Recently Joakim Kandefelt and Danielle Frankel, researchers at Cybereason, a cybersecurity organization, announced that the Black Basta ransomware is operating a new campaign targeting U.S. companies with QakBoat malware. The malicious actors are trying to enter and later capture the organization’s network through this campaign.
The threat actors use dangerous ransomware known as Black Basta Ransomware as a tool to capture the data of the victim’s network or system. This ransomware is specially targeted at organizations instead of individuals. Black Basta Ransomware captures and locks the data of the targeted organization by using encryptions that cannot be cracked without the specific decryption keys.
Black Basta ransomware was first observed in April and was considered to be an outgrowth of the Conti ransomware. It uses the tested method of double extortion to extract confidential information from the targeted organization. After collecting this data, the cyber attackers use it to coerce the victim to get a ransom in exchange for the data. The attackers threaten the victim to release the information to the public in case the victim fails to pay demanded ransom.
It is worth noting that Black Basta Ransomware attacks on a network make changes to the victim's desktop. These changes include renaming the original file name with the ‘.basta’ file extension, changing the desktop background with a new image, and creating a new file on the system as “readme.txt.” The wallpaper image includes a short message which directs the targeted users to open that text file.
The prime target companies of the ransomware are from the U.S., Canada, Australia, and New Zealand.
The QakBot, used in the latest campaign by Black Basta ransomware, dated back to 2019 and was highly used in many other ransomware attacks, like Fujifilm Holding Corp in 2020. The prominent factor of QakBot that made it the most used malware by attackers is that once the QakBot gets access to the target’s network, it also creates an entrance for the threat actor to deploy more malware.
In a study of the campaign by Black Basta ransomware, it was observed that the minds behind this campaign are highly advanced and working sophisticatedly. In an attack under this campaign, the malicious actors get access to the domain of the victim’s network within 2 hours, and they can deliver the ransomware in just twelve hours.
The Cybereason sent out a warning to organizations to be aware of and safeguard them from these attacks. There are certain precautionary measures that need to be followed. Firstly, the companies should be aware and avert infections from Black Basta and QakBot, and secondly, Cybereason customers should permit variant payload protection and obstruct vulnerable users and sources.
Additionally, every organization should spot network connections that seem malicious. Resetting Active Directory access is also advised by Cybereason.