Apt73 Ransomware
Under attack by ransomware or suffering a cyber breach?
Speed is critical when facing a live cyber attack. If you believe you’ve been compromised, whether by the Apt73 ransomware group or another threat actor, contact us immediately.
About Apt73 ransomware group
Emerging in April 2024 and based in the Czech Republic, Apt73 / Bashe is a sophisticated advanced persistent threat that poses a significant business risk due to its highly developed tactics and connections to prominent threat actors.
Operating as a new ransomware group, Apt73 / Bashe is known for infiltrating networks, exfiltrating sensitive data, and then encrypting critical systems. Victims typically encounter a screen notification like the one shown here, indicating that a specialist threat actor has compromised their systems and is holding both infrastructure and stolen data hostage. A ransom, usually demanded in cryptocurrency such as Bitcoin, is required to obtain the decryption keys and prevent the information from being leaked.
Apt73 / Bashe uses this leverage to pressure victims, often causing significant operational disruption across targeted organisations. Their attacks have impacted a variety of sectors, including financial institutions, where the consequences of downtime and data exposure can be especially severe.
What we can help with:
- Encrypted files & ransomware data recovery
- Incident response and containment
- Secure data restoration and system recovery
- Use of ransomware decryption tools and data recovery software
- Development of incident response plans and disaster recovery solutions
- Post-incident reviews and security hardening
Request a call back
If your organisation has been infected with ransomware, contact us immediately.
How Apt73 operators work
In April 2024, Apt73 / Bashe launched a data leak site and began self-identifying as an Advanced Persistent Threat (APT), a label typically reserved for highly sophisticated and well-resourced threat actors. This self-classification appears intended to project credibility and establish their position as a formidable player within the ecosystem of financially motivated cybercrime.
Their data leak site (DLS) closely mirrors the structure and presentation of LockBit’s, likely as a deliberate strategy to capitalise on LockBit’s established reputation and attract potential affiliates. This imitation suggests an effort to convey operational equivalence with LockBit and foster trust among lower-tier cybercriminals. Apt73 is believed to have been founded by a former LockBit affiliate following the FBI’s disruption of LockBit operations in February 2024.
Apt73 has launched ransomware attacks against organisations across multiple regions, including North America, the UK, France, Germany, India, and Australia. Their targets span a range of high-value sectors such as technology, business services, manufacturing, consumer services, financial services, transportation, logistics, healthcare, and construction. By focusing on industries that manage sensitive or critical data, Apt73 aims to maximise the pressure on victims, increasing the likelihood of ransom payments.
We are equipped to deal with an attack from any ransomware group.
Don’t hesitate to contact us if you are under attack from a ransomware group not listed above.
Recognising an Apt73 attack
The group employs double extortion tactics, both encrypting victims’ files with ransomware payloads and threatening to publish stolen data unless a ransom is paid. To increase pressure, they operate a data leak site where victim information is exposed, leveraging the risk of reputational damage and business disruption. Apt73 typically seeks to gain initial access through phishing campaigns, credential theft, or exploitation of known vulnerabilities, methods common among modern ransomware threats.
Why you must not interfere with your ransomware environment
If you discover a physical break-in at your offices, your first instinct would be to call the police, touch nothing, and let them search for clues. Only then would your focus shift to restoring business operations.
A cyber-attack requires the same approach. Your digital environment is a CRIME SCENE. It is crucial to leave the environment untouched to allow for a forensic investigation.
This is not a task for your IT team or MSP. Digital Forensic specialists are available 24/7 to assist you, just as they would be for a physical crime.
