Black Basta Ransomware Resurgence
Cybersecurity researchers have uncovered a recent resurgence of attacks involving Qakbot, an information-stealing and banking trojan, delivered through tactics such as phishing emails carrying weaponized links to ZIP archives. Once inside, the threat actors use tools like Brute Ratel and Cobalt Strike for lateral movement within the compromised environment.
While Qakbot has been active since 2007, its modular design now allows it to act as a downloader for additional malware. Its operators have adapted their delivery tactics since Microsoft began blocking macros by default in documents downloaded from the web. These attacks have been linked to the Black Basta ransomware group through overlapping techniques and infrastructure.
The goal of these attacks appears to be domain-wide ransomware deployment. The resurgence of Qakbot attacks includes techniques such as HTML file attachments, DLL side-loading, and email thread hijacking, with the hijacked emails harvested from successful ProxyLogon attacks on Microsoft Exchange servers. Now, in 2023, the attackers have evolved to multiple intrusion vectors: credential stuffing, phishing, and remote desktop protocol exploitation.
Black Basta ransomware, which emerged in April 2022, has been targeting prominent organizations in Europe and North America, including the outsourcing, technology, and manufacturing sectors. It is suspected to have ties to former Conti ransomware members and the Fin7 threat actor. Black Basta operates as a Ransomware-as-a-Service, offering tools and support to its affiliates. It steals data for double extortion and has expanded its targeting from Windows to ESXi systems. It employs various infection methods, exploits vulnerabilities, and uses strong encryption. The ransomware has affected over 200 organizations, primarily in the United States, with a significant portion having had their data exposed publicly.
In one of its most recent attacks, Black Basta ransomware struck prominent organizations in Europe and North America. ABB, a Swiss technology multinational and U.S. government contractor, was attacked on May 7th, 2023, significantly affecting its factories through operational disruption and project delays. While ABB did not confirm the name of the group, highly placed sources point to Black Basta because the attack bears the imprint of its known techniques. Similarly, arms maker Rheinmetall reported that it was attacked with similar patterns.
The impact of the Black Basta ransomware on organizations can be significant. It can lead to financial losses due to ransom payments and potential legal consequences. Additionally, the exposure of sensitive data to the public can result in reputational damage, loss of customer trust, and potential regulatory penalties.
The Black Basta ransomware's targeted attacks on prominent organizations, along with its use of double extortion tactics and exposure of stolen data, will likely have several significant impacts on affected organizations. These include reputational damage, financial losses from ransom payments, and costs associated with data breaches and cybersecurity measures to prevent future attacks. Additionally, the ransomware's association with other threat actors and the utilization of advanced techniques like spear-phishing and exploiting vulnerabilities may raise concerns about the evolving and collaborative nature of cyber threats.
How should organizations approach countering a Black Basta attack on their enterprise? Users can thwart Qakbot variants and other threats that spread through email by following these known best practices:
There are several recommendations that organizations can follow to protect themselves from ransomware attacks:
Engage cybersecurity expert partners who have experience fighting multi-vector attacks, a strong global presence, and the technical know-how to develop and implement an incident response plan for a ransomware attack. This plan should include steps for containment, eradication, recovery, and lessons learned.
Tata Communications security experts can help you protect your organization from ransomware attacks and guide you on how to respond effectively if an attack does occur. Speak to an expert now!