UNC3973 is a financially motivated threat actor tracked by Mandiant. It is distinguished from the broader BASTA ransomware ecosystem (primarily tracked as UNC4393) by its own operational characteristics and TTPs. The actor has shown a specific focus on supply chain compromise, as seen in a June campaign against credit unions in western Canada that was carried out through a compromised managed service provider (MSP). UNC3973 gains initial access through unauthorized use of service accounts with elevated privileges, specifically domain administrator accounts shared between the compromised MSP and the target organizations. Post-exploitation activity includes attempts to disable security controls and to deploy the SYSTEMBC tunneler for command and control (C2), followed by attempts to deploy BASTA ransomware. In the observed intrusions, both the SYSTEMBC and the BASTA deployments were blocked by endpoint security solutions. The targeted, supply-chain-enabled nature of UNC3973's intrusions, its use of privileged shared accounts and its attempts to deploy BASTA together suggest a closed group, perhaps affiliates working closely with, or operating under the direct control of, the BASTA ransomware operators. The group's ability to exploit centralized access points such as MSPs is a significant threat to organizations that depend on third-party providers.
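The two behaviours described above (a shared MSP domain-admin account used from an unexpected source or logon type, then a security service being stopped on the same host) are what a hunt for this tradecraft looks for. The following is an added detection example, not code from Mandiant or from the page; the account names, the MSP source range, the "expected" logon type and the sample event records are constructed assumptions that a real deployment would replace with its own inventory and with events pulled from the Security (4624) and System (7036) logs.

```python
"""Hunt for abuse of shared MSP privileged accounts followed by security-control
tampering, over constructed Windows event records (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, not from the page: the shared MSP domain-admin accounts in this
# tenant, the source network the MSP is contracted to connect from, and the
# logon type its RMM tooling normally produces (3 = network; 2/10 = interactive/RDP).
SHARED_MSP_ADMINS = {"svc_msp_admin", "msp-da"}
MSP_SOURCE_NETS = [ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
EXPECTED_LOGON_TYPES = {3}
SECURITY_SERVICES = {"WinDefend", "Sense", "MsMpSvc"}  # EDR/AV services worth watching
TAMPER_WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    """Minimal view of a Windows event: 4624 (logon) or 7036 (service state change)."""
    time: datetime
    event_id: int
    host: str
    user: str = ""
    logon_type: int | None = None
    src_ip: str = ""
    service: str = ""


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    severity: str


def logon_is_suspicious(ev: Event) -> str | None:
    """Return why a 4624 for a shared MSP admin account is suspicious, or None."""
    if ev.event_id != 4624 or ev.user.lower() not in SHARED_MSP_ADMINS:
        return None
    reasons = []
    if ev.logon_type not in EXPECTED_LOGON_TYPES:
        reasons.append(f"logon type {ev.logon_type}")
    try:
        src = ip_address(ev.src_ip)
        if not any(src in net for net in MSP_SOURCE_NETS):
            reasons.append(f"source {ev.src_ip} outside MSP ranges")
    except ValueError:
        reasons.append(f"unparseable source {ev.src_ip!r}")
    return "; ".join(reasons) or None


def hunt(events: list[Event]) -> list[Finding]:
    """Flag suspicious shared-account logons; escalate when a security service
    stops on the same host within TAMPER_WINDOW of the logon."""
    events = sorted(events, key=lambda e: e.time)
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        reason = logon_is_suspicious(ev)
        if reason is None:
            continue
        severity = "medium"
        for later in events[i + 1:]:
            if later.time - ev.time > TAMPER_WINDOW:
                break
            if later.host == ev.host and later.event_id == 7036 and later.service in SECURITY_SERVICES:
                mins = int((later.time - ev.time).total_seconds() // 60)
                reason += f"; {later.service} stopped {mins} min later"
                severity = "high"
                break
        findings.append(Finding(ev.host, ev.user, reason, severity))
    return findings


# Constructed sample events (not real telemetry).
T0 = datetime(2024, 6, 10, 2, 0)
SAMPLE = [
    Event(T0, 4624, "FS01", "svc_msp_admin", 3, "203.0.113.10"),                 # normal RMM logon
    Event(T0 + timedelta(minutes=5), 4624, "DC01", "svc_msp_admin", 10, "198.51.100.7"),  # RDP, foreign source
    Event(T0 + timedelta(minutes=12), 7036, "DC01", service="WinDefend"),        # Defender stopped on DC01
    Event(T0 + timedelta(minutes=40), 4624, "WS22", "msp-da", 2, "10.0.0.5"),    # console logon, internal IP
    Event(T0 + timedelta(minutes=50), 4624, "WS22", "jdoe", 2, "10.0.0.5"),      # not a shared account
]


def run_sample() -> list[Finding]:
    return hunt(SAMPLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper()}] {f.host} {f.user}: {f.reason}")
```

The first sample logon is the MSP's expected pattern and produces nothing; the DC01 logon is flagged on two grounds and escalated to high once WinDefend stops seven minutes later, which is the "disable security controls" step the profile describes. In production the allow-lists would come from the MSP contract and the identity inventory, and the same correlation can be extended to 4719 (audit policy change) or EDR tamper-protection alerts.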
References (date ⋅ source ⋅ title | tagged actors and families):
2025-03-03 ⋅ Trend Micro ⋅ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal | Black Basta, Cactus, ReedBed
2025-02-22 ⋅ CrowdStrike ⋅ Wandering Spider | Black Basta, GOLD REBELLION
2024-12-04 ⋅ Rapid7 ⋅ Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware | Black Basta, Cobalt Strike, DarkGate, SystemBC, Zloader
2024-10-25 ⋅ Reliaquest ⋅ ReliaQuest Uncovers New Black Basta Social Engineering Technique | Black Basta
2024-08-12 ⋅ Rapid7 ⋅ Ongoing Social Engineering Campaign Refreshes Payloads | Black Basta, Cobalt Strike, GhostSocks, Lumma Stealer, SystemBC
2024-07-29 ⋅ Mandiant ⋅ UNC4393 Goes Gently into the SILENTNIGHT | Black Basta, QakBot, sRDI, SystemBC, Zloader, UNC3973, UNC4393
2024-07-29 ⋅ Microsoft ⋅ Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption | Black Basta, Storm-0506
2024-06-12 ⋅ Symantec ⋅ Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day | Black Basta, UNC4393
2024-05-15 ⋅ Stairwell ⋅ Stairwell threat report: Black Basta overview and detection rules | Black Basta
2024-05-15 ⋅ Microsoft ⋅ Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Black Basta, Cobalt Strike, QakBot, SystemBC, UNC4393
2024-05-10 ⋅ CISA ⋅ AA24-131A: #StopRansomware: Black Basta | Black Basta
2024-05-10 ⋅ Rapid7 Labs ⋅ Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators | Black Basta, Cobalt Strike, NetSupportManager RAT
2024-02-28 ⋅ Security Intelligence ⋅ X-Force data reveals top spam trends, campaigns and senior superlatives in 2023 | 404 Keylogger, Agent Tesla, Black Basta, DarkGate, Formbook, IcedID, Loki Password Stealer (PWS), Pikabot, QakBot, Remcos
2023-11-16 ⋅ YouTube (Swiss Cyber Storm) ⋅ Resilience Rising: Countering the Threat Actors Behind Black Basta Ransomware | Black Basta
2023-06-27 ⋅ SecurityIntelligence ⋅ The Trickbot/Conti Crypters: Where Are They Now? | Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot
2023-04-20 ⋅ Mandiant ⋅ M-Trends 2023 Mandiant Special Report | UNC3973, UNC4393
2023-04-19 ⋅ Bleeping Computer ⋅ March 2023 broke ransomware attack records with 459 incidents | Clop, WhiteRabbit, BianLian, Black Basta, BlackCat, LockBit, MedusaLocker, PLAY, Royal Ransom
2023-04-18 ⋅ Mandiant ⋅ M-Trends 2023 | QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate
2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Cracked Cobalt Strike (1:23-cv-02447) | Black Basta, BlackCat, Cobalt Strike, Cuba, Emotet, LockBit, Mount Locker, PLAY, QakBot, RagnarLocker, Royal Ransom, Zloader
2023-03-20 ⋅ PWC ⋅ Cyber Threats 2022: A Year in Retrospect | Black Basta, Earth Lusca, GOLD REBELLION
2023-03-15 ⋅ Reliaquest ⋅ QBot: Laying the Foundations for Black Basta Ransomware Activity | Black Basta, QakBot
2023-01-25 ⋅ Quadrant Information Security ⋅ Technical Analysis: Black Basta Malware Overview | Black Basta
2023-01-23 ⋅ Kroll ⋅ Black Basta – Technical Analysis | Black Basta, Cobalt Strike, MimiKatz, QakBot, SystemBC
2022-12-01 ⋅ Zscaler ⋅ Back in Black... Basta - Technical Analysis of BlackBasta Ransomware 2.0 | Black Basta
2022-11-23 ⋅ Cybereason ⋅ THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies | Black Basta, QakBot
2022-11-03 ⋅ Sentinel LABS (SentinelOne) ⋅ Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor | Black Basta, QakBot, SocksBot
2022-10-12 ⋅ Trend Micro ⋅ Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike | Black Basta, Brute Ratel C4, Cobalt Strike, QakBot
2022-09-08 ⋅ Sentinel LABS ⋅ Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection | AgendaCrypt, Black Basta, BlackCat, PLAY
2022-09-01 ⋅ Trend Micro ⋅ Ransomware Spotlight: Black Basta | Black Basta, Cobalt Strike, MimiKatz, QakBot
2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Threat Assessment: Black Basta Ransomware | Black Basta, QakBot
2022-08-22 ⋅ Microsoft ⋅ Extortion Economics - Ransomware’s new business model | AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk
2022-08-15 ⋅ SecurityScorecard ⋅ A Deep Dive Into Black Basta Ransomware | Black Basta
2022-07-20 ⋅ Kaspersky ⋅ Luna and Black Basta — new ransomware for Windows, Linux and ESXi | Black Basta, Conti
2022-06-30 ⋅ Trend Micro ⋅ Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit | Black Basta, Cobalt Strike, QakBot
2022-06-28 ⋅ GBHackers on Security ⋅ Black Basta Ransomware Emerging From Underground to Attack Corporate Networks | Black Basta
2022-06-06 ⋅ NCC Group ⋅ Shining the Light on Black Basta | Black Basta
2022-06-01 ⋅ Avertium ⋅ An In-Depth Look At Black Basta Ransomware | Black Basta
2022-05-26 ⋅ IBM ⋅ Black Basta Besting Your Network? | Black Basta
2022-05-20 ⋅ AdvIntel ⋅ DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape | AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive
2022-05-09 ⋅ Trend Micro ⋅ Examining the Black Basta Ransomware’s Infection Routine | Black Basta
2022-04-29 ⋅ The Record ⋅ German wind farm operator confirms cybersecurity incident | Black Basta, BlackCat
2022-04-27 ⋅ BleepingComputer ⋅ New Black Basta ransomware springs into action with a dozen breaches | Black Basta
2022-04-26 ⋅ Bleeping Computer ⋅ American Dental Association hit by new Black Basta ransomware | Black Basta