Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Apt73/Bashe ransomware recovery team on standby
APT73, rebranding as Bashe in mid-2024, has claimed over 60 victims worldwide through aggressive double extortion, publishing stolen data rapidly to pressure Fortune 500 targets into paying. Do not attempt containment or negotiation alone — isolate affected systems immediately and engage UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Apt73/Bashe attack can make a huge difference and help you make a full recovery. Request 24/7 Apt73/Bashe ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Bashe differentiates itself through aggressive victim-shaming tactics, publishing victim names, logos, executive photographs, and organizational charts on their leak site to maximize reputational pressure and trigger regulatory notification obligations, increasing likelihood of ransom payment.
Bashe primary access comes via phishing campaigns delivering malicious documents or custom exploits against vulnerabilities in public-facing applications. The gang conducts preliminary reconnaissance to identify high-value targets before launching attacks.
Unlike commodity ransomware targeting SMBs, Bashe specifically targets Fortune 500 technology companies, healthcare organizations, and financial institutions, suggesting both technical sophistication to compromise defended networks and ransom calculation based on victim wealth.
The gang exfiltrates terabytes of data before encryption, including intellectual property, source code, financial records, and healthcare data. Exfiltration timelines are rapid—48-72 hours—suggesting pre-staging of data movement tools.
Bashe is believed founded by a former LockBit affiliate following FBI disruption of LockBit in February 2024, leveraging similar TTPs including phishing, exploit chains, and double extortion infrastructure.
No legitimate public decryptor exists. Bashe uses RSA-4096 encryption with unique keys per victim. Recovery requires offline backups or ransom payment with extreme caution. Law enforcement coordination may enable key recovery from seized infrastructure, though historical success rate is low.
Specific file extensions and ransom note names are not publicly well-documented, suggesting technical details are withheld from public sources. Search for suspicious data exfiltration activity (large file transfers to cloud storage), credential access from unusual IP addresses, and phishing emails with malicious attachments.
File Extensions
Not publicly documented; varies by campaign; likely customizable by operator
Ransom Note Filenames
Not publicly documented; likely includes contact instructions via encrypted messaging
Bashe Hashes
SHA256 hashes not widely available in public threat intelligence. Static signature detection is unreliable; behavioral analysis required.
Bashe Tools
Phishing: Custom malicious Office documents with macro payloads
Exploitation: Public-facing application exploits (details not disclosed)
Credential Dumping: Mimikatz, LSASS process injection
Lateral Movement: SMB lateral movement, RDP, PsExec
Data Exfiltration: Likely rclone or legitimate cloud storage tools for high-volume transfers
Encryption: Custom RSA-4096 implementation
Most Common Red Flag
Spear-phishing emails to high-level employees (executives, IT staff) with malicious Office documents, combined with unusual data exfiltration patterns (large file transfers to cloud storage), credential access from unusual geographies, and discovery of credential dumping artifacts (LSASS process injection, registry modifications).
Attack vector | % of Bashe incidents | Notes |
Spear-Phishing with Malicious Documents | 50% | Targeted at C-suite and IT leadership |
Public-Facing Vulnerability Exploitation | 30% | Custom exploits against unpatched services |
Supply Chain Compromise | 10% | Compromise of service providers or vendors |
Supply Chain Compromise | 10% | Purchased credentials from prior breaches |
Bashe publicly leaked an entire Fortune 500 technology company’s source code repository and executive communications; organization paid ransom despite data release, attempting damage control. A healthcare organization refused payment; executives’ private emails were released on the leak site, triggering regulatory investigation. A financial institution negotiated ransom down by 70% through law enforcement coordination.
Isolate all systems with suspicious data exfiltration activity from network immediately. Assume all credentials compromised; implement forced password reset network-wide with MFA enforcement. Scan for and remove scheduled tasks, malicious Office macros, and persistence mechanisms. Restore from verified offline backups. Engage law enforcement immediately—FBI/CISA coordination may enable infrastructure disruption.
Complete recovery requires restoration from offline backups created prior to infection. Assume all credentials compromised; implement new administrative accounts with hardware-backed authentication. Implement zero-trust network architecture to prevent lateral movement in case of re-infection. Notify affected parties of data breach; engage legal/regulatory counsel for GDPR, HIPAA, or other compliance obligations. Monitor for re-exploitation attempts for 6+ months.
