UNC4393 exploits partners, leading to BASTA Ransomware actor exposure

August 3, 2024

TLDR:

– UNC4393, the primary user of BASTA ransomware, has attacked over 40 business entities and 20 industry verticals, with a recent focus on healthcare firms.
– The group operates through partnerships rather than recruiting affiliates, making it more effective at obtaining ransoms.

In mid-2022, Mandiant’s Managed Defense first uncovered UNC4393 as the main user of BASTA ransomware. This financially motivated threat cluster has targeted over 40 business entities and 20 industry verticals, with a particular focus on healthcare firms. The group primarily gains initial access through QAKBOT botnet infections, which are distributed by phishing emails and HTML smuggling techniques.

Unlike other ransomware-as-a-service models that recruit affiliates, BASTA operates on a private, small, closed-invitation basis, relying on underground partnerships for access rather than selling its services. This tactic allows UNC4393 to operate more effectively in obtaining ransoms, taking just about 42 hours more than other players in the field.

Following the dismantling of the QAKBOT botnet, UNC4393 started using tailored malware and different initial access methods to replace the ready-made tools in its arsenal. The group’s intrusion lifecycle involves living-off-the-land techniques, custom malware such as DNS BEACON, and an infection chain that includes tools like DAWNCRY, DAVESHELL, and PORTYARD.

UNC4393’s persistence methods have evolved over time, from RMM software to tunnels and tunnellers. The group’s drive-by attack tactics now involve the KNOTROCK tool to speed up the encryption process. Despite a recent decline in victims, UNC4393 remains a significant threat because of its focus on data exfiltration, custom malware development, and multifaceted extortion techniques.
