Since April, BASHE, a ransomware group that allegedly spun off of LockBit, has been rapidly growing its reputation. They’ve claimed over twenty victims this past October.
They’re also probably lying.
BASHE Ransomware (formerly known as Eraleig, and self-styled APT73, which is their claim, not an official designation) is a ransomware group that was first identified in late April 2024. They’re assumed to be threat actors who jumped ship from LockBit. This connection is suggested by similarities in their TTPs and by artifacts in the code of their onion sites (a partial copy/paste job).
Their site resembles the standard format of most ransomware threat actors, but I have to admit, it’s just the slightest bit more slick and “hacker-looking” than their predecessors’.
The group’s current name is probably a double-reference to a mythological Chinese snake, as well as a fictional cyberattack model developed by the Cyber Risk Management (CyRiM) project. In the proposed scenario, a ransomware attack against a specific cloud provider causes a chain reaction, locking up the activities of 65 million businesses. Quite the aspiration.
While Halcyon seem to get the credit for first pinging this group in April, I wanted to shout out the earliest article I could find on them, which was by Rakesh Krishnan, a threat researcher. It says not to reuse anything in there without explicit permission, so preemptive ups to Rakesh if any of the research I’ll cite from other sources here was actually forked off of or snagged from their article. It looks like it’s been updated a few times, and it still remains one of the best pieces on the group that I’ve seen (plus it has random Disney pictures in it, what’s not to love?).
Lofty Claims…or Just Full of It?
Okay, just clearing up some confusion here as I prepare to publish this one: they’ve added more targets in the time since I finished writing. The target count might be off, and the claim that the Peruvian insurance company was their latest victim isn’t technically true anymore.
As of today (19 November), the group has claimed an impressive 44 victims since 26 April, with 21 of these supposedly in October. If this figure is to be believed, it would make them one of the fastest-growing cyber-criminal threats in recent history.
However, while these numbers are impressive and there is a very real threat posed by the group (more on that down below), they’ve been caught in the act with a number of false claims from the beginning.
Perhaps awkwardly, this article was originally going to be about these guys being one of the newest and most ambitious of the LockBit spinoffs, but I had to shift gears in the face of the evidence.
What Tipped Me Off
Their most recently reported target, a Peruvian insurance firm, apparently had its website go down with a 403 error. BASHE were sure to provide a link.
Or did it go down? While this is a possible effect of a ransomware attack, it’s certainly not common. I wouldn’t think that the group was claiming that they were responsible for this. But it seemed strange.
Internet Archive’s Wayback Machine shows that the page linked by BASHE has been returning this error since at least August. I did find that the company has active, functioning pages, and is still posting to its Facebook and Twitter, with no announcements indicating a ransomware incident.
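The check described above (comparing the current error on the linked page against archived captures to see whether the outage predates the leak-site post) can be automated against the Wayback Machine’s CDX API, whose plain-text output is one space-separated row per capture: urlkey, timestamp, original URL, mimetype, status code, digest, length. The following is an added Python example, not code from the post or from any of the researchers cited; the CDX rows, the placeholder URL and the claim date are constructed sample data.

```python
"""Added example (not from the original post): use Wayback Machine CDX records
to establish how long a page has been returning an error before a leak-site
claim was posted. The real CDX API (web.archive.org/cdx/search/cdx?url=...)
returns rows of: urlkey timestamp original mimetype statuscode digest length.
The rows below are constructed sample data for a placeholder URL."""
from datetime import datetime

# Constructed sample CDX rows in the plain-text (space-separated) output format.
SAMPLE_CDX = """\
com,example)/claims 20240312081500 https://example.com/claims text/html 200 AAAA 5120
com,example)/claims 20240605113000 https://example.com/claims text/html 200 AAAB 5133
com,example)/claims 20240814094500 https://example.com/claims text/html 403 BBBB 312
com,example)/claims 20241002170000 https://example.com/claims - 403 BBBB 312
com,example)/claims 20241118120000 https://example.com/claims text/html 403 BBBB 312
"""


def parse_cdx(text):
    """Parse plain-text CDX rows into capture dicts sorted by time; skip malformed rows."""
    captures = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # blank or truncated row
        _urlkey, ts, original, _mime, status, _digest, _length = parts
        captures.append({
            "timestamp": datetime.strptime(ts, "%Y%m%d%H%M%S"),
            "url": original,
            "status": status,  # kept as str: CDX uses '-' for revisit records
        })
    captures.sort(key=lambda c: c["timestamp"])
    return captures


def outage_window(captures):
    """Find when the current run of error captures began and when the page last looked healthy.

    A capture counts as 'good' when its status is 2xx or 3xx. Revisit rows ('-')
    carry no status of their own and are ignored. A later good capture resets
    the outage start, so only the most recent unbroken run of errors is reported.
    """
    down_since = None
    last_good = None
    for c in captures:
        status = c["status"]
        if status == "-":
            continue
        if status[0] in "23":
            last_good = c["timestamp"]
            down_since = None
        elif down_since is None:
            down_since = c["timestamp"]
    return {"down_since": down_since, "last_good": last_good,
            "currently_down": down_since is not None}


def predates_claim(window, claim_date):
    """True if the archived outage began before the leak-site post (claim_date as 'YYYYMMDD')."""
    claim = datetime.strptime(claim_date, "%Y%m%d")
    return window["currently_down"] and window["down_since"] < claim


if __name__ == "__main__":
    w = outage_window(parse_cdx(SAMPLE_CDX))
    print(f"down since {w['down_since']:%Y-%m-%d}, last good capture {w['last_good']:%Y-%m-%d}")
    # "20241115" is a constructed date for the leak-site post, not a real timestamp.
    print("error predates claim:", predates_claim(w, "20241115"))
```

With real data, fetch the CDX rows for the exact URL the leak site links to and feed the response body to parse_cdx; if the outage began well before the post date, the error page is not evidence of the claimed attack, exactly the reasoning applied above.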
So without sampling the data or contacting the target, I have to speculate and wonder, why would a ransomware threat actor be this careless and give me a broken link?
Well, the simple answer is that these people lie. Padding one’s site with attacks that never happened is becoming increasingly common, which is just the reality of the ransomware space in 2024. That said, BASHE may be one of the most egregious of these that I’ve seen. Comparitech claimed that of 13 tracked BASHE attacks (as of August 21st), only one was real. Shortly before that, when the group was going by APT73, BASHE claimed to have breached Globacap, a capital markets technology firm. However, Globacap confirmed that there had been no breach of their systems.
The Real Threat
It’s important to keep in mind that BASHE has had some successes, and they do pose something of a threat. BASHE has reportedly had some confirmed breaches of organizations across North America, the UK, France, Germany, India, and Australia. The group appears to prioritize high-value sectors (such as B2B services and IT). The group also targets transportation, logistics, healthcare, and construction.
ServicePower Technologies: In May, BASHE targeted ServicePower, a management software provider. The data targeted included user credentials and other PII.
Trifecta Technologies: In April 2024, they attacked Trifecta Technologies, a software development and consulting firm, exfiltrating 3.6 GB of data that included WiFi passwords, Salesforce credentials, security tokens, and other sensitive information.
Tactics:
There isn’t a lot at the moment that makes BASHE stand out from a tactical standpoint. They claim to operate as Ransomware-as-a-Service (RaaS), so it’s likely on whoever hires them to actually craft any campaigns. In this early phase of development, they might be investing in credentials from Initial Access Brokers.
BASHE employs data encryption and exfiltration (like any ransomware actor), threatening to release sensitive information publicly if the ransom is not paid. Perhaps sketchier still (which is saying a lot for a ransomware group), given the false claims, is that anyone can pay for the stolen data before a victim’s timer has ended:
Infrastructure:
The little that’s known about BASHE’s infrastructure at this point does indicate a degree of harmful potential. The group’s infrastructure is hosted by the Romanian provider M247 Europe SRL and sits in ASN AS9009 (an Autonomous System Number identifies a block of networks routed by one operator; the addresses in it are used by thousands of different customers), which has been associated with other illicit activities. BASHE is likely either comprised of experienced threat actors or, at the very least, rubs shoulders with them.
Keep in mind that this doesn’t mean that M247 isn’t a legitimate company, or that normal traffic doesn’t go through AS9009, but there is some reason for concern:
- According to Vectra, it’s a cluster that’s been used to support Meduza Stealer, TrickBot, variants of Mirai, and some other heavy-hitting malware.
- This report by Check Point indicates that entities utilizing AS9009 may have been involved in a credential phishing attack related to Moldovan disinformation campaigns.
- AS9009 has demonstrated an extremely high spam rate, with 19.14% of its IP addresses (totaling 24,784 active addresses) implicated in spam activities. For reference, in 2024, a spam rate over 0.3% is considered problematic.
- Several IP addresses within this AS have been repeatedly reported for illicit activities over extended periods.
- The AS operates networks in numerous countries on several continents. This is unusual for a single entity and can be indicative of a large-scale operation.
- One of the sites hosted on the AS is Encrypthub.net, a known malware host.
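The practical takeaway from the infrastructure section above is that an ASN like AS9009 is a useful enrichment key rather than a block-everything indicator: tagging connections by ASN lets a defender review traffic to a network of concern without cutting off its legitimate customers. The following added Python example (not code from the post, Vectra, Check Point or any other cited source) does that enrichment over constructed firewall log lines. AS9009 is the ASN the post names, but the prefixes in the table are RFC 5737 documentation ranges used as placeholders; in production they would be pulled from a BGP or WHOIS feed, and the log format is an invented key=value layout.

```python
"""Added example (not from the original post): enrich firewall log lines with
the ASN of the remote address and flag traffic involving an AS on a watchlist.
AS9009 is the ASN discussed in the post; the prefixes below are RFC 5737
documentation ranges used as placeholders for its real announcements."""
import ipaddress
import re

# Placeholder prefix table: ASN -> announced prefixes (constructed, not real routing data).
ASN_PREFIXES = {
    9009: ["203.0.113.0/24", "198.51.100.0/25"],   # stand-in for AS9009's announcements
    64496: ["192.0.2.0/24"],                        # private-use ASN, an unrelated network
}
WATCHLIST = {9009}

# Constructed log lines in a simple key=value firewall format; 10.0.0.0/8 is the internal side.
SAMPLE_LOGS = """\
2024-11-19T10:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow
2024-11-19T10:00:02Z src=10.0.0.7 dst=192.0.2.10 dport=443 action=allow
2024-11-19T10:00:03Z src=198.51.100.200 dst=10.0.0.9 dport=22 action=deny
2024-11-19T10:00:04Z src=198.51.100.33 dst=10.0.0.9 dport=445 action=deny
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def build_table(asn_prefixes):
    """Flatten ASN -> prefixes into (network, asn) pairs, most specific prefix first."""
    table = [(ipaddress.ip_network(p), asn)
             for asn, prefixes in asn_prefixes.items() for p in prefixes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_asn(ip, table):
    """Longest-prefix match; None for an invalid address or one no prefix covers."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, asn in table:
        if addr in net:
            return asn
    return None


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_connections(log_text, table, watchlist):
    """Return one hit per log line that touches a watchlisted ASN, noting which side matched."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        for side in ("src", "dst"):
            asn = lookup_asn(rec[side], table)
            if asn in watchlist:
                hits.append({"ts": rec["ts"], "direction": side, "ip": rec[side],
                             "asn": asn, "dport": int(rec["dport"]), "action": rec["action"]})
                break  # one hit per line is enough for alerting
    return hits


def summarize(hits):
    """Count hits per ASN and per destination port for a quick triage view."""
    by_asn, by_dport = {}, {}
    for h in hits:
        by_asn[h["asn"]] = by_asn.get(h["asn"], 0) + 1
        by_dport[h["dport"]] = by_dport.get(h["dport"], 0) + 1
    return {"by_asn": by_asn, "by_dport": by_dport}


if __name__ == "__main__":
    table = build_table(ASN_PREFIXES)
    found = flag_connections(SAMPLE_LOGS, table, WATCHLIST)
    for h in found:
        print(f"{h['ts']} {h['direction']}={h['ip']} AS{h['asn']} dport={h['dport']} {h['action']}")
    print(summarize(found))
```

Note that the third sample line is deliberately an address just outside the /25 placeholder prefix: a lookup that treated prefixes as whole /24s would have flagged it, which is why the match uses the exact announced networks rather than a coarser guess.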
Current Status:
As of November 2024, BASHE poses a significant threat, despite seeming to be mostly bark with little bite. Their TTPs closely resemble those of LockBit, and they likely have a shared lineage. It can’t be overstated that LockBit was able to cause billions of dollars in damage over a few short years. Ransomware actors do not discriminate, and will as soon tie up a hospital or a school district as they would an arms manufacturer.
With the increased scrutiny from international law enforcement on the major ransomware actors like BlackBasta and Hive, it’s my opinion that more of these similarly competent upstarts will be flying under the radar. Yes, ransomware attacks are starting to reduce in frequency, but ransomware groups remain the single biggest non-state threat to most online entities. And they all start out as similarly dishonest and cringe-worthy as BASHE.