Companies in the US have recently found themselves under attack by the Qakbot malware, a campaign leading to numerous infections by Black Basta ransomware.
Black Basta is a ransomware group which first entered the digital waters in April 2022. Positioned as a Ransomware-as-a-Service (RaaS) group, Black Basta have been very busy in the months following their initial detection. Their attack strategy tends to focus on specific targets rather than hitting thousands of targets and hoping that some fall victim. Primarily, Black Basta have been observed to be using malware such as Qakbot and exploits including PrintNightmare to gain an initial point of entry to PC networks. From here, they ratchet up the chaos by installing ransomware.
Due to the financial risk associated with ransomware, it’s crucial your IT infrastructure is on high alert when it comes to the Black Basta attacks.
The Lowdown on Black Basta’s Campaign
At least 10 US-based companies have been attacked by Black Basta’s campaign in the last two weeks, and at the heart of its attack is a double-extortion method. Essentially, this strategy involves taking a standard ransomware attack (encrypting files and demanding a ransom) and adding further weight by threatening to publish the encrypted data on the dark web. Naturally, this is considered a very serious and aggressive threat, but exactly how does Black Basta take control of these networks in the first place? By launching a spear phishing attack, Black Basta is able to deliver a malicious disk image to unsuspecting victims which, if opened, activates Qakbot. This malware is then used to connect to a remote server and distribute Cobalt Strike, a legitimate piece of software which threat actors can use to set up numerous ‘beacons’ on a network. Once these beacons are established, Black Basta begins to steal credentials and launch ransomware attacks on the compromised network. A number of instances have also arisen where users are completely locked out of their network.
How to Protect Against Black Basta
This is far from the first ransomware attack to be launched, but it is considered a significant threat to PC users and the finances of organizations. Therefore, protecting your IT infrastructure against the Black Basta threat actors must be a major priority. As with most ransomware attacks you should be carrying out the following:
- Be aware of social engineering: spear phishing attacks, such as those deployed by Black Basta, are incredibly deceptive and have the potential to hoodwink even the most vigilant employee. However, if your employees are encouraged to always take time to double check emails – e.g. links, uncharacteristic writing styles and unusual requests – then you will reduce your risk of falling victim to spear phishing.
- Make multiple backups of your data: many organizations are forced into paying ransomware demands as it’s the only way to retrieve their valuable data. Backing up your data to multiple sources, however, ensures you have a copy of this data preserved. As a result, you can ignore the hackers’ demands and keep your finances looking healthier.
- Install all updates: attacks similar to Black Basta’s recent campaign are often attributed to software vulnerabilities – such as the PrintNightmare exploit – so it makes sense to make sure all updates are installed as soon as they are available. It may feel like a small step to take, but it provides your IT network with a serious security boost.
For more ways to secure and optimize your business technology, contact your local IT professionals.
