Cybersecurity technology company Cybereason Inc. today issued a warning that an aggressive new ransomware campaign from the Black Basta ransomware group is targeting U.S. companies.
Black Basta first emerged in April and is believed to be an offshoot of the infamous Conti ransomware gang, using similar tactics. Black Basta's data leak blogs, payment sites, recovery portals, victim communications and negotiation methods all bear similarities to Conti operations.
The group specifically targets organizations in the anglosphere — the U.S., Canada, U.K., Australia and New Zealand. Black Basta conducts double-tap ransomware attacks, which both encrypt victims' data and steal it. The stolen data is used to extort victims for a ransom payment, with the threat that if the ransom is not paid, the stolen data will be published.
In its latest campaign, Black Basta is using QakBot malware to create an initial point of entry and move laterally within an organization’s network. Also known as QBot or Pinkslipbot, QakBot dates back to 2019 and has been used in ransomware attacks, such as one targeting Fujifilm Holding Corp. in 2020.
Once QakBot has obtained access to a victim’s network, the malware installs a back door allowing the threat actor to drop additional malware. In the latest Black Basta campaign, the additional malware is ransomware.
The Cybereason researchers note that while Black Basta isn't new, its latest campaign is targeting a large number of organizations in an aggressive manner. It uses spear phishing, which involves sending emails from what appears to be a trusted sender to trick people into revealing confidential information.
Observations from the current Black Basta campaign show those behind it moving extremely fast, with cases where the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.
Described as widespread with high severity, Black Basta has been using QakBot to target mostly U.S.-based companies and has acted quickly on any spear phishing victims it has compromised. In the last two weeks alone, the researchers have observed more than 10 different Cybereason customers affected by the campaign.
The warning concludes with various recommendations that companies should consider to prevent Black Basta and QakBot infections. Cybereason customers should enable variant payload protection and block compromised users. All organizations should identify and block malicious network connections, reset Active Directory access and constantly engage in incident response.