Rewterz Threat Update – Russian-Linked RansomBoggs Ransomware Targeted Several Ukrainian Organizations
November 29, 2022
Severity
High
Analysis Summary
The Black Basta ransomware gang has been observed aggressively using QakBot malware in a campaign targeting primarily US-based companies.
“In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.”
Black Basta is a relatively new ransomware that encrypts data stored on victims’ hard drives. It has been active since April 2022 and employs a double-extortion technique. In July 2022, the group added a new Black Basta strain that encrypts VMware ESXi virtual machines (VMs) running on Linux servers. Researchers have reported similar ESXi encryptors from a number of other groups, including LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive.
Like other Linux encryptors, the Black Basta ransomware binary searches for the /vmfs/volumes directory, where virtual machines are stored on the compromised ESXi server; if no such folder is found, the ransomware exits.
In its most recent operation, the Black Basta ransomware gang is using QakBot malware to establish an initial point of entry and move laterally within an organization’s network.
QBot, also known as QakBot, is modular information-stealing malware that has been operational since 2007. Originally a banking Trojan, QakBot steals financial data from infected systems and also acts as a loader, using C2 servers to select and download follow-on payloads. QakBot can propagate to other computers on the same network, mask its presence, and establish persistence on infected hosts.
After successfully infecting an environment, QakBot installs a backdoor that allows the threat actor to release additional malware, specifically ransomware.
In the recent campaign, the attack chain starts with a spear-phishing email that contains a malicious disk image file. When this file is viewed, it launches Qbot, which in turn establishes a connection with a remote server to download the Cobalt Strike payload.
More than 10 different clients have been observed to be impacted by this latest campaign in the past two weeks.
“The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours,”
Researchers discovered two instances in which the intrusions not only deployed the ransomware but also locked the victims out of their networks by disabling the DNS service, in a bid to make recovery harder. File names associated with the campaign include fwpolicyiomgr.dll, Aficionado.tmp (the Qbot loader), plugin_payload54.dll, Plugin_payload55.dll, and cob_54.dll.
Black Basta is still a very active ransomware variant. In October 2022, the gang successfully targeted 25 organizations, placing it behind LockBit, Karakurt, and BlackCat ransomware groups.
“Given all of these observations, we recommend that security and detection teams keep an eye out for this campaign since it can quickly lead to severe IT infrastructure damage,” they conclude.
Impact
- Financial Theft
- Information Theft
- File Encryption
Indicators of Compromise
MD5
86853e938383d0a4fbddc372dbfa8fdc
SHA-256
4a2e23d604d2d2774df43b5c539f9726c6033db55b483c49e4e84314265f6f6e
SHA-1
3807cba2468c7cae458b1e9e4d84420799657bc4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Disable auto-mounting of the disk image file.
- Engage incident response.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
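As an added example of the IoC search recommended above (not code from Rewterz or the researchers cited), the script below sweeps a directory tree and flags files whose name matches one of the campaign file names from the analysis or whose MD5, SHA-1 or SHA-256 digest matches the hashes in this alert; the sample tree it builds is constructed data for demonstration.

```python
"""IoC sweep for the Black Basta/QakBot campaign described in this alert."""
import hashlib
import os
import tempfile

# Hashes and file names copied from this alert's IoC and analysis sections.
KNOWN_HASHES = {
    "86853e938383d0a4fbddc372dbfa8fdc",                                  # MD5
    "3807cba2468c7cae458b1e9e4d84420799657bc4",                          # SHA-1
    "4a2e23d604d2d2774df43b5c539f9726c6033db55b483c49e4e84314265f6f6e",  # SHA-256
}
KNOWN_NAMES = {"fwpolicyiomgr.dll", "aficionado.tmp", "plugin_payload54.dll",
               "plugin_payload55.dll", "cob_54.dll"}


def file_hashes(path):
    """Return the lowercase MD5, SHA-1 and SHA-256 digests of one file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()}


def scan_tree(root, hashes=KNOWN_HASHES, names=KNOWN_NAMES):
    """Walk `root` and return sorted (path, reason) pairs for files that match
    by name or by hash. Name matching is case-insensitive because the alert
    lists both plugin_payload54.dll and Plugin_payload55.dll."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append((path, "name"))
            elif file_hashes(path) & hashes:  # any one digest matching is enough
                hits.append((path, "hash"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data (not from the alert): a file carrying a listed
    name, a benign file, and a benign-named file we can match by hash."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "Temp"))
    for rel, data in [("Temp/Aficionado.tmp", b"placeholder bytes"),
                      ("Temp/report.txt", b"quarterly numbers"),
                      ("Temp/update.bin", b"constructed payload bytes")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_tree()):
        print(f"{reason:4s} {path}")
```

Against a real host, point `scan_tree` at the user profile or `%TEMP%` locations where the loader and plugin DLLs were observed, and extend `KNOWN_HASHES` with any further hashes your vendor publishes.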