The Black Basta ransomware group [1] [2], also known as UNC4393 [1], has recently shifted tactics in response to disruptions and law enforcement efforts.
Description
They have transitioned from phishing to relying on initial access brokers and custom tooling for their intrusions. Following the takedown of the Qakbot botnet [2], the group adapted to the disruption and has gone on to compromise over 500 victims [2]. Mandiant tracks the group as UNC4393 and has noted its shift from publicly available tools to purpose-built malware [2]. The group now uses the SilentNight malware for initial access, with the DawnCry memory-only dropper and the DaveShell loader delivering the PortYard tunneler to establish a network foothold [1]. Recent attacks also feature living-off-the-land binaries [1], the CogScan .NET reconnaissance tool [1], the SystemBC tunneler [1], the KnowTrap memory-only dropper [1], and KnockTrock, a .NET-based utility used to inject the BASTA ransomware executable [1].
Conclusion
The Black Basta ransomware group’s shift in tactics highlights the need for enhanced cybersecurity measures to mitigate the risk of future attacks. Organizations should stay vigilant and update their security protocols to defend against evolving threats posed by groups like UNC4393.
References
[1] https://www.scmagazine.com/brief/stealthier-malware-tools-leveraged-by-black-basta-ransomware
[2] https://www.darkreading.com/threat-intelligence/black-basta-develops-custom-malware-in-wake-of-qakbot-takedown