
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Black Basta Ransomware Group Targeting Healthcare Organizations

All healthcare and public health (HPH) sector organizations have been warned to be on high alert and to implement mitigations against Black Basta ransomware attacks, as the ransomware-as-a-service (RaaS) group has the HPH sector in its crosshairs.

In 2023, Black Basta was the third-most prolific ransomware group behind LockBit and ALPHV/Blackcat, but with the latter now shut down, Black Basta has taken the second spot and its attacks have been increasing, especially on critical infrastructure entities. Black Basta affiliates have conducted data theft and encryption attacks in 12 of the 16 critical infrastructure sectors, and recently the group has accelerated attacks on healthcare organizations. According to multiple CNN sources, Black Basta was behind the recent ransomware attack on Ascension, which disrupted clinical operations at its 140 hospitals.

Black Basta first emerged as a RaaS group in April 2022 and is thought to include members of the now-defunct Conti ransomware group. The RaaS group has been linked to the FIN7 threat actor. The group engages in double extortion tactics, where sensitive data is exfiltrated before files are encrypted, and a ransom payment is required both to prevent the publication of the data on the group’s data leak site and to obtain the keys to decrypt files. It specializes in high-impact attacks that cause significant disruption. The group claims on its data leak site, accessible on Tor, that it has extorted more than $100 million from victims and is known to have conducted over 500 ransomware attacks worldwide.

According to the Health Information Sharing and Analysis Center (Health-ISAC), the group has attacked at least two healthcare organizations in the past month, one in Europe and one in the United States, both of which caused massive operational disruptions. On the same day that Health-ISAC issued its bulletin about the group, a joint cybersecurity advisory was issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC). The joint cybersecurity alert, published as part of CISA’s Stop Ransomware effort, shares details of the latest tactics, techniques, and procedures (TTPs) used by the group and recent indicators of compromise (IoCs) identified by the FBI in its investigations of attacks and from third-party reporting.

Black Basta uses several approaches for initial access to victims’ networks, the most common of which is spear phishing emails sent to employees in targeted organizations. The group is also known to use QakBot malware for initial access, credentials purchased from initial access brokers, and vulnerability exploitation. Several vulnerabilities are known to have been exploited by the group, including ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and, since February 2024, ConnectWise (CVE-2024-1708 and CVE-2024-1709).

A variety of legitimate tools are used for remote access, reconnaissance, lateral movement, privilege escalation, file execution, and data exfiltration, including BITSAdmin, Cobalt Strike, Mimikatz, PSExec, PowerShell, RClone, SoftPerfect, ScreenConnect, Splashtop, and WinSCP. The group searches for sensitive data to exfiltrate, deletes shadow copies to hamper recovery, and terminates antivirus and endpoint detection software. After file encryption, the group demands a ransom, with victims required to make contact with the group to negotiate payment.
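Because the tools listed above are legitimate, a detection has to weigh context rather than alert on a name alone. The following added example (not from the joint advisory or the article) triages process-creation events per host; the events, host names, allowlist, and the shadow-copy command patterns are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Dual-use tools named in the article, keyed by process image basename.
TOOLS = {"bitsadmin.exe": "BITSAdmin", "psexec.exe": "PSExec", "rclone.exe": "RClone",
         "winscp.exe": "WinSCP", "mimikatz.exe": "Mimikatz"}
# Assumed command-line patterns for shadow-copy deletion (the article names no command).
SHADOW = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)
# Hypothetical allowlist of sanctioned (host, tool) pairs, e.g. a backup server.
ALLOWED = {("BKP01", "RClone")}

# Constructed process-creation events: (timestamp, host, image, command line).
EVENTS = [
    ("2024-05-14T02:10:00", "BKP01", r"C:\Tools\rclone.exe", "rclone.exe sync D:/backups vault:nightly"),
    ("2024-05-14T03:01:00", "WS-114", r"C:\Users\Public\PsExec.exe", r"PsExec.exe \\FS02 -s cmd.exe"),
    ("2024-05-14T03:40:00", "WS-114", r"C:\ProgramData\rclone.exe", "rclone.exe copy E:/shares remote:x"),
    ("2024-05-14T04:15:00", "FS02", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-05-14T09:00:00", "HR-07", r"C:\Program Files\WinSCP\WinSCP.exe", "WinSCP.exe"),
    ("2024-05-14T09:05:00", "HR-07", r"C:\Windows\notepad.exe", "notepad.exe report.txt"),
]

def tags(event):
    """Return the set of findings for one event, after applying the allowlist."""
    _, host, image, cmd = event
    found = set()
    tool = TOOLS.get(basename(image).lower())
    if tool and (host, tool) not in ALLOWED:
        found.add(tool)
    if SHADOW.search(cmd):
        found.add("ShadowCopyDelete")
    return found

def triage(events, window=timedelta(hours=1)):
    """Per host: 'critical' if shadow copies are deleted or two distinct
    findings occur within `window`; 'review' for an isolated finding."""
    hits = {}
    for ev in events:
        for tag in tags(ev):
            hits.setdefault(ev[1], []).append((datetime.fromisoformat(ev[0]), tag))
    verdict = {}
    for host, items in hits.items():
        items.sort()
        clustered = any(b[1] != a[1] and b[0] - a[0] <= window
                        for i, a in enumerate(items) for b in items[i + 1:])
        destructive = any(tag == "ShadowCopyDelete" for _, tag in items)
        verdict[host] = "critical" if clustered or destructive else "review"
    return verdict
```

Matching on the image name misses renamed binaries, so pair it with original-file-name or hash metadata where the endpoint telemetry provides it.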

The alert strongly advises healthcare organizations and other critical infrastructure entities to adhere to cybersecurity best practices and mitigate against the most common attack vectors. To protect against phishing and spear phishing, advanced email security solutions should be implemented that are capable of scanning and validating URLs in emails and have anti-malware capabilities, and end-user training should be provided to raise awareness of the threat of phishing and to train the workforce how to recognize, avoid, and report phishing threats.

Phishing-resistant multi-factor authentication should be implemented to protect accounts should credentials be compromised, and modern anti-malware software should be installed on endpoints and should be configured to update signatures automatically. Remote access software should be secured, including with MFA, and all software, firmware, and operating systems should be running the latest versions, with patches applied promptly. Even with all recommended mitigations implemented, defenses may still be breached. It is therefore important to make regular backups of sensitive data – and store them securely – and also make backups of critical systems and device configurations to ensure fast repair and recovery in the event of a successful attack. Healthcare organizations should also sign up for threat intelligence services, including CISA’s KEV catalog, and should prioritize the remediation of vulnerabilities that are known to be actively exploited by threat actors.
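One way to act on the KEV recommendation is to rank scanner findings by catalog membership before CVSS score. This is an added example, not code from CISA or the article: the feed extract uses the field names of the KEV JSON feed and the CVE IDs named above, while the due dates, hosts, scores, and the `CVE-0000-0001` placeholder are constructed.

```python
import json
from datetime import date

# Constructed extract shaped like CISA's KEV JSON feed. CVE IDs are those named
# in the article; the due dates are placeholder values, not the catalog's.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2020-1472",  "dueDate": "2024-01-10", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2021-42278", "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-1709",  "dueDate": "2024-06-30", "knownRansomwareCampaignUse": "Known"}
]}""")

# Constructed scanner findings: (host, CVE, CVSS score). CVE-0000-0001 is a
# placeholder standing in for a finding that is not in the catalog.
FINDINGS = [
    ("web01", "CVE-0000-0001", 9.8),
    ("dc01", "CVE-2020-1472", 10.0),
    ("dc02", "CVE-2021-42278", 7.5),
    ("rmm01", "CVE-2024-1709", 10.0),
]

def prioritize(findings, feed, today):
    """Order findings: KEV-listed first, then ransomware-linked, then past
    the KEV due date, and only then by CVSS score (highest first)."""
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    rows = []
    for host, cve, cvss in findings:
        entry = kev.get(cve)
        ransomware = bool(entry) and entry["knownRansomwareCampaignUse"] == "Known"
        overdue = bool(entry) and date.fromisoformat(entry["dueDate"]) < today
        # False sorts before True, so each "not" puts the urgent case first.
        rows.append(((not entry, not ransomware, not overdue, -cvss), host, cve))
    return [(host, cve) for _, host, cve in sorted(rows)]

def remediation_queue(today=date(2024, 5, 14)):
    """Rank the constructed findings as of an assumed review date."""
    return prioritize(FINDINGS, KEV_FEED, today)
```

With these inputs, the CVSS 7.5 finding on `dc02` is queued ahead of the CVSS 9.8 finding on `web01`, because only the former is on the catalog.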

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
