The Rise of CACTUS Ransomware: A Connection to Black Basta and BackConnect

In recent cybersecurity investigations, a notable trend has emerged linking two prominent ransomware families: Black Basta and CACTUS. Both have been found to use the same BackConnect (BC) module, raising suspicions that the affiliates behind Black Basta may have shifted to the CACTUS group. This analysis describes the tactics, techniques, and procedures (TTPs) employed by these threat actors, as well as the potential overlap between the two ransomware campaigns.

Findings

Research reveals that both Black Basta and CACTUS ransomware groups are utilizing the same BackConnect module for maintaining remote control over infected systems. This BackConnect module, also known as QBACKCONNECT because of its ties to the QakBot loader, gives attackers the ability to execute commands, steal sensitive data, and carry out various forms of exploitation. Trend Micro’s recent analysis highlights the strategic role of this BC module in facilitating the attackers’ post-infection activities.

In the past year, Black Basta has increasingly relied on email bombing tactics to trick targets into installing Quick Assist, a legitimate Windows tool, which then serves as an entry point for the malware. The threat actors then sideload a malicious DLL loader, REEDBED, using legitimate Microsoft update tools. The same tactics have been observed in CACTUS ransomware attacks, though CACTUS seems to go a step further, incorporating lateral movement and data exfiltration into its campaigns. The overlap in the tactics and tools used strongly suggests that affiliates from Black Basta may now be operating under the CACTUS banner.

What Undercode Says:

The convergence of techniques used by both Black Basta and CACTUS ransomware groups paints a clear picture of evolving cybercriminal tactics. The shared use of the BackConnect (QBACKCONNECT) module suggests a level of coordination or transition, where former Black Basta affiliates may have merged into or begun operating with the CACTUS group. This transition indicates a significant shift in ransomware group dynamics, where former associates leverage established tools and tactics to maintain their illicit operations under a new identity or banner.

Email Bombing and Quick Assist

The use of email bombing tactics by Black Basta to trick victims into installing Quick Assist is a particularly concerning development. This method relies on social engineering: the attacker floods the target with email, then impersonates IT support or helpdesk personnel to convince the target to allow remote access. Quick Assist, a legitimate Windows tool designed to facilitate remote assistance, is abused in these attacks. Once a remote session is established, it opens the door for the attackers to deploy malicious payloads, such as the REEDBED DLL loader, which ultimately decrypts and runs the BackConnect module.

This use of social engineering tactics is a growing concern, as it bypasses traditional security defenses by leveraging legitimate, trusted software tools to gain unauthorized access to systems. The fact that this approach is now being seen in both Black Basta and CACTUS attacks further demonstrates the evolution of ransomware operations, where cybercriminals are increasingly blending sophisticated technical methods with social engineering to maximize their success.
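The chain described above (email flood, then a Quick Assist session, then a DLL sideloaded into a Microsoft-signed binary from a user-writable directory) can be correlated from endpoint and mail telemetry. The following is an added detection example, not code from the article or from Trend Micro; the event records, the time windows, the field names and the `updater.exe` binary name are constructed placeholders, since the article does not name the update tool that was abused.

```python
"""Correlate the intrusion chain: email bombing -> Quick Assist -> DLL sideload."""
from collections import defaultdict
from datetime import datetime, timedelta

# Directories a Microsoft-signed binary is expected to load its DLLs from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def _t(s):  # ISO-8601 timestamp string -> datetime
    return datetime.fromisoformat(s)

def mail_burst_users(events, threshold=20, window=timedelta(minutes=30)):
    """Map user -> start time of the first window holding >= threshold inbound mails."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mail":
            by_user[e["user"]].append(_t(e["ts"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):          # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = times[start]
                break
    return hits

def is_sideload(e):
    """A DLL loaded from outside trusted directories into a Microsoft-signed process."""
    return (e["kind"] == "load" and e.get("signer") == "Microsoft"
            and not e["dll"].lower().startswith(TRUSTED_DIRS))

def correlate(events, qa_within=timedelta(hours=6), load_within=timedelta(hours=2)):
    """Return (user, quick_assist_start, dll_path) for every complete chain observed."""
    alerts = []
    for user, burst_start in mail_burst_users(events).items():
        qa_starts = [_t(e["ts"]) for e in events
                     if e["kind"] == "proc" and e["user"] == user
                     and e["image"].lower().endswith("quickassist.exe")
                     and burst_start <= _t(e["ts"]) <= burst_start + qa_within]
        for qa_ts in qa_starts:
            for e in events:
                if is_sideload(e) and e["user"] == user and qa_ts <= _t(e["ts"]) <= qa_ts + load_within:
                    alerts.append((user, qa_ts.isoformat(), e["dll"]))
    return alerts

# Constructed sample telemetry (not real data): 25 mails in 25 minutes, a Quick Assist start,
# one sideload from the user's profile by the placeholder "updater.exe", one benign load, and
# a Quick Assist start for a user who received no mail flood.
SAMPLE = [{"ts": f"2025-03-03T09:{m:02d}:00", "kind": "mail", "user": "alice"} for m in range(25)]
SAMPLE += [
    {"ts": "2025-03-03T09:40:00", "kind": "proc", "user": "alice", "image": "C:\\Windows\\System32\\quickassist.exe"},
    {"ts": "2025-03-03T10:05:00", "kind": "load", "user": "alice", "signer": "Microsoft",
     "image": "C:\\Users\\alice\\AppData\\Local\\updater.exe", "dll": "C:\\Users\\alice\\AppData\\Local\\loader.dll"},
    {"ts": "2025-03-03T10:06:00", "kind": "load", "user": "alice", "signer": "Microsoft",
     "image": "C:\\Windows\\System32\\svchost.exe", "dll": "C:\\Windows\\System32\\ntdll.dll"},
    {"ts": "2025-03-03T11:00:00", "kind": "proc", "user": "bob", "image": "C:\\Windows\\System32\\quickassist.exe"},
]
```

Each stage on its own (a busy mailbox, a helpdesk Quick Assist session, an odd DLL load) is noisy; the value is in requiring all three for one user in sequence.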

REEDBED and Data Exfiltration

In addition to deploying BackConnect for remote access, CACTUS ransomware operators have been observed using similar tactics but with an additional focus on lateral movement and data exfiltration. After gaining initial access, the attackers use the BackConnect module not only to maintain control but also to navigate through the victim’s network and exfiltrate valuable data. This represents an evolution from earlier ransomware campaigns that focused primarily on encryption and ransom demands.

Data exfiltration is an increasingly common element in modern ransomware attacks, with attackers using stolen data as leverage for extortion or even selling it on the dark web. This shift in tactics highlights the growing sophistication of ransomware groups, where they not only encrypt data but also compromise the victim’s reputation and operations by stealing sensitive information.

The Leaked Chat Logs and Credential Sharing

One of the most significant revelations from the recent Black Basta chat log leaks is the level of internal collaboration and credential sharing within the group. The leaks exposed how members of Black Basta were sharing valid credentials, many of which were sourced from information stealer logs. This highlights a deeper, more coordinated approach to gaining access to target systems, making it more difficult for traditional defenses to stop the attackers before they gain a foothold.

The use of stolen credentials, particularly from information stealers, is a key tactic that highlights the complex and multi-layered nature of modern ransomware campaigns. By using previously stolen or leaked credentials, attackers can bypass some of the traditional security defenses like two-factor authentication, which would otherwise serve as a barrier.

RDP and VPN Exploits

Remote Desktop Protocol (RDP) and VPN endpoints remain a significant attack vector for ransomware groups. These access points are often used as initial vectors in attacks, providing attackers with the means to infiltrate networks and launch their payloads. The increasing reliance on RDP and VPN vulnerabilities underscores the importance of securing these services against unauthorized access, as they are prime targets for threat actors seeking to deploy ransomware.

The fact that both Black Basta and CACTUS groups are leveraging RDP and VPN exploits as part of their TTPs shows that threat actors are evolving to take advantage of vulnerabilities in remote access technologies, further amplifying the risk posed to organizations that rely on such systems for their daily operations.

Fact Checker Results

  1. BackConnect (QBACKCONNECT) module has been documented in attacks by both Black Basta and CACTUS groups, confirming a shared toolset between the two.
  2. The exploitation of Quick Assist and email bombing tactics by Black Basta and CACTUS aligns with prior observations of similar ransomware campaigns, substantiating the connection between the two groups.
  3. The transition of Black Basta affiliates to CACTUS is plausible based on the observed overlap in tactics, techniques, and procedures, supporting claims of group migration.

References:

Reported By: https://thehackernews.com/2025/03/researchers-link-cactus-ransomware.html
Undercode AI