attacker, assume every account may have been stolen; when rebuilding the network, reset all Active Directory credentials and access.
- Investigate the actions of the attacker thoroughly to ensure you’ve not missed any activity and you’ve patched everything that needs to be patched.
- Isolate and re-image all infected machines, to limit the risk of a second compromise or the attacker getting subsequent access to the network.
- Proactively search for assets that have potentially been exploited. Based on the search results, take further remediation actions, such as isolating the infected machines, and deleting the payload file.
- To prevent this infection technique from succeeding, consider disabling auto-mounting of disk image files (primarily .iso, .img, .vhd, and .vhdx).
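The last step above can be applied on Windows hosts by hiding the Explorer "Mount" verb for disk-image file types. This is an added example written for this article, not code from Cybereason's report; it assumes a Windows 10/11 host, an elevated PowerShell session, and that `.iso`/`.img` resolve to the `Windows.IsoFile` ProgID and `.vhd`/`.vhdx` to `Windows.VhdFile`.

```powershell
# Added example (not from the report): hides the shell "Mount" verb for the
# disk-image types that Qakbot lures abuse, so a double-click on a phishing
# attachment no longer mounts it. Mount-DiskImage still works for admins.
# Assumption: .iso/.img use Windows.IsoFile, .vhd/.vhdx use Windows.VhdFile.
$MountVerbKeys = @(
    'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount',
    'HKLM:\SOFTWARE\Classes\Windows.VhdFile\shell\mount'
)

function Disable-ImageAutoMount {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $MountVerbKeys) {
        if (-not (Test-Path $key)) {
            Write-Warning "Verb key not present, skipping: $key"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, 'Set ProgrammaticAccessOnly')) {
            # An empty REG_SZ named ProgrammaticAccessOnly removes the verb from
            # the shell UI (double-click and context menu) without deleting it.
            New-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' `
                -Value '' -PropertyType String -Force | Out-Null
        }
    }
}

function Test-ImageAutoMountDisabled {
    # Returns $true only when every present mount verb carries the marker,
    # so it can be used as a compliance check from a scheduled job.
    $results = foreach ($key in $MountVerbKeys) {
        if (-not (Test-Path $key)) { continue }
        $prop = Get-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' `
            -ErrorAction SilentlyContinue
        [bool]$prop
    }
    return -not ($results -contains $false)
}

Disable-ImageAutoMount -WhatIf   # dry run; remove -WhatIf to apply
Test-ImageAutoMountDisabled
```

Roll the change out through Group Policy Preferences or your endpoint management tool rather than by hand, and re-run the check after feature updates, which can restore the default verbs.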
Cybereason also said that users of its cyber platform should set the Cybereason Anti-Ransomware protection mode to Prevent. In addition, enable Variant Payload Protection (VPP) in your Cybereason sensor policy: Upgrade to a version that has VPP and enable it, as this will completely prevent Black Basta ransomware execution. VPP is supported in version 21.2.100 and above (Beta, and disabled by default) and 22.1.183 and above (GA, and enabled by default).