
Cybercrime: the Black Basta ransomware exploits Qakbot for lateral movement

The Black Basta ransomware exploits Qakbot for lateral movement. According to NCC Group cybersecurity experts, the malware was leveraged to remotely create a temporary service on a target host, configured to execute the DLL using regsvr32.exe.

Black Basta ransomware exploits Qakbot (Qbot) for lateral movement, as discovered by NCC Group cybersecurity experts. The goal is to maintain presence on the network. The threat actor was also observed using Cobalt Strike beacons during the compromise. Moreover, prior to the deployment of the ransomware, the cybercrime gang established RDP sessions to Hyper-V servers and from there modified the configurations of the Veeam backup jobs and deleted the backups of the hosted virtual machines. Furthermore, during the intrusion, steps were taken to prevent interference from anti-virus: the threat actor was observed using two main techniques to disable Windows Defender.
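The lateral-movement step described above (a temporary service whose image path runs a DLL through regsvr32.exe) leaves a service-installation record on the target: EventID 7045 in the System log, or EventID 4697 in the Security log where service-install auditing is enabled. The following detection sketch is an added example, not code from the NCC Group report or from this article; the event records, service names and DLL paths it scans are constructed, and the scoring thresholds are an assumption chosen for illustration.

```python
"""
Detection sketch: score Windows service-installation records (EventID 7045 / 4697)
for the pattern "service ImagePath loads a DLL via regsvr32.exe", with extra weight
for DLLs in user-writable directories and for short, random-looking service names.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records in the shape of 7045/7036 events (service name plus
# ImagePath). These are made-up test data, not indicators from the NCC report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2022-06-01T10:00:01Z", "host": "SRV-01", "event_id": "7045",
     "service": "CDPUserSvc",
     "image_path": r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"},
    {"ts": "2022-06-01T10:02:10Z", "host": "SRV-02", "event_id": "7045",
     "service": "kqRtYx",
     "image_path": r"cmd.exe /c regsvr32.exe -s C:\Users\Public\Libraries\update.dll"},
    {"ts": "2022-06-01T10:02:11Z", "host": "SRV-03", "event_id": "7045",
     "service": "BackupAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe --service"},
    {"ts": "2022-06-01T10:05:00Z", "host": "SRV-04", "event_id": "7045",
     "service": "aB3",
     "image_path": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
    {"ts": "2022-06-01T10:06:00Z", "host": "SRV-05", "event_id": "7036",
     "service": "kqRtYx", "image_path": ""},
]

SERVICE_INSTALL_IDS = {"7045", "4697"}
REGSVR32_RE = re.compile(r"\bregsvr32(?:\.exe)?\b", re.IGNORECASE)
DLL_RE = re.compile(r"\S+\.dll\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData)\\", re.IGNORECASE)
VOWEL_RE = re.compile(r"[aeiou]", re.IGNORECASE)

ALERT_THRESHOLD = 3  # assumption: regsvr32+DLL alone is enough to raise an alert


def looks_random(name: str) -> bool:
    """Heuristic for throwaway service names: short, and either digit-bearing or vowel-free."""
    return 0 < len(name) <= 8 and (re.search(r"\d", name) is not None or VOWEL_RE.search(name) is None)


def score_service_install(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one record; non-install events score 0."""
    reasons: List[str] = []
    if event.get("event_id") not in SERVICE_INSTALL_IDS:
        return 0, reasons
    score = 0
    path = event.get("image_path", "")
    if REGSVR32_RE.search(path) and DLL_RE.search(path):
        score += 3
        reasons.append("service ImagePath loads a DLL via regsvr32.exe")
        if USER_WRITABLE_RE.search(path):
            score += 1
            reasons.append("DLL resides in a user-writable directory")
    if looks_random(event.get("service", "")):
        score += 1
        reasons.append("short or random-looking service name")
    return score, reasons


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the scorer over a batch of records and return the alerts at or above threshold."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        score, reasons = score_service_install(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "service": ev["service"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} service={alert['service']} "
              f"score={alert['score']}: {'; '.join(alert['reasons'])}")
```

One caveat worth building into a real pipeline: a 7045 record names the host where the service was installed but not the host that installed it, so to confirm the "remote" part of the technique, correlate each alert with a network logon (EventID 4624, logon type 3) on the same host in the seconds before the service appeared, and with the short-lived nature of the service (a matching 7036 stop or a subsequent removal on a well-instrumented endpoint).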
