Unmasking Media-Hungry Ransomware Groups: Bashe (APT73)

Emerging in April 2024, Bashe (APT73) is a ransomware group that thrives on deception rather than genuine cyber prowess. Unlike traditional ransomware operators, Bashe fabricates attacks by falsely claiming responsibility for high-profile breaches, aiming to attract affiliates and bolster its credibility. Targeting mid-sized businesses across Financial Services, IT, and Banking sectors, the group's tactics involve repurposing old leaks and curating data from public breaches to mislead victims and the media. This report exposes how Bashe manipulates narratives, the potential damage caused by its fraudulent claims, and why businesses must employ advanced threat intelligence to differentiate real threats from cyber theatrics. Stay ahead of cyber deception—learn how to protect your organization from Bashe’s misleading tactics.

Ayush Juneja
January 29, 2025
Green Alert
Last update posted on January 29, 2025
Executive Summary

APT73/BASHE, a newly emerged ransomware group active since April 2024, mimics established groups like LockBit. Targeting mid-sized organizations with annual revenues of $10M–$500M, their victims span the Financial Services, IT, Banking, and Manufacturing sectors. They focus on exfiltrating sensitive data to create a facade of legitimacy for their claims, prioritizing targets in North America, Europe and Asia. Despite signs of inexperience, their adaptive strategies suggest potential for rapid growth.

The Bashe ransomware group thrives on false claims and fabricated victories, operating as little more than opportunistic fraudsters in the world of cybercrime. Their strategy of taking credit for attacks they did not commit is a desperate attempt to inflate their relevance and attract legitimate ransomware affiliates. Instead of showcasing genuine technical prowess, Bashe relies on deception and smoke screens, and manipulates its samples by masking PII, which makes its claims harder to validate. Beneath the facade, their lack of authenticity makes them a prime example of cybercriminal incompetence and overblown theatrics.

Bashe falsely claims responsibility for attacks to gain a reputation and to invite credible threat actors into its affiliate program. This tactic helps the group project an image of strength and influence, enticing other cybercriminals to collaborate with it.

We believe that affiliates have either already joined them or will likely join in the near future, driven by the media hype these individuals are generating.

Analysis of the Events:

Below are some of the group's recent claimed targets, with the date on which each was posted to its data leak site (DLS):

Target                   Posted on DLS
Malindo Air              20/01/2025
Betclic                  15/01/2025
Federal Bank India       24/12/2024
Line Bank                23/12/2024
Bank Rakyat Indonesia    18/12/2024

Timeline:

1. January 20, 2025: The Bashe ransomware group announced on its data leak site that it had compromised Malindo Air, Bangladesh, listing passenger PII.

Screenshot of the events captured by Xvigil 

Screenshot of the post posted on the ransomware DLS

Upon further analysis and by examining the masked sample listed on the ransomware DLS website, it was determined that this is a repost of the Malindo Air data leak that originally occurred in March 2019.

Screenshot from BreachForums showcasing the original leak date

To confirm that the post made by Bashe is merely a repost of old data, we randomly selected names from the sample provided by Bashe and cross-checked them against known compromises. All of the randomly selected names were found to be part of the same Malindo Air data leak that occurred in 2019.

2. January 15, 2025: Bashe announced another leak on its data leak site, targeting the online gambling organization Betclic and again listing customer PII.

Screenshot of the events captured by Xvigil

Screenshot of the post from the Ransomware DLS

Upon analyzing this post and the samples, it was discovered that the data they presented was curated from a combolist hosted on different hacking forums.

The masking of the samples made it challenging to validate the authenticity of this post. However, by randomly selecting names from the sample and analyzing them across various data sources, we noticed one common factor: all the names were present in the same combolist from one of these platforms. 

This finding leads us to conclude that this post is yet another fake post where the actor has simply curated data from an existing combolist.

3. December 24, 2024: Bashe announced another leak on its data leak site, targeting Federal Bank India and again listing customer PII.

Screenshot of the events captured by Xvigil

Screenshot of the post from the Ransomware DLS

Upon analyzing this post and the samples, it was discovered that the sample they presented is identical to a sample posted on BreachForums in May 2023.

Screenshot of the Breachforum post

4. December 23, 2024: Bashe announced another leak on its data leak site, targeting an Indonesian bank, Line Bank, and again listing customer PII.

Screenshot of the events captured by Xvigil

Screenshot of the post from the Ransomware DLS

Upon analyzing this post and the samples, it was discovered that the data they presented is unrelated to the Indonesian bank: the records contain IFSC codes, which are identifiers assigned to Indian bank branches.

Screenshot of the Breachforum post from which Bashe took the data

Screenshot of the IFSC codes belonging to Indian Bank

5. December 18, 2024: Bashe announced another leak on its data leak site, again targeting an Indonesian bank, Bank Rakyat Indonesia (BRI), and again listing customer PII.

Screenshot of the events captured by Xvigil

Screenshot of the post from the Ransomware DLS

Upon analyzing this post and the samples, it was discovered that the sample they presented is identical to one of the documents that is publicly available on a sharing platform.

Screenshot of the file sharing platform from which Bashe took the data
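The two checks applied across the five events above, matching masked sample records against an index of already-public leaks and spotting field formats that do not fit the claimed victim's geography (IFSC codes in an "Indonesian" bank sample), can be scripted for triage. The following is an added example written for this article, not CloudSEK or Xvigil code. The leak corpus and sample rows are constructed with example domains and fictitious names; only the IFSC layout (a four-letter bank code, a literal 0, then a six-character branch code) is a real format. The threshold value and the verdict strings are this example's own choices.

```python
"""Triage helper for ransomware DLS 'proof' samples (added example, not vendor code).

Two questions from the analysis above:
  1. Does the masked sample map, row after row, onto one already-public leak?
  2. Do the record formats contradict the claimed victim (e.g. Indian IFSC codes
     in a sample attributed to a non-Indian bank)?
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indian Financial System Code: 4-letter bank code, a literal 0, 6-char branch id.
IFSC_RE = re.compile(r"^[A-Z]{4}0[A-Z0-9]{6}$")

# Constructed corpus of already-public leaks (fictitious people, example domains).
# In practice this is the analyst's own index of breach data and combolists.
KNOWN_LEAKS = {
    "airline-leak-2019": {
        "alice.traveller@example.com",
        "bob.flyer@example.net",
        "carol.jetset@example.org",
    },
    "forum-combolist-2024": {
        "dave.user@example.com",
        "erin.user@example.net",
    },
}


def masked_to_regex(masked: str) -> "re.Pattern[str]":
    """Turn a DLS-style masked value ('ali***@example.com') into a regex.

    Every run of '*' becomes '.*'; everything else is matched literally.
    """
    parts = re.split(r"\*+", masked.strip().lower())
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def find_source_leak(masked_email: str) -> Optional[str]:
    """Name of the first indexed leak holding a record the masked value could
    have been derived from, or None. A single hit is weak evidence on its own;
    the signal is a whole sample resolving to the same leak."""
    pattern = masked_to_regex(masked_email)
    for leak_name, addresses in KNOWN_LEAKS.items():
        if any(pattern.match(addr) for addr in addresses):
            return leak_name
    return None


@dataclass
class ClaimAssessment:
    rows_checked: int
    matched_rows: int
    dominant_leak: Optional[str]
    overlap_ratio: float
    ifsc_rows: int
    verdict: str


def assess_claim(sample_rows: Iterable[dict], claimed_country: str,
                 repost_threshold: float = 0.8) -> ClaimAssessment:
    """Triage one DLS post. sample_rows: dicts with a masked 'email' and an
    optional 'bank_code'; claimed_country: ISO 3166 alpha-2 of the alleged victim."""
    rows = list(sample_rows)
    hits: dict = {}
    ifsc_rows = 0
    for row in rows:
        leak = find_source_leak(row.get("email", ""))
        if leak:
            hits[leak] = hits.get(leak, 0) + 1
        code = (row.get("bank_code") or "").strip().upper()
        if code and IFSC_RE.match(code):
            ifsc_rows += 1

    dominant = max(hits, key=hits.get) if hits else None
    matched = hits.get(dominant, 0) if dominant else 0
    ratio = matched / len(rows) if rows else 0.0

    if dominant and ratio >= repost_threshold:
        verdict = f"likely repost of {dominant}"
    elif ifsc_rows and claimed_country.upper() != "IN":
        verdict = "geography mismatch: Indian IFSC codes in a non-Indian victim sample"
    else:
        verdict = "unverified: no overlap with indexed leaks"
    return ClaimAssessment(len(rows), matched, dominant, ratio, ifsc_rows, verdict)


# Constructed samples mimicking two of the post types described above.
REPOST_SAMPLE = [
    {"email": "ali***@example.com"},
    {"email": "b**.flyer@example.net"},
    {"email": "carol.j*****@example.org"},
]
MISMATCH_SAMPLE = [
    {"email": "zed****@example.invalid", "bank_code": "ABCD0123456"},
    {"email": "yan****@example.invalid", "bank_code": "WXYZ0654321"},
]

if __name__ == "__main__":
    for label, rows, country in (("repost", REPOST_SAMPLE, "MY"),
                                 ("mismatch", MISMATCH_SAMPLE, "ID")):
        print(label, "->", assess_claim(rows, country).verdict)
```

Running the block labels the first constructed sample as a likely repost of the 2019 airline leak and the second as a geography mismatch. The per-row mask match is deliberately loose (a short unmasked prefix on a common domain matches many addresses), which is why the verdict rests on the overlap ratio of the whole sample rather than on any single row, mirroring the random-name cross-check described above.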

Impact

  • Erosion of Credibility: Organizations targeted by false claims may face reputational damage as stakeholders and customers lose trust, even if the claims are untrue.
  • Resource Drain: Time and resources are wasted investigating and addressing fraudulent claims rather than focusing on real threats.
  • Increased Panic: Media hype around baseless claims can create unnecessary panic, further amplifying the reach and perceived influence of ransomware groups like Bashe.
  • Opportunity for Threat Actors: The false claims generate visibility for Bashe, potentially attracting affiliates and enabling them to expand their operations.

Recommendations:

  • Implement robust threat intelligence systems to continuously monitor and validate claims made by ransomware groups, identifying reposted or curated data.
  • Educate organizations on verifying the authenticity of leaked data before responding to ransomware demands to avoid unnecessary panic or financial loss.
  • Enhance collaboration with cybersecurity platforms like Xvigil to promptly detect, analyze, and report on fraudulent ransomware claims.
  • Strengthen internal and external communication strategies to prevent media hype from legitimizing baseless claims by threat actors.

Ransomware group profile: Bashe

Alias: eraleign, APT73 (self-proclaimed APT)

Activity Level: Highly active

Primary Motivation: Financial gain, Gaining credibility

Top Targeted Countries:

  1. United Kingdom
  2. Indonesia
  3. United States
  4. Canada
  5. Germany
  6. Switzerland
  7. France
  8. India
  9. Brazil

Targeted Industries:

Bashe demonstrates a broad targeting scope across various industries, including:

  • Financial Services 
  • IT 
  • Banking
  • Manufacturing Sectors
