Unveiling the Persistence of Current Ransomware Threats, The Qakbot and Knight Malware Connection
Analyzing the Persistence of Qakbot Threat Actors and Their Shift to Knight Ransomware
According to csoonline.com, despite a successful law enforcement operation that effectively eliminated the Qakbot banking Trojan in August, the individuals responsible for this threat continue to pose a danger to users. Cisco’s Talos threat intelligence group has reported with “moderate confidence” that these threat actors are actively engaged in a new campaign, where they are distributing a variant of the Knight malware, which underwent a rebranding as Cyclops in July.
Knight is ransomware that extorts companies by threatening to sell their stolen data. Talos linked the campaigns by examining the drive serial numbers recorded in the metadata of LNK files taken from computers tied to earlier Qakbot attacks. Although the threat actors had tried to erase this metadata, Talos still identified one machine connected to those attacks.
Interestingly, some of the filenames were in Italian, which suggests regional targeting. The LNK files are distributed inside Zip archives that also contain XLL files; opening an XLL file installs the Remcos backdoor, which works alongside the Knight malware to gain access to the victim's systems.
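As an added illustration of the triage and attribution steps described above (this is example code, not code from the Talos report or from this article), the Python below parses the VolumeID structure of a Windows Shell Link (LNK) file to recover the drive serial number, handles files whose volume metadata is missing or has been stripped, and inspects a Zip archive for the LNK-plus-XLL pairing. Every input is constructed here: the LNK files, the archive, the Italian-looking file names, the volume label and the serial 1A2B-3C4D are made up, and the "XLL" entry is only a two-byte PE stub, not a real add-in.

```python
"""Triage of a Zip lure (LNK + XLL) and recovery of the LNK drive serial.
Added example with constructed sample data; not taken from the Talos report."""
import io
import struct
import uuid
import zipfile

# MS-SHLLINK constants (ShellLinkHeader / LinkInfo / VolumeID structures)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def build_sample_lnk(serial, local_path=b"C:\\Users\\victim\\Fattura.xll", label=b"DATA"):
    """Constructed minimal Shell Link. serial=None omits the LinkInfo block,
    which mimics a file whose volume metadata was stripped by the sender."""
    flags = HAS_LINK_INFO if serial is not None else 0
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<II", flags, 0x20)               # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                   # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)   # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1-3
    if serial is None:
        return header
    # VolumeID: size, DriveType=FIXED, DriveSerialNumber, VolumeLabelOffset, ANSI label
    volume_id = struct.pack("<IIII", 0x10 + len(label) + 1, 3, serial, 0x10) + label + b"\x00"
    lbp, suffix = local_path + b"\x00", b"\x00"
    vol_off = 0x1C
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(lbp)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 0x1C,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, lbp_off, 0, suffix_off)
    return header + link_info + volume_id + lbp + suffix


def parse_lnk_volume_info(data):
    """Return drive serial/type/label and local base path from a Shell Link,
    or None when the file carries no VolumeID (metadata absent or erased)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a Shell Link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    link_flags, = struct.unpack_from("<I", data, 20)
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:                 # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO:
        return None
    li_size, li_hdr, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
    if li_hdr < 0x1C or pos + li_size > len(data):
        raise ValueError("truncated or malformed LinkInfo")
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    vol = pos + vol_off
    vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
    if label_off == 0x14:                                    # Unicode label variant
        label_off, = struct.unpack_from("<I", data, vol + 0x10)
        label = data[vol + label_off: vol + vol_size].decode("utf-16-le", "replace")
    else:
        label = data[vol + label_off: vol + vol_size].decode("latin-1")
    local = data[pos + lbp_off: pos + li_size].decode("latin-1")
    return {
        "drive_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
        "volume_label": label.split("\x00")[0],
        "local_base_path": local.split("\x00")[0],
    }


def triage_zip(zip_bytes):
    """Flag archives that pair LNK with XLL/PE files and record each LNK's drive serial.
    LNK detection uses the header bytes, not only the extension."""
    report = {"lnk": [], "xll_or_pe": [], "serials": {}, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            is_lnk = blob[:4] == b"\x4c\x00\x00\x00" and blob[4:20] == LNK_CLSID.bytes_le
            if is_lnk or name.lower().endswith(".lnk"):
                report["lnk"].append(name)
                info = parse_lnk_volume_info(blob) if is_lnk else None
                report["serials"][name] = info["drive_serial"] if info else None
            if name.lower().endswith(".xll") or blob[:2] == b"MZ":
                report["xll_or_pe"].append(name)
    report["suspicious"] = bool(report["lnk"] and report["xll_or_pe"])
    return report


def build_sample_zip():
    """Constructed lure archive: one LNK with volume metadata, one stripped LNK, one fake XLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fattura.lnk", build_sample_lnk(0x1A2B3C4D))
        zf.writestr("Documento.lnk", build_sample_lnk(None))
        zf.writestr("Fattura.xll", b"MZ" + b"\x00" * 62)      # PE stub only, not a real add-in
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The serial is the key for clustering: LNK files created on the same builder machine share a DriveSerialNumber even when file names, paths and timestamps differ, which is why a stripped LinkInfo block (the `None` entries) is itself worth noting in a report.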
Qakbot Actors as Knight Ransomware Customers: Assessing the Ongoing Threat Landscape
It's important to note that the Qakbot actors are likely not the creators of the Knight ransomware service itself; rather, they are customers of it. The FBI-led operation that dismantled Qakbot's command-and-control servers in August did not touch the group's phishing infrastructure, which leaves room for a resurgence of the threat.
Qakbot was originally a significant and ingenious threat: it infiltrated Exchange servers at third-party organizations, modified legitimate emails and inserted the Qakbot payload into existing message threads. In summary, despite the August law enforcement operation, the Qakbot threat remains as its operators pivot to distributing the Knight malware, and users are still at risk.
Talos' analysis points to regional targeting and to a possible resurgence through the untouched phishing infrastructure. Qakbot's original infiltration method, through hijacked Exchange servers, showed how capable and clever the operators are, and they remain a factor for organizations and individuals alike.