Qakbot Malware Attacks Resurrected By Black Basta Hacker Collective
Qakbot Malware Utilized as a Means of Cyber Extortion in Canada
Qakbot malware and ransomware attacks have soared across the globe as a new hacker group known as “Black Basta” has targeted a number of Canadian corporations. Qakbot (also known as QBot, QuackBot, or Pinkslipbot) has traditionally been deployed against financial institutions and law enforcement agencies, but campaigns now also target grocers, rental car agencies, retail chains, universities, and government agencies. Cyber extortion continues to become increasingly common in Canada, prompting a need for ongoing IT security measures to prevent such incidents.
Qakbot campaigns often begin with a simple phishing email, in which a message that appears to come from a trusted contact asks the recipient to click a hyperlink, open a zip file, or click an embedded image. The malware can then gather information on the target without detection, infect multiple devices, gain network-wide administrative access, and ultimately lead to a ransomware attack. For organizations that are not prepared for such a multi-layered attack, these campaigns can prove especially problematic for the IT professionals tasked with resolving them.
Qakbot Used By Black Basta Cybercriminals Against Canadian Organizations
Qakbot is not a new type of malware, but it has become an increasingly popular tool among a group of hackers whose efforts have grown more aggressive. Qakbot campaigns have multiple layers of complexity: they can perform in-depth reconnaissance and exfiltrate multiple batches of sensitive information to the attackers.
Even when the initial infection lands on a device that doesn’t have full admin privileges, the attackers will conduct “lateral movement,” digging deep into a network, collecting sensitive information, and ultimately attempting to gain full administrative access. The hackers tied to Black Basta have gained a reputation for obtaining such privileges quickly, fully compromising an entire network in less than two hours. They then harvest sensitive employee information including social insurance numbers, trade secrets, or personal details of employees, and later encrypt and use this information as leverage to extort money from the company.
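The rapid fan-out described above, one compromised account reaching many hosts within a short window, is something a defender can look for in authentication logs. The following is an added example, not code from the original post or from Mjolnir Security: it scans constructed logon records and flags any account that successfully authenticates to more distinct hosts than an assumed baseline inside a sliding time window. The event fields, the window length and the threshold are assumptions for illustration.

```python
"""Detect lateral-movement fan-out in authentication events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, account, source_host, dest_host, success).
# One account ("jdoe") touches six remote hosts in about six minutes; the others are benign.
SAMPLE_EVENTS = [
    ("2023-05-01T09:00:10", "jdoe", "WS-101", "WS-101", True),
    ("2023-05-01T09:02:00", "jdoe", "WS-101", "FS-01", True),
    ("2023-05-01T09:04:30", "jdoe", "WS-101", "FS-02", True),
    ("2023-05-01T09:05:15", "jdoe", "WS-101", "WS-117", True),
    ("2023-05-01T09:06:40", "jdoe", "WS-101", "WS-122", True),
    ("2023-05-01T09:07:05", "jdoe", "WS-101", "DC-01", True),
    ("2023-05-01T09:08:20", "jdoe", "WS-101", "WS-130", True),
    ("2023-05-01T10:15:00", "asmith", "WS-204", "FS-01", True),
    ("2023-05-01T13:40:00", "asmith", "WS-204", "PRINT-01", True),
    ("2023-05-01T09:03:00", "svc_backup", "BK-01", "FS-01", False),
]

WINDOW = timedelta(minutes=30)   # assumed: look at any 30-minute span
MAX_DISTINCT_HOSTS = 5           # assumed baseline; tune per environment


def parse_events(rows):
    """Parse ISO timestamps and return events sorted by time."""
    parsed = [(datetime.fromisoformat(ts), acct, src, dst, ok)
              for ts, acct, src, dst, ok in rows]
    return sorted(parsed, key=lambda e: e[0])


def fanout_alerts(rows, window=WINDOW, max_hosts=MAX_DISTINCT_HOSTS):
    """Return {account: set_of_destination_hosts} for every account that
    successfully logged on to more than `max_hosts` distinct remote hosts
    within any `window`-long span. Failed logons and local logons are ignored."""
    events = parse_events(rows)
    by_account = defaultdict(list)
    for ts, acct, src, dst, ok in events:
        if ok and dst != src:          # only successful remote logons count
            by_account[acct].append((ts, dst))

    alerts = {}
    for acct, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            # advance the window start until the span fits inside `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[acct] = hosts
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in fanout_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(hosts)} hosts in {WINDOW}: {sorted(hosts)}")
```

Only successful remote logons are counted, so a noisy service account with repeated failures does not trigger the rule; in production the baseline would come from each account's normal host footprint rather than a fixed constant.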
Qakbot Campaigns Could Lead to Complex Cyber Extortion Attempts
After systems have been fully compromised, targets may receive a notification that their systems are under the control of the Black Basta group. Sometimes computers across the infected network will show a new wallpaper notifying the company of the attack, with directions to pay a ransom located in a readme or text file.
Files across the network are likely to be encrypted and inaccessible to all users. Targets are usually asked to pay a large ransom to decrypt their data or face a number of extortion attempts. Black Basta has been known to threaten the release of sensitive data on the dark web in an effort to negotiate ransoms, often releasing embarrassing personal information about targeted executives.
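The two symptoms just described, files across a share becoming inaccessible and a readme or text file appearing with payment directions, can be turned into a file-server detection. The following is an added example, not code from the original post or from Mjolnir Security: it runs over constructed file-system change events and flags directories where many files were renamed to a new shared extension, raising the severity when a ransom-note-like text file appears in the same directory. The event format, the note-name pattern and the rename threshold are assumptions for illustration.

```python
"""Flag ransomware-style mass encryption from file-system change events (added example)."""
from collections import defaultdict
import os
import re

# Constructed sample events: (action, path). Rename events carry "old -> new".
# "finance" and "legal" show appended-extension renames; "photos" is a benign
# bulk extension change (.jpeg -> .jpg) that must not be flagged.
SAMPLE_FS_EVENTS = [
    ("rename", "/srv/share/finance/q1.xlsx -> /srv/share/finance/q1.xlsx.locked"),
    ("rename", "/srv/share/finance/q2.xlsx -> /srv/share/finance/q2.xlsx.locked"),
    ("rename", "/srv/share/finance/budget.docx -> /srv/share/finance/budget.docx.locked"),
    ("rename", "/srv/share/finance/payroll.csv -> /srv/share/finance/payroll.csv.locked"),
    ("rename", "/srv/share/finance/audit.pdf -> /srv/share/finance/audit.pdf.locked"),
    ("rename", "/srv/share/finance/taxes.pdf -> /srv/share/finance/taxes.pdf.locked"),
    ("create", "/srv/share/finance/README_TO_RESTORE.txt"),
    ("modify", "/srv/share/finance/q1.xlsx.locked"),
    ("rename", "/srv/share/legal/c1.docx -> /srv/share/legal/c1.docx.locked"),
    ("rename", "/srv/share/legal/c2.docx -> /srv/share/legal/c2.docx.locked"),
    ("rename", "/srv/share/legal/c3.docx -> /srv/share/legal/c3.docx.locked"),
    ("rename", "/srv/share/legal/c4.docx -> /srv/share/legal/c4.docx.locked"),
    ("rename", "/srv/share/legal/c5.docx -> /srv/share/legal/c5.docx.locked"),
    ("rename", "/srv/share/photos/img1.jpeg -> /srv/share/photos/img1.jpg"),
    ("rename", "/srv/share/photos/img2.jpeg -> /srv/share/photos/img2.jpg"),
    ("rename", "/srv/share/photos/img3.jpeg -> /srv/share/photos/img3.jpg"),
    ("rename", "/srv/share/photos/img4.jpeg -> /srv/share/photos/img4.jpg"),
    ("rename", "/srv/share/photos/img5.jpeg -> /srv/share/photos/img5.jpg"),
    ("rename", "/srv/share/photos/img6.jpeg -> /srv/share/photos/img6.jpg"),
    ("create", "/srv/share/photos/notes.txt"),
]

# Assumed note-name heuristic: a .txt file whose name starts with a recovery-style word.
NOTE_PATTERN = re.compile(r"^(readme|how_to|recover|decrypt|restore)[\w.-]*\.txt$", re.I)
MIN_RENAMES = 5  # assumed: this many appended-extension renames in one directory


def appended_extension(old, new):
    """Return the extension appended by a rename (e.g. 'locked' for
    q1.xlsx -> q1.xlsx.locked), or None when the rename did something else."""
    if new.startswith(old + "."):
        ext = new[len(old) + 1:]
        if ext and "/" not in ext:
            return ext
    return None


def impact_alerts(events, min_renames=MIN_RENAMES):
    """Return {directory: {"ext", "renamed", "note", "severity"}} for directories
    with at least `min_renames` files renamed to one new appended extension.
    Severity is "high" when a note-like text file was also created there."""
    renames = defaultdict(lambda: defaultdict(int))   # dir -> ext -> count
    notes = {}                                         # dir -> note path
    for action, path in events:
        if action == "rename":
            old, new = (p.strip() for p in path.split("->", 1))
            ext = appended_extension(old, new)
            if ext:
                renames[os.path.dirname(new)][ext] += 1
        elif action == "create":
            directory, name = os.path.dirname(path), os.path.basename(path)
            if NOTE_PATTERN.match(name):
                notes[directory] = path

    alerts = {}
    for directory, by_ext in renames.items():
        ext, count = max(by_ext.items(), key=lambda kv: kv[1])
        if count >= min_renames:
            note = notes.get(directory)
            alerts[directory] = {"ext": ext, "renamed": count, "note": note,
                                 "severity": "high" if note else "medium"}
    return alerts


if __name__ == "__main__":
    for directory, info in impact_alerts(SAMPLE_FS_EVENTS).items():
        print(f"{info['severity'].upper()} {directory}: {info['renamed']} files -> .{info['ext']}"
              f"{', note ' + info['note'] if info['note'] else ''}")
```

Counting only renames that append a new extension is what keeps the benign `.jpeg` to `.jpg` batch out of the results; a real deployment would additionally watch for the wallpaper change the text mentions and for a high write rate to the renamed files.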
Qakbot Ransomware May Prove to Be Untraceable
In one case, Black Basta released a portion of a corporation’s data on the Tor network in an attempt to intimidate the corporation into paying its ransom. Ultimately, there is no guarantee that the attackers will return corporate data to their targets, and they could destroy the encrypted data forever, even after a ransom is paid. Local law enforcement is often unable to address such cyber attacks, as the attackers typically demand that the ransom be paid in cryptocurrency that cannot be tracked.
Qakbot Solutions Offered By Mjolnir Security
Preventing a Qakbot attack requires an organizational approach to cyber security along with extensive training of your IT professionals. If your organization is experiencing a Qakbot attack, or is faced with a ransomware or cyber extortion attempt, Mjolnir Security can work alongside senior leadership teams to explore your options and help recover sensitive data.
Further, Mjolnir Security can help train your IT professionals on how to respond to such attacks in a controlled environment. The best way to prepare for ransomware or Qakbot attacks is to experience one in real time. Mjolnir Security teaches corporate IT professionals the finer points of such attacks by simulating an attack in a digital environment, so that they learn by example. Contact Mjolnir Security directly to learn more about resources available to Canadian corporate entities that are either experiencing a Qakbot ransomware attempt or looking to explore preventative measures.
Mjolnir Security’s experts have been tracking the rise of Qakbot in Canada
The bar chart above shows all the malware families we have identified impacting Canadian organizations in the past month. After the explosive rise of Emotet, we now see a rise in daily Qakbot infections. It is important to note that Brute Ratel C4 infections and CobaltStrike/Metasploit usage have also been rising on a steady basis.