Black Basta ransomware now spreads with the help of Qbot malware

QBot malware pushes ransomware using bot-powered operations

QBot malware spreads ransomware via network shares and drives

Black Basta ransomware can now be spread laterally through affected corporate environments. The ransomware is now capable of evading detection by disabling Windows Defender and deleting backups. The particular Windows malware – QBot particularly is used to infect machines and steal bank information and domain credentials.^[1]

It also can be used to infect a machine directly or open the door to further infect the machine with other malware payloads. Now the infection spreads via phishing email attacks and during these campaigns delivers the malware that is locking files and asking for payments from victims.^[2]

The malware started as a banking trojan, but criminal groups collaborated and used the threat to spread ransomware threats like MegaCortex, DopplePaymer, and Egregor.^[3] Researchers reported that the new Black Basta file locker attacks rely on lateral movement through the use of this QBot malware and other features allowing the threat to evade detection and reverse engineering.

The ransomware Black Basta seems to be a threat that can evolve and change negotiation methods, evolve depending on the particular victim. That shows that this is not a fully new threat, but a ransomware gang that rebranded previous malware and released new campaigns.

A collaboration between QBot and another ransomware gang

Black Basta ransomware is a threat known for a few months now.^[4] The threat gang quickly jumped into these malicious operations right away, and it managed to breach twelve companies in a couple of weeks. The initial version of the ransomware emerged in April, and these operations were redirected to ai at various global companies.

QBot commonly is used for initial access, but this gang uses this malware to spread laterally throughout the network. Malware remotely creates the temporary services on the targeted host and configures it to launch the DLL. Once the malware is running, it can deploy malware in network shares and drives, brute-force accounts, use SMB file-sharing protocol to create duplicates of the virus, and spread via default admin shares using user credentials.

Additional improvements to these new campaigns include disabling Windows Defender on the affected machine. Black Basta ransomware now has some characteristics that allow modifying the wallpaper icon, and deleting shadow copies to prevent easy file recovery when data is marked with .basta appendix. Disabling Windows Defender minimizes the chances of failed encryption and extortion processes.

A new tradition among ransomware: double extortion

The ransomware is a file-locker that tries to make money by asking for direct payment from victims. Since these threat actors demand money from companies, the ransom amount mainly depends on the size of the company, but the common size of the demanded sum is $2 million. Criminals claim that once the victim pays up the affected data can be recovered, and data will not get leaked online.

The infection is focused on getting profit for creators, so the malware steals data before encoding those commonly used or valuable files on the targeted machine. Black Basta ransomware steals various files linked to the corporate entities that can include private or sensitive details. Then the threat encodes devices using encryption algorithms.

This is a common tactic used by various other ransomware groups.^[5] The double-extortion method ensure that threat actors get money from victims no matter what. The random is demanded the alleged decryption tool and for the promise that data that got stolen at the first stage will not get published.