All healthcare and public health (HPH) sector organizations have received an alert to apply mitigations against Black Basta ransomware attacks, because the ransomware-as-a-service (RaaS) group is attacking the HPH sector.
In 2023, Black Basta was the third most active ransomware gang, after LockBit and ALPHV/BlackCat. It has since moved into second place and is increasing its attacks, particularly on critical infrastructure organizations. Black Basta affiliates are behind data theft and encryption attacks on 12 of the 16 critical infrastructure sectors, and the group has recently expanded its attacks on medical institutions. According to several CNN sources, Black Basta attacked Ascension, disrupting medical operations at 140 of its hospitals.
Black Basta first appeared as a RaaS group in April 2022 and is believed to include members of the Conti ransomware group; it is also associated with the FIN7 threat actor. The group uses double extortion: it exfiltrates sensitive information before encrypting files, then demands a ransom payment both to withhold the data from its data leak site and to provide the decryption keys. The group specializes in high-impact attacks that cause substantial disruption to operations. It states on its Tor data leak site that it has earned more than $100 million in extortion payments from over 500 ransomware attacks worldwide.
According to the Health Information Sharing and Analysis Center (Health-ISAC), the Black Basta group attacked one healthcare provider in Europe and one in the United States last month, and both attacks caused massive operational disruption. Health-ISAC, the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory about the group. The advisory, issued as part of CISA’s Stop Ransomware initiative, gives information on the group’s most recent tactics, techniques, and procedures (TTPs) and up-to-date indicators of compromise (IoCs) discovered by the FBI through its attack investigations and third-party reports.
Black Basta uses several methods to gain initial access to victims’ systems, such as sending spear phishing emails to employees of targeted companies. The group has also been seen using credentials bought from initial access brokers, QakBot malware for initial access, and vulnerability exploitation. Vulnerabilities exploited by the group include NoPac (CVE-2021-42278 and CVE-2021-42287), ZeroLogon (CVE-2020-1472), and ConnectWise (CVE-2024-1708 and CVE-2024-1709).
The group uses the following tools for remote access, reconnaissance, privilege escalation, lateral movement, file execution, and data exfiltration: BITSAdmin, Mimikatz, Cobalt Strike, PsExec, PowerShell, SoftPerfect, Splashtop, ScreenConnect, RClone, and WinSCP. It locates sensitive information to exfiltrate, deletes shadow copies to impede recovery, and disables antivirus and endpoint detection software. After encrypting files, the group negotiates a ransom payment with the victim.
The advisory urges healthcare providers and other critical infrastructure entities to follow HIPAA and cybersecurity best practices and to implement mitigations against the most common attack vectors. To defend against phishing and spear phishing, covered entities must deploy advanced email security solutions that scan and validate URLs in email messages and include anti-malware features. Employee HIPAA training must be provided to raise awareness of phishing threats and to teach employees how to identify, prevent, and report phishing attacks.
Phishing-resistant multi-factor authentication must be enforced so that accounts remain protected when credentials are exposed. Advanced anti-malware software must be deployed on endpoints and configured to update signatures automatically. Remote access software must be secured, including with MFA. All software, firmware, and operating systems must be kept at the latest versions, with patches applied immediately. Even with all recommended mitigations in place, security breaches may still occur, so sensitive information, critical systems, and device settings must be backed up regularly to allow quick recovery and restoration after a successful cyberattack. Healthcare providers must also subscribe to threat intelligence services such as CISA’s KEV catalog, and remediation of vulnerabilities that threat actors are actively exploiting must be prioritized.
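As an added example (not part of the advisory or this article), the script below shows how a healthcare security team could turn the KEV-based prioritization recommended above into a repeatable check: it cross-references the CVEs the advisory attributes to Black Basta against a KEV catalog document and orders them for remediation. The KEV excerpt is constructed for this example (field names follow CISA’s JSON feed, but which CVEs appear, their due dates, and the CVE-0000-0000 entry are placeholders; the live catalog is the source of truth).

```python
import json
from datetime import date

# CVEs the advisory names as exploited by Black Basta affiliates.
ADVISORY_CVES = ["CVE-2021-42278", "CVE-2021-42287", "CVE-2020-1472",
                 "CVE-2024-1708", "CVE-2024-1709"]

# Constructed excerpt in the shape of CISA's KEV JSON feed: field names match
# the real feed, but membership, due dates and CVE-0000-0000 are placeholders.
SAMPLE_KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
  "dueDate": "2021-09-21", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2021-42287", "vendorProject": "Microsoft", "product": "Active Directory",
  "dueDate": "2022-01-15", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
  "dueDate": "2024-02-29", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0000", "vendorProject": "Example", "product": "Unrelated",
  "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Unknown"}
]}"""


def load_kev(raw_json):
    """Index a KEV catalog document by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(unpatched_cves, kev_index, today):
    """Order unpatched CVEs for remediation: KEV entries first, overdue ones
    before those still within their due date, known ransomware use next,
    earliest due date last; CVEs absent from KEV keep the advisory's order."""
    rows = []
    for cve in unpatched_cves:
        entry = kev_index.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "ransomware_use": False,
                         "overdue": False, "due": None})
            continue
        rows.append({"cve": cve, "in_kev": True,
                     "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                     "overdue": date.fromisoformat(entry["dueDate"]) < today,
                     "due": entry["dueDate"]})
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"],
                             not r["ransomware_use"], r["due"] or "9999-12-31"))
    return rows


def report(today_iso, raw_json=SAMPLE_KEV_JSON, cves=ADVISORY_CVES):
    """Convenience wrapper: prioritize the advisory CVEs as of a given date."""
    return prioritize(cves, load_kev(raw_json), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in report(date.today().isoformat()):
        print(row)
```

In practice the `SAMPLE_KEV_JSON` string would be replaced by the downloaded catalog and `ADVISORY_CVES` by the CVEs a vulnerability scanner reports as present in the environment.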