
Basta

Basta is a ransomware family written in C++ that encrypts local files and can delete volume shadow copies. For each file it generates a random ChaCha20 or XChaCha20 key, encrypts the file with that key, encrypts the key itself, and appends the encrypted key to the end of the file, so every file carries its own wrapped key. Basta has been observed using the .basta extension, although some samples used a random nine-character alphanumeric extension instead.
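The per-file key scheme described above, as an added example that is not Basta's code and not taken from Mandiant's analysis. It implements ChaCha20 (RFC 8439) in pure Python so it runs with the standard library only, checks itself against the RFC test vector, and then encrypts a file under a fresh random key and appends that key, wrapped, to the ciphertext. The trailer layout, the DEMO-KEY-TRAILER marker and the symmetric "operator key" wrap are assumptions made for the demo: the page says only that the per-file key is encrypted and appended, and real ransomware wraps it under an operator-held public key so that parsing the trailer yields nothing recoverable without the matching private key. XChaCha20 is not implemented here.

```python
import os
import struct

# Pure-Python ChaCha20 (RFC 8439) so the example needs no third-party packages.
_MASK = 0xFFFFFFFF
_CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")


def _rotl32(v, n):
    return ((v << n) & _MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block for a 32-byte key, 32-bit counter and 12-byte nonce."""
    state = (list(_CONSTANTS) + list(struct.unpack("<8I", key))
             + [counter & _MASK] + list(struct.unpack("<3I", nonce)))
    work = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(work, 0, 4, 8, 12); _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14); _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15); _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13); _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & _MASK for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the ChaCha20 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def rfc8439_block_selfcheck():
    """First 16 keystream bytes for the RFC 8439 section 2.3.2 vector (key 00..1f, counter 1)."""
    return chacha20_block(bytes(range(32)), 1, bytes.fromhex("000000090000004a00000000"))[:16].hex()


# Hypothetical on-disk layout for this demo (not Basta's real format):
#   ciphertext || file_nonce(12) || wrap_nonce(12) || wrapped_file_key(32) || MAGIC(16)
MAGIC = b"DEMO-KEY-TRAILER"
TRAILER_LEN = 12 + 12 + 32 + len(MAGIC)


def encrypt_file_bytes(plaintext, operator_key):
    """Encrypt one file under a fresh random key and append that key, wrapped, as a trailer."""
    file_key = os.urandom(32)     # unique per file: recovering one key helps with no other file
    file_nonce = os.urandom(12)
    body = chacha20_xor(file_key, file_nonce, plaintext)
    # Stand-in for the asymmetric wrap real ransomware applies: the per-file key is
    # ChaCha20-encrypted under a symmetric operator key so the demo stays stdlib-only.
    wrap_nonce = os.urandom(12)
    wrapped_key = chacha20_xor(operator_key, wrap_nonce, file_key)
    return body + file_nonce + wrap_nonce + wrapped_key + MAGIC


def parse_trailer(blob):
    """Split an encrypted file into ciphertext and trailer fields, as an analyst would."""
    if len(blob) < TRAILER_LEN or not blob.endswith(MAGIC):
        raise ValueError("no key trailer found")
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    return {"body": body, "file_nonce": trailer[:12],
            "wrap_nonce": trailer[12:24], "wrapped_key": trailer[24:56]}


def decrypt_file_bytes(blob, operator_key):
    """Unwrap the per-file key with the operator key, then decrypt the body."""
    t = parse_trailer(blob)
    file_key = chacha20_xor(operator_key, t["wrap_nonce"], t["wrapped_key"])
    return chacha20_xor(file_key, t["file_nonce"], t["body"])


if __name__ == "__main__":
    assert rfc8439_block_selfcheck() == "10f1e7e4d13b5915500fdd1fa32071c4"
    operator_key = os.urandom(32)                     # stands in for the operator's private material
    sample = b"constructed sample document contents\n" * 40
    encrypted = encrypt_file_bytes(sample, operator_key)
    print("size grew by", len(encrypted) - len(sample), "bytes of trailer")
    print("round trip ok:", decrypt_file_bytes(encrypted, operator_key) == sample)
```

The trailer is the practical takeaway: the encrypted file is exactly the original length plus a fixed-size trailer, which is how an analyst recognizes the format, recovers original sizes and confirms that each file carries a distinct wrapped key. With an asymmetric wrap, nothing in the trailer is useful without the operator's private key, so restoration has to come from backups.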

Mandiant identifies UNC4393 as the primary active user of Basta and has tracked that cluster since mid-2022, assessing it was likely active since early 2022. The reporting indicates Basta is operated through a private, tightly controlled affiliate model rather than a publicly marketed ransomware-as-a-service program, with operators relying on partnerships or purchased access rather than open affiliate recruitment. Mandiant tracks UNC3973 separately as another cluster with distinct TTPs associated with Basta activity.

Observed initial access tied to Basta deployments relied heavily on QAKBOT infections, commonly delivered through phishing emails carrying malicious links or attachments, including HTML smuggling chains that dropped ZIP, IMG and LNK files leading to the QAKBOT payload. After the QAKBOT takedown in August 2023, UNC4393 shifted to other access sources, including DARKGATE delivered via phishing and later SILENTNIGHT intrusions, with SILENTNIGHT also delivered through malvertising. UNC4393 operates quickly, with a reported median time from initial access to ransomware deployment of roughly 42 hours, combining living-off-the-land techniques with custom tooling.

Malware and tooling observed alongside Basta operations include SYSTEMBC, KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD and COGSCAN. KNOTROCK is a .NET utility that reads a list of network shares from a local text file, creates a symbolic link on each share, and then executes what is presumed to be a Basta ransomware executable with the path of the newly created link, which is how the encryptor is fanned out across the network. UNC4393 also consistently used Cobalt Strike DNS BEACON to establish and maintain footholds, reusing distinctive naming conventions for the beacon's DNS queries.
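A hunting heuristic for the DNS BEACON foothold described above, as an added example that is not Mandiant's detection logic and does not encode the specific naming convention the reporting refers to, which this page does not reproduce. DNS-channel beacons encode their traffic in the leftmost label of queries to an attacker-controlled apex, so a single client producing many distinct high-entropy labels under one apex at regular intervals is the pattern worth surfacing. The log lines, the client addresses and the update-cdn.example apex are constructed for the demo and are not real indicators; the "last two labels" apex rule and the thresholds are assumptions to tune against your own resolver data.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log, one query per line: "<iso-timestamp> <client> <qname> <qtype>".
# Client 10.0.0.5 queries a fresh hex label under one hypothetical apex every 60 s (beacon-like);
# client 10.0.0.7 is ordinary web browsing noise. None of these are real indicators.
_BEACON_LABELS = [
    "1a2b3c4d5e6f7a8b", "9f8e7d6c5b4a3f2e", "0c1d2e3f4a5b6c7d", "8e9f0a1b2c3d4e5f",
    "6a7b8c9d0e1f2a3b", "4c5d6e7f8a9b0c1d", "2e3f4a5b6c7d8e9f", "0a1b2c3d4e5f6a7b",
    "8c9d0e1f2a3b4c5d", "6e7f8a9b0c1d2e3f",
]
SAMPLE_LOG = [
    f"2024-05-01T10:{i:02d}:00 10.0.0.5 {label}.update-cdn.example A"
    for i, label in enumerate(_BEACON_LABELS)
] + [
    "2024-05-01T10:00:07 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:09 10.0.0.7 mail.example.com A",
    "2024-05-01T10:02:31 10.0.0.7 www.example.com A",
    "2024-05-01T10:03:44 10.0.0.7 www.example.com A",
    "2024-05-01T10:03:45 10.0.0.7 cdn.example.com A",
    "2024-05-01T10:05:10 10.0.0.7 www.example.com A",
    "2024-05-01T10:06:02 10.0.0.7 www.example.com A",
    "2024-05-01T10:06:03 10.0.0.7 www.example.com A",
    "2024-05-01T10:07:50 10.0.0.7 www.example.com A",
    "2024-05-01T10:08:12 10.0.0.7 www.example.com A",
    "2024-05-01T10:09:00 10.0.0.7 www.example.com A",
]


def shannon_entropy(label):
    """Bits of entropy per character; hex/base32 payload labels score high, words score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype


def apex_of(qname):
    # Assumption for the demo: the registrable domain is the last two labels.
    # Production code should use a public-suffix list instead.
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def find_dns_beacon_candidates(lines, min_queries=8, min_entropy=3.0,
                               max_interval_cv=0.2, min_distinct_ratio=0.8):
    """Group queries by (client, apex) and flag groups that look like an encoded DNS channel."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname, _ = parse_line(line)
        groups[(client, apex_of(qname))].append((ts, qname))
    hits = []
    for (client, apex), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_interval = statistics.mean(intervals)
        if mean_interval <= 0:
            continue
        interval_cv = statistics.pstdev(intervals) / mean_interval   # low = regular cadence
        mean_entropy = statistics.mean(shannon_entropy(q.split(".")[0]) for _, q in events)
        distinct_ratio = len({q for _, q in events}) / len(events)   # payload labels rarely repeat
        if (mean_entropy >= min_entropy and interval_cv <= max_interval_cv
                and distinct_ratio >= min_distinct_ratio):
            hits.append({"client": client, "apex": apex, "queries": len(events),
                         "mean_interval_s": round(mean_interval, 1),
                         "interval_cv": round(interval_cv, 3),
                         "mean_label_entropy": round(mean_entropy, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_dns_beacon_candidates(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, only the 10.0.0.5 to update-cdn.example group is flagged; the browsing client fails the entropy and distinct-label tests even though it has the same query volume. Sleep jitter in real beacons raises the interval coefficient of variation, so treat the cadence check as a tunable rather than a hard gate, and pivot on any hit to the resolver's full query history for that apex.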

Later reporting also notes that Basta was one of several prominent ransomware operations significantly weakened or dismantled in 2025 by law enforcement pressure and internal conflict.


Threat actors

Groups observed using it

Two distinct threat actors have been attributed to this family by public researchers.
UNC4393

BASTA is a ransomware written in C++ that encrypts local files. The ransomware is capable of deleting volume shadow copies. BASTA generates a random ChaCha20 or XChaCha20 key to encrypt each file; the key is encrypted and appended to the end of the file.

Source: Mandiant Threat Intelligence (cloud.google.com)
UNC3973
Attributed in the same Mandiant Threat Intelligence reporting (cloud.google.com).
MITRE ATT&CK

Techniques & procedures

Four distinct techniques are documented for this family, organized by ATT&CK tactic.

Lateral Movement (1 technique)

T1021 Remote Services (evidence: 1)

KNOTROCK is a .NET-based utility that creates a symbolic link on network shares specified in a local text file. After creating each symbolic link, KNOTROCK executes what is presumably a BASTA ransomware executable and provides it with the path to the newly created symbolic link.

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)

GTIG observed confirmed or suspected data theft in approximately 77% of ransomware intrusions, a steep jump from 57% the year before. Attackers now frequently steal sensitive files before deploying encryption and threaten to publish the stolen data on leak sites even if victims restore their systems from backup. Note that this evidence is a general statistic across ransomware intrusions rather than a Basta-specific observation of data leaving over a C2 channel, so treat the T1041 mapping as weakly supported until a Basta intrusion report confirms the channel used.

Impact (2 techniques)

T1486 Data Encrypted for Impact (evidence: 2)

BASTA is a ransomware written in C++ that encrypts local files.

T1490 Inhibit System Recovery (evidence: 1)

The ransomware is capable of deleting volume shadow copies.
