Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware
Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks.
"In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News.
Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as leverage to extort cryptocurrency payments by threatening to release the stolen information.
The attack chain commences with a spear-phishing email bearing a malicious disk image file that, when opened, kickstarts the execution of Qbot, which in turn connects to a remote server to retrieve the Cobalt Strike payload. At this stage, the attackers harvest credentials and move laterally to place the red team framework on several servers, then breach as many endpoints as possible using the collected passwords and launch the Black Basta ransomware.
Black Basta remains a highly active ransomware actor.
According to data gathered by Malwarebytes, Black Basta successfully targeted 25 companies in October 2022 alone, putting it behind LockBit, Karakurt, and BlackCat.