Agencies Alert of Increasing Attacks on Healthcare Providers by Black Basta Ransomware Group

The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Multi-State Information Sharing and Analysis Center, and Department of Health and Human Services published a joint cybersecurity alert about the Black Basta ransomware variant. Threat actors used this ransomware to encrypt files and steal data from roughly 12 critical infrastructure sectors, such as the healthcare and public health sectors.

AHA members got a Cybersecurity Advisory with specifics on the attacks and technical mitigation advice. Hospitals must pass this data on to their IT and cybersecurity staff.

According to John Riggi, AHA’s national advisor for cybersecurity and risk, government agencies and the Health-ISAC provided cyber threat intelligence about this identified Russian-speaking ransomware group that is actively attacking the U.S. and international healthcare sector to disrupt treatment operations. The recommendation is to review this alert and load the identified ransomware signatures immediately into system defenses and threat-hunting applications. It is additionally recommended that cyber risk mitigation practices be implemented right away.

In 2023, the top 3 ransomware groups are LockBit, ALPHV/Blacktcat, and Black Basta. Now, Black Basta is in the top 2 with the shutdown of the Blackcat ransomware group. Black Basta attacks are increasing, specifically on critical infrastructure entities. With the help of affiliates, there had been 12 attacks on 12 critical infrastructure sectors. A recent ransomware attack by Black Basta was on Ascension which upset medical treatments at 140 hospitals.

Black Basta first appeared in April 2022 and was known to have Conti ransomware group members. The RaaS group was connected to the FIN7 threat actor. The group uses double extortion techniques, exfiltrating sensitive data before encrypting files. Afterward, the group demands a ransom payment from the victims to stop the exposure of the stolen data on its data leak website and to give the decryption keys. The group boasts of extorting over $100 million from victims after conducting over 500 ransomware attacks.

As per the Health Information Sharing and Analysis Center (Health-ISAC), in April alone, the group has attacked two healthcare providers that resulted in massive operational disruptions. That is why the joint cybersecurity advisory was issued as part of CISA’s Stop Ransomware effort. Information on the current tactics, techniques, and procedures (TTPs) employed by the Black Basta group and current indicators of compromise (IoCs) discovered by the FBI are included in the advisory.

Black Basta utilizes various methods for preliminary access to victims’ systems like sending spear phishing emails to staff in targeted companies. The group also uses QakBot malware, stolen credentials ordered from initial access brokers, and vulnerability exploitation. The vulnerabilities exploited by the group include NoPac (CVE-2021-42287 and CVE-2021-42278), ConnectWise (CVE-2024-1708 and CVE-2024-1709), and ZeroLogon (CVE-2020-1472).

The group also uses the following tools for remote access, lateral movement, reconnaissance, escalating privileges, data exfiltration, and file execution:

  • BITSAdmin
  • WinSCP
  • Cobalt Strike
  • Mimikatz
  • PowerShell
  • PSExec
  • RClone
  • ScreenConnect
  • SoftPerfect
  • Splashtop

The group exfiltrates sensitive information, removes shadow copies to impede recovery, deletes antivirus and endpoint detection applications, and encrypts files. Then, a ransom note is sent to the victims requiring a payment negotiation.

To be prepared for common attack vectors, the alert advises critical infrastructure entities including healthcare providers the following cybersecurity best practices:

  • Implement advanced email security solutions to scan and validate URLs in emails
  • Get anti-malware tools that are set for automatic updates
  • Provide end-user training to increase awareness of phishing attacks
  • Train the employees how to identify, avoid, and submit phishing reports
  • Use phishing-resistant multi-factor authentication to secure accounts in case of a breach of credentials
  • All software programs and operating systems must be working on the newest versions
  • Apply patches immediately, if any.

Despite the implementation of recommended mitigations, a breach may still occur. Therefore, as HIPAA laws require, sensitive data must be backed up regularly and stored securely. Healthcare organizations need threat intelligence services, such as the KEV catalog of CISA. Make sure to remediate vulnerabilities that threat actors are actively exploiting.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X