Ransomware, Malware, Threat Management

Black Basta ransomware group targeting US companies with QakBot malware

A customer service technician types on a computer.
Cybereason researchers warned of a particularly aggressive campaign using the QakBot malware to gain entry and often leads to Black Basta ransomware being deployed. (Air Force)

The ransomware group Black Basta has been observed by researchers aggressively using the QakBot trojan to target primarily companies based in the United States. 

In a Wednesday threat alert, the Cybereason researchers said they began observing Nov. 14 that more than 10 customer environments were infected by a particularly aggressive campaign using QakBot to gain initial entry and often led to the Black Basta ransomware being deployed. The infections began with phishing emails that led to malicious URLs.

The group emerged in April and has targeted companies in the U.S., Canada, UK, Australia and New Zealand, primarily using double-extortion tactics. 

QakBot has been used to steal financial data, but also installs a backdoor allowing the threat actor to drop additional malware, namely ransomware, the researchers said.

In their post, the Cybereason researchers detail how an attack scenario started from a QakBot infection, which resulted in Cobalt Strike being loaded on multiple machines before the ransomware was deployed. The researchers also said they observed a tactic on more than one victim who was locked out of the network by disabling DNS services, making recovery more difficult.

They noted that the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

“Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign, since it can quickly lead to severe IT infrastructure damage.”
Cybereason has indicators of compromise (IoCs), including a list of IP addresses to block, as well as recommendations for its customers, at the blog post.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.