TRENDING:

Fraud Management & Cybercrime , Ransomware

Mandiant Uncovers Threat Group Behind Basta Ransomware

UNC4393 Is a Financially Motivated Threat Group Active Since 2022 Akshaya Asokan (asokan_akshaya) • July 31, 2024    
Mandiant Uncovers Threat Group Behind Basta Ransomware
Image: Shutterstock

A newly identified financially motivated hacking group is deploying Basta ransomware as part of an ongoing extortion campaign that began early this year.

See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare

Google Mandiant, which uncovered the campaign, tracks the group as UNC4393.

Since Basta is not publically marketed and is available on invitation-only basis, Mandiant researchers believe UNC4393 is likely the "primary user of Basta ransomware."

"The hundreds of Basta ransomware victims claimed on the data leak sites appear credible due to UNC4393's rapid operational tempo," Mandiant said, adding that the median time the group takes to ransom a victim is approximately 42 hours. "UNC4393 has demonstrated proficiency in quickly performing reconnaissance, data exfiltration, and completing actions on objectives."

The hacking group relies on initial access brokers for network access. These include two affiliates, which Mandiant tracks as UNC2633 and UNC2500, who uses phishing emails containing QakBot for network compromise. Based on the analysis of the affiliates' operations, the researchers estimates the actors are likely linked to defunct Trickbot and Conti groups.

Following the disruption of the malware by the FBI and other international law enforcement agencies, the group began to rely on other malware variants called DarkGate for initial access.

After gaining initial access, UNC4393 uses a number of open-source attack mapping tools, such as BloodHound, AdFind and PSnmap, to analyze the victim's network.

The attackers use credentials and brute-forcing methods to authenticate externally facing network appliances or servers. While the group manually deployed Basta during its earlier days, it began to deploy Knotrock, a custom .NET-based utility, to deliver Basta. The utility offers capabilities such as quicker encryption during large-scale attacks.

In one instance, the researchers observed the group relying on a malware variant that has been inactive since 2023 called SilentNight to gain persistence and bypass security detection, Mandiant said.

"This most recent surge of SilentNight activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393's only known means of initial access."

Previous
Western Sydney University Reveals Major Data Breach
Next
US CISA Appoints 1st Chief AI Officer to Boost Cyber Defense

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



Around the Network

Cyber Insurers Are Intensely Scrutinizing Healthcare Clients
Cyber Insurers Are Intensely Scrutinizing Healthcare Clients
Study: 92% of Healthcare Firms Hit by Cyberattacks This Year
Study: 92% of Healthcare Firms Hit by Cyberattacks This Year
Who Will Take the Lead in Setting Healthcare AI Regulations?
Who Will Take the Lead in Setting Healthcare AI Regulations?
Clinical Considerations When Recovering From Ransomware
Clinical Considerations When Recovering From Ransomware
Court's Web Tracker Ruling: What HIPAA Entities Should Know
Court's Web Tracker Ruling: What HIPAA Entities Should Know
How Mega Attacks Are Spotlighting Critical 3rd-Party Risks
How Mega Attacks Are Spotlighting Critical 3rd-Party Risks
Eliminating the Need for Stored Credentials in Healthcare
Eliminating the Need for Stored Credentials in Healthcare
Identity Security: How to Reduce Cyber Risk in Manufacturing
Identity Security: How to Reduce Cyber Risk in Manufacturing
Oswal: AI, Platformization Key to Network Security Evolution
Oswal: AI, Platformization Key to Network Security Evolution
Top 'Privacy by Design' Considerations for Medical Devices
Top 'Privacy by Design' Considerations for Medical Devices

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.

  翻译: