Following Ascension hospitals breach, FBI raises Black Basta alert

Black Basta ransomware affiliates have impacted over 500 private industry and critical infrastructure entities worldwide, including healthcare. After Ascension Health Systems was breached, US cyber authorities issued recommended actions and mitigations to counter the threat.

Black Basta is a ransomware variant that’s been used by threat actors to encrypt and steal data from at least 12 out of 16 critical infrastructure sectors. The latest attacks include healthcare and public health.

Black Basta is believed to be responsible for a recent breach at the massive non-profit Catholic healthcare organization Ascension, which operates 140 hospitals and 40 senior care facilities across the US. As of May 11th, some hospitals are temporarily not accepting emergency patients due to downtime procedures, and the process of system restoration “will take time to complete,” according to Ascension's statement.

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” according to the advisory released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and other agencies.

Cyber authorities are urging hospitals and all critical infrastructure organizations to reduce the likelihood of compromise from Black Basta and others by applying the newly released recommendations.

How does Black Basta operate?

The first variant of Black Basta ransomware-as-a-service was identified in April 2022. Since then, more than 500 organizations in a wide range of businesses and critical infrastructure across North America, Europe, and Australia have fallen victim to it.

“Black Basta affiliates use common initial access techniques – such as phishing and exploiting known vulnerabilities – and then employ a double-extortion model, both encrypting systems and exfiltrating data,” the report reads.

The cyber gangsters usually leave victims 10-12 days to pay the ransom before the stolen data is published on the dark web. Ransom notes do not generally include an initial ransom demand or payment instructions but a “unique code” instead, leading to a .onion page.

Affiliates primarily rely on spearphishing to gain initial access. This type of attack targets specific individuals to deliver malware and compromise systems. Researchers have observed cybercriminals delivering Qakbot malware variants by email and macro-based MS Office documents.

More recently, Black Basta affiliates began exploiting a ConnectWise vulnerability, previously described as a “cybersecurity powderkeg,” affecting the ScreenConnect remote desktop and access software. Sometimes, they abuse valid credentials obtained by other means.

In later stages, threat actors scan the network with tools such as netscan.exe, move laterally, escalate privileges, and disable antivirus products using a multitude of malware variants and exploits. Sometimes, they disguise their tools with innocuous file names such as Intel or Dell.

“Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files. A .basta or otherwise random file extension is added to file names, and a ransom note titled readme.txt is left on the compromised system. To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies,” the report reads.
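The later-stage behaviours the advisory describes (vssadmin.exe deleting shadow copies, the .basta extension, the readme.txt ransom note) are observable in endpoint telemetry. The following is an added defender-side example, not code from the advisory or from any vendor: it runs a few simple rules over constructed sample events and escalates a host only when more than one distinct indicator appears there. The key=value event format, host names and paths are all assumed.

```python
# Constructed sample telemetry (not real logs). Assumed format: space-separated
# key=value fields; the last field (cmd or path) may itself contain spaces.
SAMPLE_EVENTS = [
    "ts=2024-05-10T02:14:05Z host=ws-17 type=process image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "ts=2024-05-10T02:15:11Z host=ws-17 type=file path=C:\\Users\\jdoe\\Documents\\q1-report.docx.basta",
    "ts=2024-05-10T02:15:12Z host=ws-17 type=file path=C:\\Users\\jdoe\\Documents\\readme.txt",
    "ts=2024-05-10T09:00:00Z host=srv-bk type=process image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe list shadows",
    "ts=2024-05-10T10:30:41Z host=ws-22 type=file path=C:\\Users\\asmith\\notes.txt",
]

def parse_event(line):
    """Split a key=value line into a dict; tokens without '=' belong to the previous value."""
    fields, key = {}, None
    for token in line.split(" "):
        name, sep, value = token.partition("=")
        if sep and name.isidentifier():
            key, fields[name] = name, value
        elif key is not None:
            fields[key] += " " + token
    return fields

def shadow_copy_deletion(ev):
    """vssadmin.exe deleting shadow copies; 'vssadmin list shadows' is routine and must not fire."""
    if ev.get("type") != "process":
        return False
    image, cmd = ev.get("image", "").lower(), ev.get("cmd", "").lower()
    return image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd

def file_name(ev):
    return ev.get("path", "").lower().rsplit("\\", 1)[-1]

RULES = {
    "shadow_copy_deletion": shadow_copy_deletion,
    # Partial indicator: the advisory notes the extension may instead be random.
    "basta_extension": lambda ev: ev.get("type") == "file" and file_name(ev).endswith(".basta"),
    # Weak on its own (readme.txt is a common benign name), useful in combination.
    "ransom_note_name": lambda ev: ev.get("type") == "file" and file_name(ev) == "readme.txt",
}

def triage(lines):
    """Map each host to the sorted names of the rules its events matched."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(ev.get("host", "?"), set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

def hosts_to_escalate(lines, min_rules=2):
    """Escalate hosts where at least min_rules distinct indicators co-occur."""
    return sorted(h for h, names in triage(lines).items() if len(names) >= min_rules)
```

Shadow-copy deletion alone is a strong signal; the point of the correlation step is to keep a stray readme.txt from paging anyone while still catching a host that shows the whole pattern.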

Black Basta is believed to be a faction of the notorious Russian Conti ransomware gang, and it has raked in over $100 million in bitcoin ransom payments.

What should network defenders do?

Cyber authorities’ guidelines include the following:

  • Install updates for operating systems, software, and firmware as soon as they are released, and prioritize patching known exploited vulnerabilities.
  • Require phishing-resistant multi-factor authentication (MFA) for as many services as possible.
  • Train users to recognize and report phishing attempts and implement other recommendations from joint Phishing Guidance: Stopping the Attack Cycle at Phase One.
  • Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software.
  • Make backups of critical systems and device configurations to enable devices to be repaired and restored.
  • Apply mitigations from the joint #StopRansomware Guide.

Additional recommendations for critical infrastructure defenders include asset management and security techniques, email security and phishing prevention software, access management and other protections, exercises, testing, and validation.