After the Ascension Hospital Cyber Attack, a joint advisory on Friday by FBI, CISA, and HHS warned that the Black Basta ransomware group has been aggressively targeting healthcare organizations and 12 of the 16 critical infrastructure sectors in the United States.
Between April 2022 and May 2024, the agencies reported that Black Basta conducted over 500 cyberattacks globally.
The advisory stated Black Basta commonly gains initial access to networks through phishing emails that exploit employees or unpatched vulnerabilities.
According to the government agencies, once inside an infected system the ransomware operators do not immediately reveal ransom demands or payment instructions. Instead, the gang takes time to further infiltrate company networks before encrypting files and disrupting operations.
The inter-agency warning sought to inform U.S. organizations working in critical sectors like healthcare of the emerging ransomware threat posed by Black Basta. Given the group’s pattern of stealthy intrusions before ransom notes, the advisory stressed the importance of security best practices like employee training, software updates, and network monitoring.
According to the advisory, the Black Basta ransomware-as-a-service gang typically breaches organizations through phishing attacks and known vulnerabilities.
Victims are given a unique code and link to communicate with the ransomware operators. However, the gang does not immediately provide ransom demands or payment information. Many victims are instead given a 10 to 12 day deadline to pay before any stolen data is published online.
This latest warning comes after a CNN report on Thursday that sources said Black Basta was behind the cyberattack on Ascension. Ambulances were also reportedly turned away from some facilities this week.
Several federal agencies including HHS and the FBI are involved in recovery efforts to help minimize disruptions to patient care, according to an HHS spokesperson cited by Recorded Future News.
The agencies notified the public of the Black Basta gang’s tactics in light of the serious impact of the Ascension cyber attack and to help other critical infrastructure sectors strengthen their defenses.
“This incident serves as an important reminder of the urgency of strengthening cybersecurity resiliency in healthcare. HHS encourages all providers, technology vendors, payers, and members of the healthcare ecosystem to double down on cybersecurity,”
Black Basta Ransomware Exploits the ConnectWise ScreenConnect Vulnerability
The advisory noted Black Basta affiliates have begun taking advantage of CVE-2024-1709, a vulnerability in ConnectWise’s ScreenConnect remote desktop and mobile support software. The bug emerged in February and was immediately exploited by several ransomware groups due to ScreenConnect’s broad use among managed service providers (MSPs).
This caused widespread panic as it allowed easy access to the customer networks of MSPs. Friday’s warning also stated Black Basta affiliates use tools such as the SoftPerfect network scanner to probe systems for vulnerable programs.
Other vulnerabilities the group has leveraged include ZeroLogon, NoPac and PrintNightmare, according to the government agencies.
The notification aimed to make organizations aware of the ransomware gang’s pursuit of high-impact vulnerabilities to expand the scope of their intrusions.
Patches for flaws like the ConnectWise issue should be prioritized given Black Basta’s willingness to rapidly turn vulnerabilities into ransomware deployment vectors.
The agencies called out healthcare organizations as attractive targets, citing their size, reliance on technology, access to sensitive patient health information, and the severe consequences of care disruptions from cyber incidents.
Last year, HHS assessed Black Basta. They said:
“may even be a rebrand of the Russian-aligned RaaS group Conti, or otherwise linked to other Russian-speaking cyber threats.”
The industry group Health-ISAC also issued an advisory on Friday about Black Basta. Drawing from their own data, Health-ISAC reported the ransomware operation has already extorted over $100 million since emerging on the threat landscape.
“In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions,”
Health-ISAC said.
“Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector.”
Black Basta Has Become the Fourth Most Active Ransomware Strain in the Past Year
Black Basta has also taken credit for attacks on the Dish Network, the American Dental Association, British outsourcing company Capita, Swiss tech giant ABB and German arms company Rheinmetall.
Since emerging, it has become the fourth-most active strain of ransomware based on the number of victims tracked over the last year, according to one report.
The gang has leaked information from organizations such as the Raleigh Housing Authority in North Carolina; a television advertising sales and technology company jointly owned by the three largest U.S. cable operators; and Chile’s government.