| Description | Sector | Date Discovered | Attack Date | Country |
|---|---|---|---|---|
| DATABASE OF NATIONAL INDONESIAN ARMY \| NAMA NRP PANGKAT KORPS GRADE SATUAN JABATAN TGL LAH... | Public Sector | 25/02/2025 04:14 PM | 25/02/2025 04:13 PM | ID |
| AutoGedal, the destination of confidence for passengers of travel, nature and adventure . With a ... | Not Found | 18/02/2025 05:48 PM | 07/02/2025 12:23 PM | RO |
| Industrial Machinery & Equipment \| internal files, docs, employees' info, clients' info | Energy | 05/02/2025 03:32 PM | 05/02/2025 03:31 PM | FR |
| Mistral Solutions is a certified technology design and systems engineering company (Embedded Syst... | Technology | 04/02/2025 02:56 PM | 04/02/2025 02:56 PM | IN |
| Name / Mobile No / Address / Pin Code / City / Submodel / Model / Assettype / Misstatus / Tenor ... | Consumer Services | 04/02/2025 02:54 PM | 04/02/2025 02:54 PM | IN |
| ID,Name,Email,Group,Phone,ZIP,Country,State/Province,"Customer Since","Web Site","Confirmed email... | Technology | 03/02/2025 11:18 AM | 03/02/2025 11:18 AM | MX |
| Accounting Services · Canada \| clients' data. 5 GB | Financial Services | 03/02/2025 09:59 AM | 17/01/2025 09:59 AM | CA |
| With OmeTV video chat you can strike up a conversation with strangers, meet interesting people, a... | Technology | 30/01/2025 12:55 PM | 30/01/2025 12:55 PM | TR |
| Banking · India | Financial Services | 21/01/2025 04:26 PM | 21/01/2025 04:26 PM | IN |
| Airlines, Airports & Air Services · Bangladesh \| "Passenger Id", "Name", "Reservation", "Date Of... | Transportation/Logistics | 20/01/2025 05:41 PM | 20/01/2025 05:41 PM | MY |
| The Federation of Secular Works of the Creuse brings together each year between 230 and 250 assoc... | Not Found | 17/01/2025 04:19 PM | 17/01/2025 04:19 PM | FR |
| Pick n Pay Group Ltd. is a South African retailer. It operates three brands – Pick n Pay, Boxer... | Business Services | 09/01/2025 04:38 PM | 09/01/2025 04:38 PM | ZA |
| Sharing a little part with you. Indian bank. Full amount - 637895 lines CUSTOMERNAME CUST_ID_N FNAME DOB PAN_NO MNAME LNAME AGE SEX FATHERNAME SPOU... | Financial | 24/12/2024 12:09 PM | 24/12/2024 12:09 PM | IN |
| Our mission - Provide telecommunications solutions with quality and humane service, connecting people and growing businesses. | Business Services | 23/12/2024 05:41 PM | 23/12/2024 05:41 PM | BR |
| Indonesia Digital Banking personal info | Financial | 23/12/2024 05:38 PM | 23/12/2024 05:38 PM | ID |
| Indian bank. 637895 lines CUSTOMERNAME CUST_ID_N FNAME DOB PAN_NO MNAME LNAME AGE SEX FATHERNAME SPOUSENAME DRIVINGLICENSENO PASSPORT... | Financial | 20/12/2024 04:09 AM | 20/12/2024 04:09 AM | IN |
| Bank Rakyat Indonesia (BRI) is one of the largest commercial banks in Indonesia that always prioritizes customer satisfaction. Personal data, clien... | Financial | 18/12/2024 11:57 AM | 18/12/2024 11:57 AM | ID |
| We are a technology company based in Europe and the Caribbean. We are dedicated to data creation through hotspots. We create the different hotspots... | Technology | 16/12/2024 05:15 PM | 16/12/2024 05:15 PM | ES |
| Minerals & Mining. financial docs, internal docs, personal docs. | Not Found | 11/12/2024 04:38 PM | 11/12/2024 04:38 PM | BO |
| Advertising & Marketing / clients' data / id index score source closed_at company: id name uuid contact id name phone uuid created_at ... | Technology | 10/12/2024 04:12 PM | 10/12/2024 04:12 PM | US |
| The Best Purchase Club is a cashback platform that was born as a product of Telepequisa, a potiquis company with almost 30 years of experience in t... | Business Services | 09/12/2024 04:50 PM | 09/12/2024 04:50 PM | BR |
| Pharmaceutical company. personal data - 302 lines | Healthcare | 09/12/2024 03:08 PM | 09/12/2024 03:08 PM | US |
| The BANKILY product is a mobile banking product from Banque Populaire de Mauritanie. Employee names and data, including the admin’s username, cu... | Financial | 09/12/2024 03:05 PM | 09/12/2024 03:05 PM | MR |
| Azape began its journey in 2018 by developing customized projects for various market segments, with its focus on developing solutions for intermedi... | Financial | 05/12/2024 06:16 PM | 05/12/2024 06:16 PM | AZ |
| Polish bank. Financial docs, internal docs. 0,06 GB of data. | Financial | 05/12/2024 11:48 AM | 05/12/2024 11:48 AM | PL |
| Certified Information Security is a registered trade name for Certified Tech Trainers (CTT) (D-U-N-S# 010573009) (CAGE code: 3FKS0), a corporation ... | Technology | 04/12/2024 12:45 PM | 04/12/2024 12:45 PM | US |
| Today, SIAPE processes the remuneration of civil servants, regulated both by the uniform federal legal regime (Law 8,112/90) and by the CLT and oth... | Government | 03/12/2024 06:15 PM | 03/12/2024 06:15 PM | BR |
| Italian stadium. Total machines accesses, main stations, footballers' personal data, UEFA personal contact data, big screens control machines. 1 ... | Hospitality and Tourism | 30/11/2024 11:57 AM | 30/11/2024 11:57 AM | IT |
| Pollen situation informational site. Personal info + Pass. 22140 lines | Healthcare | 27/11/2024 08:41 PM | 27/11/2024 08:41 PM | AT |
| mentoring programs for managers. Internal and personal docs. 0.3 GB | Business Services | 26/11/2024 06:04 PM | 26/11/2024 06:04 PM | BR |
| Romanian software development company. Export CRM | Technology | 25/11/2024 04:35 PM | 25/11/2024 04:35 PM | RO |
| Protecta Security provides insurance, microfinance and financial services. Internal docs, financial docs, personal info, customers' personal info. ... | Business Services | 23/11/2024 04:52 PM | 18/11/2024 04:52 PM | PE |
| RAO d.o.o. is a member of the Best in Parking AG group, Austria. With more than a quarter of a century of dedication and professional work, it is a... | Technology | 23/11/2024 04:49 PM | 20/11/2024 04:49 PM | AT |
| SFR is a French telecommunications company. It is both the second oldest mobile network operator and the second largest telecommunications company ... | Business Services | 23/11/2024 04:46 PM | 12/07/2024 12:00 AM | FR |
| Gureko GURECO Sp. z o.o. is a private company. We began our activity on 10 March 2008 based on an entry in the Register of Economic Activities of t... | Manufacturing | 23/11/2024 04:43 PM | 23/11/2024 04:43 PM | PL |
| GOVERNMENT OF PUNJAB Backup CRM, 0.2 GB | Government | 23/11/2024 04:40 PM | 23/11/2024 04:40 PM | IN |
| Nanolive’s label-free live cell imaging and analysis platforms, consumables and services are built on technology that is 100% non-invasive, thus ... | Healthcare | 13/11/2024 11:40 AM | 13/11/2024 11:40 AM | CH |
| We are the Emefarma Group! A leading pharmaceutical distribution company that grew with the purpose of bringing health and well-being to people's l... | Agriculture and Food Production | 09/11/2024 12:10 PM | 09/11/2024 12:10 PM | BR |
| LIFTKITS4LESS.COM is the largest online seller of suspension lift kit systems. clients' data: ID,Name,Email,Group,Phone,ZIP,Country,State/Province... | Business Services | 08/11/2024 04:18 PM | 08/11/2024 04:18 PM | US |
| Lemon product store. | Agriculture and Food Production | 08/11/2024 04:15 PM | 08/11/2024 04:15 PM | FR |
| Since 1970, Baldinger Fahrzeugbau has stood for continuous innovation and the highest quality. We are still the leading manufacturer of light comme... | Transportation/Logistics | 08/11/2024 04:12 PM | 08/11/2024 04:12 PM | CH |
| Assurified revolutionizes risk management for multifamily real estate. Our AI-powered solutions and deep expertise in Total Cost of Risk (TCOR) opt... | Financial | 08/11/2024 10:08 AM | 08/11/2024 10:08 AM | NL |
| An online store where you will find everything you need and want for you and your family. We have over 10,000 products to complement every stage o... | Business Services | 08/11/2024 10:05 AM | 08/11/2024 10:05 AM | UY |
| Trinite Solutions was established in 2003. Its mission is to develop, market and implement business software solutions for all sizes of enterprise.... | Technology | 29/10/2024 03:49 PM | 29/10/2024 03:49 PM | NL |
| We offer support services for all our developed solutions and tools with an emphasize on direct access to our experts and quick turn around times f... | Technology | 29/10/2024 03:46 PM | 29/10/2024 03:46 PM | DE |
| PT. Sokka Kreatif Teknologi was established in 2017, and is a subsidiary of PT. Persada Inti Utama whose main businesses include telecommunications... | Business Services | 29/10/2024 03:43 PM | 29/10/2024 03:43 PM | ID |
| Management software for culture, businesses, religion and bishoprics. 10 GBs crm systems / export files and backups / personal data | Business Services | 29/10/2024 03:40 PM | 08/10/2024 12:00 AM | FR |
| P/Kaufmann Fabrics is the premier home furnishings textile converter, having supplied our customers with expertly-crafted designs for over sixty fi... | Manufacturing | 24/10/2024 03:32 PM | 24/10/2024 09:00 AM | US |
| For over 50 years, Modplan has been manufacturing and supplying leading-edge products to our installing partners for the fenestration market. Funda... | Manufacturing | 24/10/2024 03:31 PM | 24/10/2024 09:00 AM | GB |
| CDS, a Hewlett Packard Enterprise company CDS is a wholly owned subsidiary of Hewlett Packard Enterprise and although an integral part of delivery... | Technology | 24/10/2024 03:30 PM | 24/10/2024 09:00 AM | US |
| Thompson Creek® Window Company is the Mid-Atlantic region’s premier home improvement replacement products company. We have been customizing and ... | Manufacturing | 24/10/2024 02:03 PM | 23/10/2024 09:00 AM | CA |
| Northern Safety Co., Inc. operates as a personal safety equipment distributor company. The Company offers disposable respirators, earplugs, first a... | Manufacturing | 24/10/2024 02:02 PM | 23/10/2024 09:00 AM | US |
| MGF Sourcing is an independent US-led global sourcing company founded in 1970. We focus on US-based specialty apparel retailers and, with our stron... | Business Services | 24/10/2024 02:01 PM | 23/10/2024 09:00 AM | US |
| Registered user base of the appen.com platform (AI training company). 5 887 922 lines email addresses, employers, IP addresses, names, passwords,... | Technology | 24/10/2024 02:00 PM | 17/10/2024 09:00 AM | AU |
| Indian Movie Streaming Service Data email addresses, passwords, usernames 645 000 lines | Not Found | 24/10/2024 01:57 PM | 17/10/2024 09:00 AM | IN |
| Databases of users of the E-Commerce platform "Drizly" (a platform for the sale of alcoholic beverages). 2 479 145 lines. dates of birth, device in... | Business Services | 24/10/2024 01:54 PM | 17/10/2024 09:00 AM | US |
| Robinhood Broker Clients' Data. 7 732 244 lines of emails | Financial | 24/10/2024 01:51 PM | 17/10/2024 09:00 AM | US |
| The Beauty Click was founded in April 2018 by Chantelle Bass. A website that has a platform for both the beauty and hair specialists themselves a... | Business Services | 24/10/2024 01:48 PM | 21/10/2024 10:00 AM | GB |
| Transense Surface Acoustic Wave or SAW sensor technology is proven to deliver accurate, real-time measurement of torque, temperature, force and pre... | Transportation/Logistics | 24/10/2024 01:45 PM | 21/10/2024 10:00 AM | GB |
| Talon Solutions Ltd was formed by Vince Cluderay in 2002 for the purpose of selling document management and database solutions into the UK construc... | Technology | 24/10/2024 01:42 PM | 21/10/2024 10:00 AM | GB |
