
Qakbot Malware Used By Black Basta In Series of Ransomware Attacks

News + Malware + Ransomware + APT + Threat Intelligence + Breach + Cyber security + Cybercrime | Mjolnir Security | November 28, 2022

Qakbot Malware Attacks Resurrected By Black Basta Hacker Collective

Qakbot Malware Utilized as a Means of Cyber Extortion in Canada

Qakbot malware and ransomware attacks have soared across the globe as a new hacker group known as “Black Basta” has targeted a number of Canadian corporations. Qakbot ransomware, sometimes referred to as QBot, QuackBot, or Pinkslipbot, has traditionally been deployed against financial institutions and law enforcement agencies, but attacks now also target grocers, rental car agencies, retail chains, universities, and government agencies. Cyber extortion continues to become increasingly common in Canada, prompting a need for ongoing IT security measures to prevent such incidents.

Qakbot campaigns often begin with a simple email phishing attempt, in which what appears to be a trusted contact asks the recipient to click a hyperlink, open a zip file, or click on an embedded image. The malware can then gather information on the target without detection, infect multiple devices, gain network-wide administrative access, and ultimately lead to a ransomware attack. For organizations that are not prepared for such a multi-layered attack, these campaigns can prove especially problematic for the IT professionals tasked with resolving them.

Qakbot Used By Black Basta Cybercriminals Against Canadian Organizations

Qakbot is not a new type of malware, but it has become a popular tool among a group of hackers who have grown increasingly aggressive in their efforts. Qakbot campaigns have multiple layers of complexity: they can perform in-depth reconnaissance and deliver multiple payloads of sensitive information to bad actors.

Even when the initial infection occurs on a device that doesn’t have full admin privileges, hackers will conduct “lateral movements,” digging deep into a network, collecting sensitive information, and ultimately attempting to gain full administrative access. The hackers that have been tied to Black Basta have gained a reputation for quickly obtaining such privileges, fully compromising an entire network in less than two hours. Hackers will then harvest sensitive information, including social insurance numbers, trade secrets, or personal details of employees, and later encrypt this information and use it as leverage to extort money from the company.

Qakbot Campaigns Could Lead to Complex Cyber Extortion Attempts

After systems have been fully compromised, targets may receive a notification that their entire systems are under the control of the Black Basta group. Sometimes computers across the infected network will show a new wallpaper notifying the company of the attack, with directions to pay a ransom located in a readme or text file.

Files across the network are likely to be encrypted and inaccessible to all users. Targets are usually asked to pay a large ransom in order to decrypt their data or face a number of extortion attempts. Black Basta has been known to threaten the release of sensitive data on the dark web in an effort to negotiate ransoms, often releasing embarrassing sensitive personal information on targeted executives.

Qakbot Ransomware May Prove to Be Untraceable

In one case, Black Basta released a portion of a corporation’s data on the Tor network as a means of intimidating the corporation into paying its ransom. Ultimately, there are no guarantees that hackers will return corporate data to their targets, and they could destroy encrypted data forever, even after a ransom is paid. Local law enforcement is likely unable to address such cyber attacks, as hackers often request that their ransom be paid through a cryptocurrency exchange that simply cannot be tracked.

Qakbot Solutions Offered By Mjolnir Security

Preventing a Qakbot attack requires an organizational approach to cyber security along with extensive training of your IT professionals. Should your organization be experiencing a Qakbot attack or be faced with a ransomware or cyber extortion attempt, Mjolnir Security can work alongside your senior leadership team to explore your options and help to recover sensitive data.

Further, Mjolnir Security can help train your IT professionals on how to respond to such attacks in a controlled environment. The best way to prepare for ransomware or Qakbot attacks is to experience one in real-time. Mjolnir Security has the means of teaching corporate IT professionals the finer points of such attacks, simulating an attack in a digital environment that helps IT professionals learn by example. Contact Mjolnir Security directly to learn more about resources available to Canadian corporate entities who are either experiencing a Qakbot ransomware attempt or are looking to explore preventative measures.

Mjolnir Security’s experts have been tracking the rise of Qakbot in Canada

The bar chart above shows all the malware we have identified impacting Canadian organizations in the past month. After the explosive rise of Emotet, we now see a rise in daily Qakbot infections. It is important to note that Brute Ratel C4 infections and CobaltStrike/Metasploit usage have also been rising on a steady basis.

Concerned that you might be a victim, or that these threats may impact you? Reach out to us.

Written by: Mjolnir Security
