UNC3944 is Now a Ransomware Group

The financially motivated group known as UNC3944 has shifted its focus towards deploying ransomware as part of its efforts to expand its revenue streams, according to the latest report by Mandiant, a prominent threat intelligence firm.

More details

Mandiant’s analysis highlights UNC3944’s increased emphasis on stealing significant volumes of sensitive data for extortion. Notably, the group possesses a deeper understanding of Western business practices, possibly due to the diverse geographic composition of its members.

It’s worth noting that UNC3944 has consistently employed publicly available tools and legitimate software, often combined with malware acquired from underground forums.

How did it start?

Initially targeting telecom and business process outsourcing (BPO) firms, UNC3944 has broadened its scope to encompass various sectors, including hospitality, retail, media, entertainment, and financial services. This expansion underscores the growing threat posed by the group.

Modus operandi of UNC3944

  • The group uses stolen credentials to impersonate employees when contacting an organization’s service desk.
  • The aim is to obtain multi-factor authentication (MFA) codes and password resets. Notably, Okta recently warned its customers about these same attacks: the cybercriminals call victims’ IT help desks and convince support personnel to reset MFA codes for high-privilege employees, which grants the attackers access to valuable accounts.
  • UNC3944 has also employed various information stealers (e.g., Atomic, ULTRAKNOT, Meduza) and credential theft tools (e.g., MicroBurst) to gain privileged access, furthering its objectives.
  • The group uses commercial residential proxy services to evade detection while accessing victims through legitimate remote access software.
  • Extensive directory and network reconnaissance is also part of its tactics, used to escalate privileges and maintain persistence.
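The help-desk MFA reset pattern described above is one a defender can look for directly in identity logs. The following is an added example, not code from the article or from Mandiant: it scans a constructed, vendor-neutral event list for help-desk MFA resets of privileged accounts and raises the severity when the reset is followed within a few hours by a login from an IP tagged as a proxy or VPN egress. The event names, the `PRIVILEGED` set and the sample events are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral schema (not a real product's log format):
# (timestamp, event, actor, target_user, source_ip, ip_is_known_proxy_or_vpn_egress)
SAMPLE_EVENTS = [
    ("2023-09-10T09:02:00", "helpdesk.mfa.reset", "helpdesk.agent1", "jdoe", "10.0.5.12", False),
    ("2023-09-10T09:45:00", "user.login", "admin.smith", "admin.smith", "203.0.113.7", True),
    ("2023-09-10T09:40:00", "helpdesk.mfa.reset", "helpdesk.agent2", "admin.smith", "10.0.5.12", False),
    ("2023-09-11T08:00:00", "helpdesk.mfa.reset", "helpdesk.agent1", "svc.backup", "10.0.5.13", False),
    ("2023-09-12T14:00:00", "user.login", "jdoe", "jdoe", "198.51.100.4", False),
]

# Hypothetical set of high-privilege accounts; in practice, derive it from the directory's admin groups.
PRIVILEGED = {"admin.smith", "svc.backup"}
WINDOW = timedelta(hours=6)


def find_suspicious_resets(events, privileged, window=WINDOW):
    """Return alerts for help-desk MFA resets of privileged accounts.

    Severity "review": a privileged account's MFA was reset by the help desk at all.
    Severity "high": that reset was followed, within `window`, by a login for the same
    account from an IP tagged as a proxy/VPN egress.
    """
    parsed = sorted(
        ((datetime.fromisoformat(ts), ev, actor, target, ip, proxy)
         for ts, ev, actor, target, ip, proxy in events),
        key=lambda e: e[0],
    )
    alerts = []
    for ts, ev, actor, target, _ip, _proxy in parsed:
        if ev != "helpdesk.mfa.reset" or target not in privileged:
            continue
        alert = {"user": target, "reset_by": actor, "reset_at": ts.isoformat(),
                 "severity": "review", "login_ip": None}
        # Look for a later proxy-sourced login for the same account inside the window.
        for ts2, ev2, _a2, target2, ip2, proxy2 in parsed:
            if (ev2 == "user.login" and target2 == target and proxy2
                    and ts < ts2 <= ts + window):
                alert.update(severity="high", login_ip=ip2, login_at=ts2.isoformat())
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(SAMPLE_EVENTS, PRIVILEGED):
        print(a)
```

Every "review" alert is worth a callback to the employee through a known-good channel; a "high" alert on a real tenant should trigger session revocation and a re-verification of the reset request.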

What could take you down? UNC3944 exploits the victim organization’s cloud resources for hosting malicious utilities. This includes disabling firewalls and security software, underscoring the group’s evolving methods.

What else can you expect?

Recent developments reveal UNC3944’s affiliation with the BlackCat (aka ALPHV or Noberus) ransomware gang. This association enabled them to breach MGM Resorts and distribute file-encrypting malware.

[Image: BlackCat Ransomware Securin Analysis]

Mandiant emphasizes that the threat actors operate swiftly, accessing critical systems and exfiltrating substantial data within a matter of days. When deploying ransomware, they target business-critical virtual machines and systems, likely to maximize the impact on their victims.

Come back to basics, stay secure!

Investing in proactive threat intelligence, regular security audits, and employee awareness programs is the key to organizational security. Staying one step ahead by adapting strategies and defenses to counter the evolving tactics of threat actors like UNC3944 is a priority.

The idea is to be secure and start from the basics.

Anas Hasan, September 21, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.