QBot, aka Qakbot, has been around since 2007, while its companion, a threat actor group tagged Black Basta, first surfaced just a few months ago – in April 2022. According to the latest insights into the partnership between Qakbot and Black Basta, the latter uses this modular information stealer to move through the compromised environment and maintain persistence, with lateral movement as the core tactic of this campaign. Evidence indicates that the threat actor deployed Cobalt Strike beacons on the victim machines.
To detect Black Basta malicious activity that could compromise your network, utilize the following set of Sigma rules available in SOC Prime’s Detection as Code Platform:
Non-registered users can browse through the collection of Sigma rules available via Cyber Threat Search Engine. Press the Drill Down to Search Engine button to access a one-stop shop for free SOC content.
Registered security professionals can leverage the full potential of the world’s largest and most advanced platform for collaborative cyber defense. Press the View in SOC Prime Platform button to access an exhaustive collection of the most up-to-date rules to detect ransomware infiltration.
A prolific ransomware group known under the moniker Black Basta demonstrates an eagerness to conquer new horizons in the cyber offense terrain, adopting new malware tools and hacking techniques. Despite being a novice in the field of ransomware attacks, they have already made their name in high-dollar crimes, launching double-extortion attacks worldwide.
NCC Group’s researchers reported a recent collaboration between Black Basta and QBot. The banking trojan, often referred to as a Swiss Army knife of malware for its impressive versatility in malicious operations, is frequently leveraged as a dropper in ransomware attacks. Black Basta adversaries used it primarily for its ability to move laterally within a compromised environment, with the goal of dropping the ransomware executables onto all hosts within the compromised network. The current data indicates that within the latest campaign, adversaries kill Windows Defender’s processes on compromised devices.
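As an added example (not one of SOC Prime’s Sigma rules and not code from the report), the detection idea for the Defender-termination behaviour described above, written as Python logic run over constructed Sysmon-style process-creation events. The Defender process and service names (MsMpEng, NisSrv, WinDefend), the tool list and the sample events are assumptions chosen for illustration.

```python
import os
import re
from typing import Optional

# (image basename regex, command-line regex), both matched case-insensitively.
# Assumption for illustration: MsMpEng/NisSrv are Defender engine processes,
# WinDefend is the Defender service name, and these are the usual kill tools.
KILL_PATTERNS = [
    (r"^taskkill\.exe$", r"/im\s+\"?(msmpeng|nissrv)(\.exe)?\b"),
    (r"^(powershell|pwsh)\.exe$", r"\b(stop-process|spps|kill)\b.*\b(msmpeng|nissrv)\b"),
    (r"^(sc|net)\.exe$", r"\bstop\b.*\bwindefend\b"),
]

# Constructed Sysmon EventID 1 (process creation) events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Stop-Process -Name MsMpEng -Force"'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"Image": r"C:\Windows\System32\taskkill.exe",          # benign: other process
     "CommandLine": "taskkill /F /IM notepad.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process MsMpEng"},       # benign: only enumerates
]


def detect_defender_kill(event: dict) -> Optional[str]:
    """Return a reason string if the event tries to stop Windows Defender, else None."""
    # Normalise the Windows path so basename() works on any host OS.
    image = os.path.basename(event.get("Image", "").replace("\\", "/"))
    cmd = event.get("CommandLine", "")
    for image_re, cmd_re in KILL_PATTERNS:
        if re.search(image_re, image, re.I) and re.search(cmd_re, cmd, re.I):
            return f"{image} attempted to stop Windows Defender: {cmd}"
    return None


def scan(events: list) -> list:
    """Return (index, reason) pairs for every matching event."""
    hits = []
    for i, event in enumerate(events):
        reason = detect_defender_kill(event)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The same three conditions (kill tool as the image, a stop verb, and a Defender name in the command line) map directly onto a Sigma process_creation rule’s selection block.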
Eager to learn more about enhancing your security countermeasures? Join SOC Prime’s Platform to unlock access to the world’s largest pool of detection content created by the industry leaders and drive efficiency in your security ecosystem. SOC Prime, headquartered in Boston, US, is powered by an international team of seasoned experts dedicated to enabling collaborative cyber defense.