Intel Name: Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Date of Scan: March 4, 2025
Impact: High
Summary: “Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal” refers to the adoption of BackConnect malware by these two ransomware groups as part of their evolving tactics. The attackers relied on social engineering, Microsoft Teams, Quick Assist, and tools such as OneDriveStandaloneUpdater.exe to gain initial access and escalate privileges. The malware, which is linked to QakBot, gave them persistent control over compromised machines. The attackers also used WinSCP for further exploitation and hosted malicious files on misconfigured cloud storage services. These activities were observed primarily in North America and Europe, with the US the hardest hit.