"Quakbot" active again in Switzerland

Cybercriminals are again increasingly abusing legitimate company email conversations as a pretext for luring victims into clicking links. This primarily affects companies, whose directly contacted employees are used as a gateway for ransomware attacks.


In recent weeks, the National Cyber Security Center (NCSC) has reported renewed activity of the "QuakBot" malware in Switzerland. Quakbot (also known as "Qbot") is an encryption Trojan that can be spread via e-mail. The cybercriminals take advantage of existing email conversations that have previously fallen into their hands, the NCSC writes in a statement. These can be, for example, conversations with suppliers and customers, which are abused as a gateway to penetrate corporate networks unnoticed and then spread ransomware. As a result of a Quakbot infection, corporate data is typically encrypted and the attackers demand a ransom from the company. The NCSC strongly advises against paying the ransom and recommends filing a report with law enforcement immediately instead.

For businesses, the NCSC also recommends the following measures:

  • Block the receipt of dangerous email attachments on your email gateway; this includes Office documents with macros. A recommended list of file attachments to block can be found at www.govcert.ch/downloads/blocked-filetypes.txt.
  • If your company does not use Microsoft OneDrive for business purposes, the NCSC recommends that access to Microsoft OneDrive (onedrive.live.com) be blocked, at least temporarily, on the security perimeter (e.g. firewall, web proxy, etc.).
  • Block access to known QakBot botnet C&C servers on your security perimeter (e.g. firewall, web proxy, etc.) using the Feodo tracker blocklist.
  • Block access to websites on your security perimeter (e.g. firewall, web proxy, etc.) that are currently used for malware distribution.
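
As an illustration of the first recommendation (an added example, not code from the NCSC or govcert.ch), the following sketch shows a gateway-side check that rejects attachments by extension and also catches Office files that carry a macro project under a harmless-looking name. The extension set, the function names and the sample message are constructed for the example; a real gateway would load its own blocklist.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample set; load the list your gateway policy actually uses.
BLOCKED_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".iso", ".lnk"}

def has_vba_project(payload):
    """True if payload is an Open XML (zip) container holding a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False

def blocked_attachments(raw_message):
    """Return (filename, reason) for each attachment the gateway should reject."""
    message = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in message.walk():  # walk() also descends into forwarded messages
        if part.is_multipart() or part.get_filename() is None:
            continue
        # Windows ignores trailing dots and spaces, so normalise before matching.
        name = part.get_filename().rstrip(". ").lower()
        extension = os.path.splitext(name)[1]
        if extension in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + extension))
        elif has_vba_project(part.get_payload(decode=True) or b""):
            findings.append((name, "Office document with macros"))
    return findings

def build_sample():  # constructed reply-style message with three attachments
    msg = EmailMessage()
    msg["Subject"] = "Re: Order confirmation"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.XLSM")
    renamed = io.BytesIO()
    with zipfile.ZipFile(renamed, "w") as archive:
        archive.writestr("word/vbaProject.bin", b"constructed")
    msg.add_attachment(renamed.getvalue(), maintype="application",
                       subtype="octet-stream", filename="report.docx")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

Legacy binary Office formats (.doc, .xls) are not zip containers, so this sketch only covers them through the extension list.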