Overview
In mid-2022, Mandiant’s Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant’s initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster’s victims, with the Black Basta data leak site purporting over 500 victims since inception.
Over the course of this blog post, Mandiant will detail the evolution of UNC4393’s operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster’s transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.
Figure 1: UNC4393 intrusion lifecycle
<
div class=”block-paragraph_advanced”>
Attribution and Targeting
UNC4393 is a financially motivated threat cluster, and the primary user of BASTA ransomware, tracked since mid-2022 but likely active since early 2022 based on activity on the BA
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: