Threat Intelligence Tarot
Vol. II · 98
Criminal (Russian-speaking, Conti splinter group)
risk 4/5
The Black Choir
Black Basta
UNC4393
Healthcare · Manufacturing · Construction · Finance · Technology · Critical infrastructure
Active since April 2022 · Financial extortion, Ransomware-as-a-Service
The Black Choir moves in perfect institutional silence, each member playing a prescribed role in an orchestra of extortion. From Conti's ashes it rose, inheriting both the playbook and the ruthlessness to use it on hospitals.
Tactics & Techniques
  • T1566.001 · Spearphishing Attachment · Initial Access
  • T1486 · Data Encrypted for Impact · Impact
  • T1021.001 · Remote Desktop Protocol · Lateral Movement
  • T1078 · Valid Accounts · Defense Evasion
  • T1490 · Inhibit System Recovery · Impact
  • T1485 · Data Destruction · Impact
  • T1059.003 · Windows Command Shell · Execution
Notable Operations
  • Ascension Health attack (2024, 140 hospitals disrupted nationwide)
  • 500+ organizations breached across 2 years of operation
  • ABB industrial automation breach
  • Cobalt Strike and Qakbot delivery pipeline for enterprise-scale ransomware
Defenses
Reversed: Their Weakness
Law enforcement disruption of Qakbot in 2023 severed a critical initial access vector. Organizations that block macro-enabled documents and enforce MFA on all remote access significantly delay or prevent compromise.


Data sourced from MITRE ATT&CK. For educational purposes.