Ransomware and Malware Combine as Qbot Basta
Table of Contents
- By Patrick Ryan
- Jun 13, 2022
Qbot, a powerful form of malware, is now being used by Black Basta ransomware attackers to create a whole that is greater than the sum of its parts. The resulting trojan is unique in that it continues to evolve as time progresses, pivoting laterally when necessary to evade safeguards.
How Did the Malware and Ransomware Combine?
Black Basta ransomware is a relatively new digital threat.
The ransomware has captured the Qbot malware even though it has been around for over a decade. The purpose of the Black Basta malware absorbing the malware variant is to enhance persistence on the network during aggression.
The malware, also known as Quakbot, ultimately allowed the ransomware group to make a lateral move on a network that had been compromised. The details of the attack were recently revealed by NCC Group, an online security business.
What is Qbot All About?
Qbot hit the scene in 2008 to steal information from Windows through the exfiltration of data and keylogging. Qbot was even advanced to the point that it could steal details directly from online banking accounts. Qbot has since evolved into a complex form of malware that evades detection and is partially aware of the context in which it operates. Qbot is even advanced to the point that it is designed with the ability to phish with e-mail hijacks.
Why Should Businesses be Aware of Black Basta?
Black Basta performs ransomware aggressions through double-extortion techniques. First, the data is exfiltrated off the network in question before the deployment of ransomware. The ransomware hackers then issue a threat in which they insist they will leak the data to a Tor site.
Why is the Combination of Qbot and Black Basta Meaningful?
Though ransomware attackers have used Qbot to infiltrate networks in the past, the manner in which Black Basta is using ransomware is somewhat idiosyncratic. The collaboration between the two set the stage for compromising two domain controllers with lists of internalized IP addresses of the network systems. The purpose was to provide the attacker with an IP address list to zero in on when the ransomware was deployed.
The ransomware attackers obtained access to the network, generated the necessary .exe file, employed Qbot to form a temporary service along with a target host remotely, then configured it to run the Quakbot ELL. Black Basta also relied on batch file deployment with command lines for RDP logins. The digital criminals then started remote desktop sessions on hosts that had been compromised.
Black Basta creates RDP sessions, altering the configurations and using Windows Management Instrumentation to move the ransomware out. The group disables Windows Defender with the deployment of the batch script to implement PowerShell commands, spurring alterations to the Windows Registry. The deployment of Black Basta ransomware does not fully encrypt the file. Instead, the file is only partially encrypted to boost the efficacy and speed of encryption. The extension is altered to “.basta” after encryption.