Cybereason researchers warned of a particularly aggressive campaign using the QakBot malware to gain entry and often leads to Black Basta ransomware being deployed. (Air Force)

The ransomware group Black Basta has been observed by researchers aggressively using the QakBot trojan to target primarily companies based in the United States. 

In a Wednesday threat alert, the Cybereason researchers said they began observing Nov. 14 that more than 10 customer environments were infected by a particularly aggressive campaign using QakBot to gain initial entry and often led to the Black Basta ransomware being deployed. The infections began with phishing emails that led to malicious URLs.

The group emerged in April and has targeted companies in the U.S., Canada, UK, Australia and New Zealand, primarily using double-extortion tactics. 

QakBot has been used to steal financial data, but also installs a backdoor allowing the threat actor to drop additional malware, namely ransomware, the researchers said.

In their post, the Cybereason researchers detail how an attack scenario started from a QakBot infection, which resulted in Cobalt Strike being loaded on multiple machines before the ransomware was deployed. The researchers also said they observed a tactic on more than one victim who was locked out of the network by disabling DNS services, making recovery more difficult.

They noted that the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

“Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign, since it can quickly lead to severe IT infrastructure damage.”
Cybereason has indicators of compromise (IoCs), including a list of IP addresses to block, as well as recommendations for its customers, at the blog post.