Introduction

Small and medium-sized businesses (SMBs) are increasingly becoming targets for sophisticated cyberattacks. One of the emerging threats observed in recent years is the combination of QakBot, Cobalt Strike, and SystemBC leading to the deployment of Black Basta ransomware. At AttackIQ, we understand the importance of proactive security measures, which is why we’ve introduce our latest package for testing your defenses against these advanced threats using AttackIQ Flex.

Understanding the Threat: QakBot and Black Basta

On May 10, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) about Black Basta, a ransomware variant responsible for encrypting and stealing data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector. This advisory is part of CISA’s ongoing #StopRansomware effort to provide defenders with the intelligence needed to combat various ransomware variants and threat actors.

Black Basta is a ransomware variant operated by the group of the same name under a Ransomware as a Service (RaaS) model. Active since April 2022, with development traced back to February 2022, Black Basta affiliates have targeted organizations in multiple sectors, including Construction, Manufacturing, Professional Services, Financial Services, Healthcare & Life Sciences, and Energy, Resources, and Utilities.

The QakBot Infection Chain

The infection chain typically begins with a spearphishing email containing Excel 4.0 files with malicious macros. Once opened, these files download and execute the QakBot DLL via RegSvr32. QakBot then communicates with adversary infrastructure and performs system discovery, paving the way for the deployment of additional malicious tools like Cobalt Strike and SystemBC, ultimately leading to the deployment of Black Basta ransomware.

Key Attack Techniques

Our new package includes a comprehensive attack graph that emulates the entire infection chain from QakBot to Black Basta. Here are some of the key techniques and scenarios covered:

1. Cobalt Strike Named Pipe Impersonation: Emulates lateral movement techniques using Cobalt Strike.
2. Conti File Encryption: Simulates the ransomware encryption process to test your defenses.
3. QakBot Initial Web POST Request: Emulates the initial communication between QakBot and its command-and-control servers.
4. Download and Execute Malicious Samples: Includes scenarios for downloading and executing QakBot, Cobalt Strike, and Black Basta samples.
5. System Discovery and Information Gathering: Emulates techniques for network share discovery, system owner/user discovery, and network configuration discovery.
6. Data Exfiltration: Simulates the exfiltration of sensitive data, such as a PDF containing credit card numbers, to test your data loss prevention measures.

For a detailed list of scenarios and further technical insights, visit our Adversary Research Team’s detailed Black Basta ransomware response analysis.

Stay Proactive with AttackIQ Flex

At AttackIQ, we are committed to democratizing testing with accessible products and knowledge needed to stay ahead of cyber threats. Our AttackIQ Flex platform provides a robust environment for continuous security validation, ensuring your defenses are always up to date against the latest threats.  Small and midsized businesses (SMB’s) are often the most susceptible to encountering highly sophisticated ransomware attacks as they most often lack advanced cybersecurity measures and have outdated systems. Additionally, attacking SMBs attracts less attention from law enforcement and media, and while individual ransoms are smaller, the high number of SMBs makes them a lucrative target group.

To learn more about our new QakBot – Infection Chain with Cobalt Strike and SystemBC Lead to Black Basta Ransomware package, visit our AttackIQ Flex product page and stay informed with our latest advisory response.

Conclusion

Staying one step ahead of the bad guy is crucial. By leveraging AttackIQ Flex’s latest package for testing against QakBot and Black Basta ransomware, SMBs can significantly enhance their security posture and protect their valuable assets. Don’t wait for an attack to happen—proactively test your defenses and ensure your business is prepared.

To get started with AttackIQ Flex, register for free today!

Key Points

1. Proactive Defense: Testing your defenses against QakBot and Black Basta ransomware with AttackIQ Flex helps uncover vulnerabilities before attackers can exploit them.
2. Comprehensive Coverage: Our package emulates the full attack chain, from QakBot initial access to Black Basta deployment, ensuring thorough testing of your security systems.
3. Real-World Scenarios: Emulate real-world attack techniques, including spearphishing, lateral movement, system discovery, and data exfiltration, to enhance your incident response.
4. Actionable Insights: Gain detailed insights into your security posture and receive actionable recommendations to strengthen your defenses against advanced threats.
5. Sector-Specific Threats: Black Basta has targeted multiple sectors, including Healthcare, Construction, and Financial Services—making it essential for SMBs in these industries to validate their defenses.