"Basta Ransomware Operator Tactics Undergo 'Notable Shift'"
Over the past year, "UNC4393," a threat group that infects targets with the "Basta" ransomware, has changed how it gains initial access to victims. The threat group previously relied on existing "Qakbot" infections, delivered through phishing attacks, for initial access. After US law enforcement took down Qakbot infrastructure last year, the threat group shortly used "DarkGate" malware as an initial access loader before switching to the "SilentNight" backdoor this year. According to Mandiant researchers, malvertising has driven this year's SilentNight surge. UNC4393's initial access no longer relied on phishing. Aside from SilentNight, the group has broadened its initial access strategy in other ways. In recent February campaigns, UNC4393 used stolen credentials and brute-force methods in attacks aimed at deploying ransomware or conducting data theft extortion. This article continues to discuss changes made by the UNC4393 threat group.
Decipher reports "Basta Ransomware Operator Tactics Undergo 'Notable Shift'"
Submitted by grigby1