| Sandro Forte is a personal growth and development speaker, and one of the most respected and successful entrepreneurs in his profession, motivating... | Financial | 24/10/2024 12:24 PM | 21/10/2024 10:00 AM | GB |
| Language therapist Personal info + documents 2 GB | Not Found | 24/10/2024 12:23 PM | 21/10/2024 10:00 AM | US |
| Nanolive’s label-free live cell imaging and analysis platforms, consumables and services are built on technology that is 100% non-invasive, thus ... | Healthcare | 24/10/2024 12:22 PM | 21/10/2024 10:00 AM | CH |
| Ryland Peters & Small and CICO Books is an independent, illustrated publisher creating beautifully produced books in the areas of interior design, ... | Business Services | 22/08/2024 03:06 PM | 22/08/2024 03:06 PM | GB |
| We’re specialists in the diagnosis and treatment of hearing conditions, but just as important is our understanding that hearing loss can make peo... | Healthcare | 21/08/2024 03:18 PM | 21/08/2024 03:18 PM | GB |
| Globacap is an innovative private markets ecosystem that allows you to compress manual workflow processes, streamlining the execution of transactio... | Financial | 21/08/2024 10:09 AM | 21/08/2024 10:09 AM | GB |
| Gannons Commercial Law Limited Catherine Gannon, then a tax solicitor at a large US law firm, looks out from their ivory tower and spots a gap in ... | Business Services | 14/06/2024 04:27 PM | 14/06/2024 04:27 PM | GB |
| Borrer Executive Search is an AESC accredited boutique search and selection firm based in Lausanne, Switzerland. internal documents, agreements ... | Business Services | 13/06/2024 05:37 PM | 13/06/2024 05:37 PM | CH |
| Our foodservice roots trace all the way back to a butchers shop in Dublin city centre in 1966. Kepak Foodservice specialise in creating innovative,... | Business Services | 13/06/2024 05:36 PM | 13/06/2024 05:36 PM | GB |
| Apex Engineering Service has established itself as a leading supplier of technical services to the construction industry worldwide. Passwords, int... | Business Services | 12/06/2024 06:43 AM | 12/06/2024 06:43 AM | GB |
| Private limited Company 272KB | Financial | 12/06/2024 06:41 AM | 12/06/2024 06:41 AM | HK |
| Your trusted partner for personalized, timely, and reliable medical support services worldwide. https://x.com/AMIGlobalAssist Personal data, pas... | Healthcare | 12/06/2024 06:40 AM | 12/06/2024 06:40 AM | GB |
| Brightway Consultants Ltd is a chartered surveying firm based in London. They offer comprehensive surveying services tailored to clients' individua... | Business Services | 23/05/2024 07:36 PM | 23/05/2024 07:36 PM | GB |
| The Canadian company has been developing high-quality and reliable software for corporate needs since 2015. They are renowned professionals of soft... | Technology | 08/05/2024 09:24 AM | 08/05/2024 09:24 AM | CA |
| Large software development company Service Power. Great Britain. Documents of internal systems, credits to internal resources. 328 MB | Technology | 02/05/2024 03:06 PM | 02/05/2024 03:06 PM | GB |
| Czech company Credio. IT consulting, electronic document management. Credits to internal systems. 11 MB | Financial | 02/05/2024 03:05 PM | 02/05/2024 03:05 PM | CZ |
| German company melting-mind.de. IT systems company operating throughout Europe and offering a wide range of services in all areas of information te... | Technology | 29/04/2024 06:08 AM | 03/05/2024 12:00 AM | DE |
| Information: Trifecta is a trusted advisor for some of the most widely recognized and successful companies in the world. Brands choose Trifecta bas... | Business Services | 22/04/2024 09:57 PM | 05/04/2024 07:37 AM | US |
Post breach actions
- Call an NCSC Cyber Incident Response approved supplier. Some NCSC providers will fund up to 48 hours of investigation into your incident.
- Report the incident to Report Fraud.
- Locate your business continuity plan. Work out what you can do without access to your systems and data.
- Identify your business insurance contact details.
Who are we and what experience do we have in responding to cyber incidents?
We are accredited to ISO 27001 and recognised by the UK’s National Cyber Security Centre (NCSC).
We provide comprehensive cyber risk management services, with a core focus on Digital Forensics and Incident Response (DFIR). Our capabilities are driven by a 24/7 Security Operations Centre and a dedicated in-house intelligence team that delivers timely, actionable threat reporting.
With decades of collective cyber security experience, we have the expertise to assume operational ownership of your entire IT security architecture – simplifying and strengthening cyber security across your business.
We are an Assured Service Provider for Cyber Incident Response (CIR) at the Standard Level. This accreditation demonstrates our ability to deliver high-assurance, effective support in response to a wide range of cyber threats.
Your NCSC-approved supplier is a specialist crime scene investigator who will:
- Isolate and preserve your environment for forensic investigation.
- Identify where the data has been duplicated and issue a legal takedown order.
- Identify your data, application and systems restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
- Liaise with your business insurance company and if needed, with the Police.
- Advise you on notifying your customers of your situation.
- Rebuild your systems, restore your data and get you back to full operation. Note: this process can take between 2 weeks and 2 months.
Working with us
Our response process
Our team are ransomware recovery specialists with a proven, streamlined approach to resolving incidents quickly and effectively.
Step 1: Triage
We deploy our incident response team the same day. From the first call, we begin onboarding, introduce key stakeholders, set communication schedules, and start gathering critical information to guide the response.
Step 2: Investigation
DFIR (Digital Forensic and Incident Response) teams investigate the breach to identify the vulnerabilities exploited, the attack vectors used, and the impact on your systems, including any loss of personal data (PII). We deliver clear forensic insights to guide mitigation.
Step 3: Contain
Our onsite and remote teams act fast to stop the attack in its tracks. That includes isolating affected systems, removing malicious code, and putting protections in place to prevent further spread or damage.
Step 4: Remediate & Eradicate
Once contained, we work to fully eliminate the threat. This includes fixing exploited vulnerabilities, restoring systems to a secure state, and ensuring no traces of the attack remain.
Step 5: Recover
Our incident response teams help get your business back to normal. We restore access to systems, recover data, and ensure services are safe, stable, and functioning, with minimal downtime.
Step 6: Post Incident
We conduct a full review of the incident response and recovery efforts. Together we assess what happened, what worked, and what can be improved, helping you build stronger defences for the future.
Forensic analysis to drive recovery
Our process includes a thorough digital forensic analysis from step two onwards, and its output becomes a central component of business recovery. Understanding the attack is of critical importance for:
- Establishing the initial infection date
- Determining the extent and spread of the infection
- Assessing whether data exfiltration affects your regulatory position
- Ensuring that the attacker, and any tooling or artefacts they leave behind, are eradicated
It is critical that the analysis of digital evidence is carried out to an agreed plan.
Maximising early root cause discovery and legal leverage
The process is purpose-built to uncover the root cause as early as possible, which is essential to inform remediation / eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.
Our Digital Forensic and Incident Response (DFIR) teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates across the whole Cyber Incident Response journey, from triage through to post-incident, using risk registers and working within change management processes to deliver a successful business recovery.
Key takeaways
- You will not be able to access your systems or data.
- It is advised to disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
- Your Office 365 system might also be compromised, allowing the attackers to monitor your responses. Avoid communicating with individuals through your primary email or team systems.
- Threat actors typically infiltrate your system at least 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated. If your system is encrypted, this was not an overnight event.
- Ransom demands in the UK typically range from £500,000 to £3 million, with some sectors, like education, facing demands that exceed £5 million.
- Paying the ransom may violate financial sanctions, which is a criminal offence and could result in a custodial sentence or further financial penalties.
- If your data is sold or published online, it puts your customers and staff at risk, potentially implicating you in a Data Protection breach.
- You will need to submit a data takedown request to the initial location where the data was transferred.
- Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was sent.
- Avoid rebuilding from the latest backup, as it is likely to be infected.
Why should I trust Zensec to do this work rather than my IT team?
A forensic analysis needs to be meticulous and a clean restore and recovery requires a wealth of experience not normally available in an in-house team who must provide a broader range of IT support skills:
- Internal IT teams don’t have the necessary skill set to resolve security encryption issues themselves.
- IT teams may recover to the same position, with indicators of compromise still present and ready to be exploited again, which can lead to another breach.
- Internal teams are pressured to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before the investigation is complete.
We can help
Frequently asked questions
Key information when you’re under pressure.
Yes. Apt73 / Bashe is a ransomware group involved in ransomware operations that encrypt victims’ data and demand a ransom in exchange for the decryption key. The group runs a well-known extortion site where stolen data is sold and leaked, a tactic common among established groups in the cybercrime ecosystem.
The Apt73 / Bashe ransomware typically gains entry into your system through several common methods, including:
- Phishing emails
- Malicious links
- Exploited vulnerabilities
- Remote Desktop Protocol (RDP) attacks
These infection vectors are often used in their broader ransomware campaigns targeting organisations.
To protect your organisation and minimise the risk of future infections, we recommend adopting a comprehensive approach to cybersecurity that includes:
- Employee training to raise awareness about phishing and other social engineering attacks
- Implementing multi-factor authentication to strengthen access controls
- Using strong, unique passwords across all systems
- Removing unused or old user accounts promptly
- Performing regular backups of critical systems and data
- Deploying timely updates and patches to all software and hardware
Additionally, since Apt73 / Bashe’s activities can disrupt your business processes and result in leaked data, it’s essential to update your business continuity and incident response plans to incorporate lessons learnt during the attack and recovery phases.
A ransomware attack presents the most significant threat to your business by:
- Disabling your access to systems, which could hinder machinery operation or impede progress through your business processes.
- Blocking access to critical data concerning suppliers, shipments, customers, orders, or steps in your business workflow.
In the event of a business interruption, identifying your position in the supply chain and sustaining operations can be challenging. If the disruption continues, maintaining business continuity becomes critical. Once systems and data are restored, addressing backlogs and establishing future operational protocols are essential.
Ransomware ranks only behind receivership in terms of its capacity to incapacitate a business.
The NCSC is the UK National Cyber Security Centre. They provide cyber security guidance and support, helping to make the UK the safest place to live and work online. They have defined a Cyber Incident Response procedure and they have approved and accredited suppliers to provide this service.
As a recognised Assured Service Provider by the National Cyber Security Centre (NCSC), Zensec provide comprehensive cyber risk management services that are designed to Protect, Detect & Mitigate cyber security threats across the UK.
Report Fraud is the UK's national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Report Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.
https://www.reportfraud.police.uk/
https://www.actionfraud.police.uk/
Facing genuine pressure, there's a crucial decision to make - one that could rescue your organisation from weeks of operational standstill, reputation damage, and client data loss. Yet, the probability of a favourable outcome remains slim, emphasising the importance of engaging a specialised ransomware incident response team. They are your most viable recourse for navigating a ransomware incident.
The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home
Important Reminder: It is a criminal offence to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing.
Almost certainly, yes. If any of the compromised data qualifies as "personal data" relating to your customers, you have a legal obligation to inform them, particularly if there is a risk of public exposure. The loss or unauthorised access of such data may also require notification to the Information Commissioner's Office (ICO): https://ico.org.uk/.
Organisations targeted by ransomware groups like Apt73 / Bashe are often selected for financial gain, and attacks frequently impact core systems, undermining operational continuity. If your business operates within industrial sectors where sensitive data and supply chain integrity are critical, disclosure becomes even more important to maintain trust and comply with regulatory requirements.
Dealing with a ransomware attack?
Our ransomware recovery service can help
Our expert team works quickly to contain the breach, recover your data, and restore your systems to full operation. We’ll guide you through every step of the recovery process and help strengthen your defences to prevent future attacks. Regain control with Zensec - trusted support when it matters most.