Ransomware campaigns are everywhere, targeting big companies and industries regardless of their line of work. A single ransomware attack is dangerous enough, let alone two separate ones. But when two malware operations team up, things go from dangerous to devastating. That’s exactly what’s happening now as Black Basta sets foot in this industry.
We’ve seen the famous QBot in action before. This time around, however, Black Basta has partnered with the QBot operation to infect and move through hacked corporate environments with ease.
This collaboration can inflict enormous damage on whoever the victim is. But why does Black Basta need QBot? The ransomware operators have carried out attacks before without any help. Why now? We cover everything in the following article.
Black Basta’s New Strategy – Enter QBot Collaboration
As we mentioned, ransomware operators target companies with big names so they can harvest as much money as they can. Some old, some new, some resurfaced: everything is possible when it comes to ransomware.
Black Basta falls into the “new” category, considering it first appeared in April 2022. However, while new, these folks are not joking around.
In the ransomware scene, there’s no better way to debut than to infiltrate a high number of companies. Black Basta did exactly that, breaching at least twelve companies in just a few weeks. Now that’s a way to quickly catapult yourself into this industry.
The way Black Basta operates doesn’t differ much from other ransomware gangs. It also steals information and documents before encrypting a company’s devices.
Once the data is encrypted, the victim receives a notice that looks exactly like the following:
“Your network is encrypted by the Black Basta group. Instructions in the file readme.txt.”
On the other hand, QBot (QakBot) is Windows malware designed to harvest banking credentials and drop further malware payloads on infected devices.
This won’t be QBot’s first ransomware collaboration. In fact, it has previously acted alongside the likes of ProLock, Egregor, DoppelPaymer, and MegaCortex.
QBot/Black Basta – The Ultimate Malicious Partnership
Now, QBot has a new partner in crime in the form of Black Basta. The NCC Group discovered this partnership after a recent incident where the techniques used led straight to Black Basta.
Normally, ransomware gangs use QBot for initial access. According to NCC, however, this is not the case here. Instead, the Black Basta gang used it to spread laterally throughout the network.
To be exact, QBot creates a temporary service on the infected device and configures it to execute the QBot DLL using regsvr32.exe. According to the researchers:
“Qakbot was the primary method utilized by the threat actor to maintain their presence on the network. The threat actor was also observed using Cobalt Strike beacons during the compromise.”
The researchers added how precise the execution is, as the attackers have thought of everything. Apparently, the victims’ anti-virus software, and even Windows Defender, are rendered useless during the intrusion.
Once the Black Basta ransomware takes hold, the attackers prompt their victim to open a .txt file that contains the ransom note. It’s a standard Black Basta template with a URL to a Tor site where the targets can negotiate with the operators.
As reported by the researchers at NCC, QBot can move through the networks it infects. However, the ransomware doesn’t execute immediately, which gives the victims a small window to avoid such a predicament.
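The service-based regsvr32.exe execution described above is something defenders can hunt for in that small window. The following is an added example, not code from this article or from NCC's report: it runs simple detection logic over constructed records modelled on Windows System log Event ID 7045 (“A service was installed in the system”); the field names, service names and paths are assumptions, not indicators from the incident.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on Event ID 7045 (service installed)
# and 7036 (service state change). These are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler Helper",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "hkxgq",
     "ImagePath": r"regsvr32.exe -s C:\Windows\Temp\a1b2c3.dll"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe /svc"},
    {"EventID": 7036, "ServiceName": "hkxgq", "ImagePath": ""},
    {"EventID": 7045, "ServiceName": "capi",
     "ImagePath": r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\capi.dll"},
]

# regsvr32 either bare or with a full path, with or without the .exe suffix.
REGSVR32 = re.compile(r"(^|[\\\s\"'])regsvr32(\.exe)?\b", re.IGNORECASE)
DLL_ARG = re.compile(r"(\S+\.dll)\b", re.IGNORECASE)
# User-writable or remote locations where a staged payload DLL is more likely to live.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\|^\\\\", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    dll: str
    severity: str


def find_regsvr32_services(events):
    """Return a Finding for every newly installed service whose binary path runs regsvr32."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service installations are of interest here
        path = ev.get("ImagePath", "")
        if not REGSVR32.search(path):
            continue
        m = DLL_ARG.search(path)
        dll = m.group(1) if m else "<no .dll argument>"
        severity = "high" if SUSPICIOUS_DIRS.search(dll) else "medium"
        findings.append(Finding(ev["ServiceName"], dll, severity))
    return findings


if __name__ == "__main__":
    for f in find_regsvr32_services(SAMPLE_EVENTS):
        print(f"[{f.severity}] service '{f.service}' loads {f.dll} via regsvr32")
```

A service whose ImagePath is regsvr32 is unusual for legitimate software, so even the medium finding deserves a look; the high finding pairs the technique with a DLL staged in a temporary directory.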
A Malicious Collaboration – Together We Stand
With such a collaboration, the damage is huge. However, there are several warning signs before the attack takes place.
Since Black Basta is working with QBot, users should expect the intrusion to begin with a malicious email. If you manage to avoid that, you’ll be safe.
Don’t click on links you don’t trust, stay vigilant, and you’ll be able to avoid a predicament like this and protect yourself.