2022-06-14

Watching Black Basta Ransomware & Qakbot

Industry: N/A | Level: Tactical | Source: NCC Group

Since its emergence in April 2022, the Black Basta ransomware group has continued to draw the eyes of the security community given the group's ties to Conti ransomware. NCC Group observed the tactics, techniques, and procedures used by Black Basta during an incident response engagement. The group leverages Qakbot malware for lateral movement, launching it on the host from a temporary service and using regsvr32 to execute the Qakbot DLL. Further lateral movement and defense evasion techniques involved enabling RDP, modifying firewall rules, and disabling Windows Defender. Operators also relied on Cobalt Strike beacons and carried out reconnaissance to identify all hosts on the network before spreading the ransomware. In the final stage of the attack, the attackers launched an encoded PowerShell command from a domain controller that spread the ransomware throughout the network with WMI (Windows Management Instrumentation), iterating through the list of IP addresses identified during reconnaissance.

Anvilogic Use Cases:

  • Encoded PowerShell Command
  • RDP Enabled
  • Remote Admin Tools
  • Modify Group Policy
  • regsvr32 Execution
  • Windows Firewall Rule Creation
  • Modify Windows Defender
  • Windows Defender Disabled Detection
  • Cobalt Strike Beacon
  • WinRM Tools
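As an added illustration of how several of the use cases above map onto endpoint telemetry (example code written for this page, not an Anvilogic or NCC Group detection), the following Python triage function applies the encoded-PowerShell, regsvr32, firewall-rule, RDP and Defender checks to constructed Sysmon-style process-creation events. Hostnames, paths and command lines are constructed, and the "Remote WMI Execution" tag is a derived label that is not on the list above.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (hypothetical, not NCC Group telemetry).
SAMPLE_EVENTS = [
    {"host": "DC01", "parent": "WmiPrvSE.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Start-Process C:\\Temp\\sample.exe".encode("utf-16-le")).decode()},
    {"host": "WS07", "parent": "services.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\Public\\qb.dll"},
    {"host": "WS07", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=RDP dir=in action=allow protocol=TCP localport=3389"},
    {"host": "WS07", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS07", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_PS = re.compile(r"(?i)\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_ps(cmdline):
    # Decode the -EncodedCommand payload for analyst context; None when absent or malformed.
    m = ENC_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    """Return the use-case names that one process-creation event matches."""
    hits, cmd, img = [], ev["cmdline"], ev["image"].lower()
    if img == "powershell.exe" and decode_encoded_ps(cmd) is not None:
        hits.append("Encoded PowerShell Command")
        if ev["parent"].lower() == "wmiprvse.exe":  # launched remotely over WMI, as in the DC-driven spread
            hits.append("Remote WMI Execution")      # derived tag, not on the page's list
    if img == "regsvr32.exe" and ".dll" in cmd.lower() and "\\windows\\system32\\" not in cmd.lower():
        hits.append("regsvr32 Execution")  # DLL loaded from outside System32, e.g. a dropped loader
    if img == "netsh.exe" and "advfirewall firewall add rule" in cmd.lower():
        hits.append("Windows Firewall Rule Creation")
    if "fdenytsconnections" in cmd.lower() and re.search(r"/d\s+0\b", cmd):
        hits.append("RDP Enabled")
    if re.search(r"(?i)Set-MpPreference\s+-Disable", cmd):
        hits.append("Modify Windows Defender")
    return hits

def triage(events):
    return [(ev["host"], h) for ev in events for h in classify(ev)]
```

Running `triage(SAMPLE_EVENTS)` yields one (host, use case) pair per match, so the DC01 event surfaces both the encoded command and its WMI parent while the WS07 events cover the defense-evasion steps.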
