The Black Basta ransomware group has now partnered with the QBot (QakBot) malware operation to spread through organizations. QBot is Windows malware that steals banking credentials and Windows domain credentials and delivers additional malware to already infected devices. It began as a banking trojan and evolved over time with a new agenda and new features. It is typically spread through phishing emails that contain malicious attachments. This is not the first collaboration between QBot and a ransomware gang: its operators previously teamed up with MegaCortex, ProLock, DoppelPaymer, and Egregor. According to NCC Group, which identified the collaboration during an incident response engagement, Black Basta differs from the typical ransomware group, which uses QBot only for initial access: Black Basta also uses QBot for persistence within the network. Most notably, the group is using QBot to move laterally across the network and to execute PowerShell commands that disable Windows Defender, helping it remain undetected.
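The behaviour described above, PowerShell used to switch off Windows Defender, is something a SOC can detect from two sources that already exist on a default Windows host: PowerShell script block logging (Event ID 4104) and the Microsoft-Windows-Windows Defender/Operational log, where Event ID 5001 means real-time protection was disabled and 5007 means the Defender configuration changed. The following detection logic is an added example written for this page; it is not code from the article or from NCC Group. The article does not say which exact commands Black Basta ran, so the cmdlets matched here (Set-MpPreference, Add-MpPreference, stopping the WinDefend service) are an assumption based on commonly abused Defender configuration commands, and the log line format and the log lines themselves are constructed for the example.

```python
"""Flag Defender-tampering PowerShell (4104) and correlate it with Defender
state-change events (5001/5007) on the same host within a short window.

Added example for this page; not the article's or NCC Group's code. The cmdlet
patterns are an assumption (commonly abused Defender commands), and the log
format and sample lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Script-block content that weakens Defender. Patterns are case-insensitive and
# tolerate both "-Param $true" and "-Param:$true" / "-Param 1" spellings.
TAMPER_RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s*:?\s*(\$true|1)\b", re.I)),
    ("defender_ioav_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableIOAVProtection\s*:?\s*(\$true|1)\b", re.I)),
    ("defender_behavior_monitoring_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableBehaviorMonitoring\s*:?\s*(\$true|1)\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_service_stopped",
     re.compile(r"(Stop-Service\b.*\bWinDefend\b|sc(\.exe)?\s+stop\s+WinDefend\b)", re.I)),
]

# Real Defender operational-log event IDs: 5001 = real-time protection disabled,
# 5007 = configuration changed. On their own they are noisy; correlated with a
# tamper command moments earlier they are high-confidence.
DEFENDER_STATE_EVENTS = {
    5001: ("defender_realtime_protection_disabled", "medium"),
    5007: ("defender_configuration_changed", "low"),
}

# Constructed, simplified export format: one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) eid=(?P<eid>\d+) user=(?P<user>\S+) script=(?P<script>.*)$"
)

# Constructed sample: a user runs Defender-disabling commands, Defender logs the
# state change a second later, then a benign re-enable and a read-only query.
SAMPLE_LOG = r"""
2022-06-01T10:02:11Z host=WS-017 eid=4104 user=CORP\jdoe script=Get-Date
2022-06-01T10:02:45Z host=WS-017 eid=4104 user=CORP\jdoe script=Set-MpPreference -DisableRealtimeMonitoring $true
2022-06-01T10:02:46Z host=WS-017 eid=5001 user=SYSTEM script=
2022-06-01T10:03:02Z host=WS-017 eid=4104 user=CORP\jdoe script=Add-MpPreference -ExclusionPath C:\ProgramData\svc
2022-06-01T10:03:03Z host=WS-017 eid=5007 user=SYSTEM script=
2022-06-01T10:05:00Z host=WS-017 eid=4104 user=CORP\jdoe script=Set-MpPreference -DisableRealtimeMonitoring $false
2022-06-01T10:06:00Z host=WS-017 eid=4104 user=CORP\jdoe script=Get-MpPreference | Select-Object DisableRealtimeMonitoring
"""


@dataclass
class Event:
    ts: datetime
    host: str
    eid: int
    user: str
    script: str


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    severity: str
    evidence: str


def parse_log(text):
    """Parse the constructed line format into Event objects, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["host"], int(m["eid"]), m["user"], m["script"].strip()))
    return events


def detect(events, window=timedelta(seconds=60)):
    """Return alerts: one per tamper command, plus Defender state events, which are
    upgraded to high severity when a tamper command preceded them within `window`."""
    alerts = []
    recent_tamper = {}  # host -> [(ts, rule)] of tamper commands seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.eid == 4104:
            for rule, pattern in TAMPER_RULES:
                if pattern.search(ev.script):
                    alerts.append(Alert(ev.ts, ev.host, ev.user, rule, "medium", ev.script))
                    recent_tamper.setdefault(ev.host, []).append((ev.ts, rule))
        elif ev.eid in DEFENDER_STATE_EVENTS:
            rule, severity = DEFENDER_STATE_EVENTS[ev.eid]
            prior = [r for t, r in recent_tamper.get(ev.host, []) if ev.ts - t <= window]
            evidence = ""
            if prior:  # state change explained by a tamper command: escalate
                rule += "_after_tamper_command"
                severity = "high"
                evidence = "preceded by " + ", ".join(prior)
            alerts.append(Alert(ev.ts, ev.host, ev.user, rule, severity, evidence))
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%H:%M:%S} {a.host} {a.severity:<6} {a.rule}  {a.evidence}")
```

The re-enable command (`-DisableRealtimeMonitoring $false`) and the read-only `Get-MpPreference` query produce no alert, which keeps the rule usable in an environment where administrators legitimately touch Defender settings; the correlation step is what separates an attacker's sequence from a stray configuration change.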
Relationships between QBot and ransomware actors are not new, but this one differs from those previously witnessed. Using QBot for persistence could make this ransomware group more effective when exfiltrating and encrypting data. Standard ransomware defenses should be in place, and two follow directly from the reported tradecraft. Because the group disables Windows Defender through PowerShell, enable Defender Tamper Protection so that local administrators and scripts cannot switch real-time protection off, and alert on Defender real-time protection being disabled (Event ID 5001) or its configuration being changed (Event ID 5007) in the Microsoft-Windows-Windows Defender/Operational log, as well as on PowerShell script block logs (Event ID 4104) that contain Defender configuration cmdlets. Because QBot is mainly spread through phishing emails, organizations should also train employees to spot phishing emails and not to open unexpected attachments from unknown senders.