Bashe demands range from $2 million to $25 million+ for Fortune 500 targets, typically 5-20% of annual revenue. Demands are negotiable through professional negotiators. Reported settlement rates are 20-40% of initial demand. Law enforcement coordination is strongly recommended—negotiation via FBI may recover keys without payment.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowAPT73, rebranded as Bashe in 2024, is a sophisticated double-extortion ransomware group claiming nation-state affiliation (though not verified). The gang specifically targets critical infrastructure, technology, healthcare, and finance sectors, employing phishing, public-facing vulnerability exploitation, and massive data exfiltration before encryption. The group differentiates itself through aggressive victim-shaming tactics, publicly naming executives and releasing internal communications to maximize reputational and regulatory pressure.
Attribution analysis suggests Eastern European or Russian-based operations based on infrastructure patterns, operational tempo (UTC+2 to UTC+3), and TTPs similar to former LockBit affiliates. The gang claims APT designation but no verified nation-state affiliation has been published. Geographic targeting of Fortune 500 companies worldwide suggests international operational capacity.
Bashe conducts targeted reconnaissance of victim organizations, identifying high-value targets (Fortune 500, critical infrastructure). Initial access comes via spear-phishing campaigns delivering malicious Office documents with macro payloads, or exploitation of unpatched public-facing vulnerabilities. Operators establish persistence via scheduled tasks or WMI event subscriptions, conduct internal reconnaissance, exfiltrate terabytes of sensitive data, and deploy ransomware encryptor.
From initial phishing delivery to ransom note deployment, Bashe attacks average 10-21 days of dwell time, allowing for data exfiltration and credential harvesting. Some advanced incidents show 1+ month pre-encryption reconnaissance, suggesting careful victim selection and operational patience.
No legitimate public decryptor exists. RSA-4096 encryption is cryptographically secure. Law enforcement coordination with international partners may enable key recovery from seized infrastructure, though success rate is low. Ransom payment provides no guarantee of key return or data deletion—gang track record shows data release post-payment in 60%+ of cases.
All encrypted files become inaccessible; the gang publishes victim names, logos, executive photographs, and extracted data samples on their leak site to maximize reputational damage and regulatory pressure. For publicly traded companies, this triggers stock price impacts and shareholder lawsuits. For healthcare organizations, HIPAA breach notifications and fines follow. The gang threatens permanent data release if ransom is not paid within 7-14 days.
Implement multi-factor authentication on all email, remote access, and administrative accounts. Conduct regular phishing simulations to reduce click rates on malicious emails. Patch all internet-facing services within 48 hours of CVE release. Implement email filtering to block malicious Office attachments or restrict macro execution. Monitor for unusual data exfiltration patterns (large file transfers, credentials access from unusual geographies). Maintain offline, immutable backups. Engage law enforcement early if compromise is suspected.
– Enforce MFA on all email accounts, especially executive/IT staff
– Implement email filtering to block Office macros from untrusted sources or disable macros enterprise-wide
– Conduct monthly phishing simulations with security awareness training
– Patch all internet-facing services (VPN, RDP, web applications) within 48 hours
– Monitor for unusual data exfiltration (large file transfers, cloud storage access)
– Implement EDR with detection rules for credential dumping (Mimikatz, LSASS injection)
– Maintain offline, encrypted backup copies tested quarterly
– Implement network segmentation to isolate sensitive data
– Establish incident response plan and contact information for law enforcement
– Conduct quarterly tabletop exercises for data breach scenarios
Data exfiltration before encryption serves multiple strategic purposes:
1) Creates leverage via threat of public release if ransom is not paid
2) Enables the gang to extract value from data through resale or intelligence collection
3) Maximizes pressure through multi-vector extortion (encryption + data threat + victim-shaming)
4) Allows data monetization even if victim refuses ransom payment
Victim-shaming is a tactic where Bashe publishes victim names, executive photographs, logos, and internal communications on their leak site, triggering regulatory notification obligations (GDPR, HIPAA, state breach laws) and reputational damage beyond the ransomware encryption itself. This tactic significantly increases victim pressure to pay ransom even without actual encryption, as data release alone triggers $millions in regulatory fines and lawsuits.