Watching Black Basta Ransomware & Qakbot
Black Basta Ransomware & Qakbot
Since its emergence in April 2022, the Black Basta ransomware group has continued to draw the attention of the security community because of its ties to the Conti ransomware operation. NCC Group observed the tactics, techniques, and procedures used by Black Basta during an incident response engagement. The group was found to leverage Qakbot malware for lateral movement, launching it on the target host from a temporary service that used regsvr32 to execute the Qakbot DLL. Further lateral movement and defense evasion involved enabling RDP, modifying firewall rules, and disabling Windows Defender. The operators also relied on Cobalt Strike beacons and carried out reconnaissance to identify all hosts on the network before spreading the ransomware. In the final stage of the attack, they launched an encoded PowerShell command from a domain controller that spread the ransomware across the network with WMI (Windows Management Instrumentation), iterating through the list of IP addresses identified during reconnaissance.
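One way to turn the stages above into detection logic, as an added example that is not part of the NCC Group report: a small Python scanner over constructed service-install (7045) and process-creation (4688) events that flags the regsvr32-backed temporary service, the RDP firewall rule, the Defender change, and an -EncodedCommand PowerShell launch whose decoded payload calls WMI. The event shape, host names, file paths and the encoded script are all constructed for the demonstration.

```python
import base64
import re

# Constructed stand-in for the "encoded PowerShell from a domain controller" stage:
# a WMI loop over a host list. Not the real Black Basta script, only the shape a
# detection must recognise once the -EncodedCommand payload is decoded.
SPREAD_SCRIPT = ("foreach ($ip in Get-Content C:\\hosts.txt) { Invoke-WmiMethod "
                 "-ComputerName $ip -Class Win32_Process -Name Create "
                 "-ArgumentList 'PLACEHOLDER.exe' }")
ENC = base64.b64encode(SPREAD_SCRIPT.encode("utf-16-le")).decode()

# Constructed events in a simplified Windows-event shape (7045 = service installed,
# 4688 = process created). Not telemetry from the NCC Group engagement.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS01", "ImagePath": r"regsvr32.exe /s C:\Users\Public\tmp.dll"},
    {"id": 4688, "host": "DC01", "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + ENC},
    {"id": 4688, "host": "WS02", "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"id": 4688, "host": "WS02", "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4688, "host": "WS03", "CommandLine": r"notepad.exe C:\readme.txt"},
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script when cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Map one event to the attack stage it resembles, or None if it looks benign."""
    if event["id"] == 7045 and re.search(r"regsvr32(\.exe)?\b.*\.dll", event.get("ImagePath", ""), re.I):
        return "qakbot_service_regsvr32"
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if "advfirewall" in low and "3389" in low:
        return "rdp_firewall_rule"
    if "set-mppreference" in low and "-disable" in low:
        return "defender_disabled"
    decoded = decode_encoded_command(cmd)
    if decoded and re.search(r"invoke-wmimethod|win32_process|\bwmic\b", decoded, re.I):
        return "wmi_ransomware_spread"
    return None


def scan(events):
    """Return (host, stage) pairs for every event that matches a stage, in input order."""
    return [(e["host"], stage) for e in events for stage in [classify(e)] if stage]


if __name__ == "__main__":
    for host, stage in scan(SAMPLE_EVENTS):
        print(f"{host}: {stage}")
```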