Qakbot Malware Used By Black Basta In Series of Ransomware Attacks

Threat Intelligence, Breach, Cyber security, Cybercrime, News, Malware, Ransomware, APT | Mjolnir Security | November 28, 2022


Qakbot Malware Attacks Resurrected By Black Basta Hacker Collective

Qakbot Malware Utilized as a Means of Cyber Extortion in Canada

Qakbot malware and ransomware attacks have soared across the globe as a new hacker group known as “Black Basta” has targeted a number of Canadian corporations. Qakbot, sometimes referred to as QBot, QuackBot, or Pinkslipbot, has traditionally been deployed against financial institutions and law enforcement agencies, but campaigns now also target grocers, rental car agencies, retail chains, universities, and government agencies. Cyber extortion continues to grow more common in Canada, prompting a need for ongoing IT security measures to prevent such incidents.

Qakbot campaigns often begin with a simple phishing email in which what appears to be a trusted contact asks the recipient to click a hyperlink, open a zip file, or click an embedded image. The malware can then gather information on the target without detection, infect multiple devices, gain network-wide administrative access, and ultimately lead to a ransomware attack. For organizations that are not prepared for such a multi-layered attack, these campaigns can prove especially problematic for the IT professionals tasked with resolving them.

Qakbot Used By Black Basta Cybercriminals Against Canadian Organizations

Qakbot is not a new type of malware, but it has become an increasingly popular tool among a group of hackers who have grown more aggressive in their efforts. Qakbot campaigns have multiple layers of complexity: they can perform in-depth reconnaissance and exfiltrate multiple batches of sensitive information to bad actors.

Even when the initial infection occurs on a device that does not have full admin privileges, hackers will conduct “lateral movement,” digging deep into a network, collecting sensitive information, and ultimately attempting to gain full administrative access. The hackers tied to Black Basta have gained a reputation for quickly obtaining such privileges, fully compromising an entire network in less than two hours. They will then harvest sensitive employee information, including social insurance numbers, trade secrets, or personal details of employees, and later encrypt and use this information as leverage to extort money from the company.

Qakbot Campaigns Could Lead to Complex Cyber Extortion Attempts

After systems have been fully compromised, targets may receive a notification that their systems are under the control of the Black Basta group. Sometimes computers across the infected network will display a new wallpaper notifying the company of the attack, with directions for paying the ransom located in a readme or text file.

Files across the network are likely to be encrypted and inaccessible to all users. Targets are usually instructed to pay a large ransom to decrypt their data or face a series of extortion attempts. Black Basta has been known to threaten to release sensitive data on the dark web to pressure ransom negotiations, often publishing embarrassing personal information about targeted executives.

Qakbot Ransomware May Prove to Be Untraceable

In one case, Black Basta released a portion of a corporation’s data on the Tor network in an attempt to intimidate the corporation into paying its ransom. Ultimately, there is no guarantee that hackers will return corporate data to their targets, and they could destroy the encrypted data forever, even after a ransom is paid. Local law enforcement is often unable to address such cyber attacks because hackers request that the ransom be paid in cryptocurrency that cannot be tracked.

Qakbot Solutions Offered By Mjolnir Security

Preventing a Qakbot attack requires an organizational approach to cyber security along with extensive training of your IT professionals. Should your organization be experiencing a Qakbot attack or be faced with a ransomware or cyber extortion attempt, Mjolnir Security can work alongside senior leadership teams to explore your options and help recover sensitive data.

Further, Mjolnir Security can help train your IT professionals on how to respond to such attacks in a controlled environment. The best way to prepare for ransomware or Qakbot attacks is to experience one in real time. Mjolnir Security teaches corporate IT professionals the finer points of such attacks by simulating an attack in a digital environment, helping them learn by example. Contact Mjolnir Security directly to learn more about resources available to Canadian corporate entities that are either experiencing a Qakbot ransomware attempt or looking to explore preventative measures.

Mjolnir Security’s experts have been tracking the rise of Qakbot in Canada

The bar chart above shows all the malware families we have identified impacting Canadian organizations in the past month. After the explosive rise of Emotet, we now see a rise in daily Qakbot infections. It is important to note that Brute Ratel C4 infections and CobaltStrike/Metasploit usage have also been rising steadily.

Concerned that you might be a victim, or that these threats may impact you? Reach out to us.

Written by: Mjolnir Security
