A hooded hacker at a laptop, encircled by locks, cards, and encrypted messages.

Black Basta Ransomware Threat: CISA Issues Alert After Global Breach Of 500+ Organisations

Black Basta ransomware-as-a-service (RaaS) operation has targeted over 500 businesses and critical infrastructure services in North America, Europe, and Australia between April 2022 and May 2024. The FBI and CISA have issued an explicit alert on this concerning discovery.

Black Basta uses advanced strategies including anti-analysis measures, data exfiltration, and dual extortion via data leaks. To maintain its status as a dynamic and formidable threat to conventional security measures, the developers constantly include new evasion and obfuscation techniques.

According to a collaborative investigation with the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Centre (MS-ISAC), the group not only encrypted but also stole data from at least 12 out of 16 key infrastructure sectors.

Black Basta, identified as a Ransomware-as-a-Service (RaaS) group in April 2022, has quickly grabbed attention. Its associates have successfully breached a number of high-profile organisations, including the German defence contractor Rheinmetall, Hyundai’s European division, the United Kingdom’s technology outsourcing company Capita, the industrial automation giant and government contractor ABB, the Toronto Public Library, the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.

Following a series of offensive data breaches that led to its dissolution in June 2022, the Conti cybercrime syndicate split apart into many groups, one of which is thought to be Black Basta.

Elliptic and Corvus Insurance research shows that as of November 2023, over 90 victims had paid over $100 million to a ransomware group with links to Russia.

Paid ransoms and monthly reports on Black Basta attacks
Paid ransoms and monthly reports on Black Basta attacks (Elliptic)

According to a March 2023 report from the Department of Health and Human Services security team, this group’s rapid targeting of at least 20 victims within its first two weeks of operation indicates an advanced level of ransomware skill and consistent access to initial entry points.

Authorities claim that ransomware-as-a-service groups typically breach sites by using known vulnerabilities and phishing attacks. Still, most of the time they don’t instantly demand ransom or provide payment details.

After becoming victims, ransomware groups provide victims an encrypted code and URL to connect with them. Ransomware attackers typically give victims 10 to 12 days to pay before threatening to publish stolen data.

Black Basta associates started exploiting vulnerabilities such as PrintNightmare, NoPac, and ZeroLogon to elevate privileges. Additionally, they employed the Backstab tool to deactivate endpoint detection and response (EDR) systems and misused Remote Desktop Protocol (RDP) for lateral movement.

Black Basta Ransomware Targets Healthcare: Tactics and Defence Strategies Revealed in Joint Advisory

CISA has issued an additional alert that healthcare companies are significant targets for cybercrime. The factors that make healthcare companies especially attractive include their size, dependence on technology, availability of private health information, and vulnerability to interruptions in patient treatment.

Black Basta attackers executed a ransomware attack against Ascension, a St. Louis-based charity network that includes 140 hospitals in 19 states. According to Ascension’s announcement from Thursday evening, the attack has affected access to electronic health data, some phone systems, and other tools for ordering tests, treatments, and prescriptions.

As a result, Ascension has implemented downtime measures, including backup methods such as paper records, to ensure patient care during system outage.

The incident highlights the ongoing threat presented by ransomware attacks, as cybercriminals are known to employ Black Basta, a tool specifically targeted at healthcare organisations. The targeting of healthcare companies is especially disturbing, highlighting the catastrophic consequences of Black Basta’s careless exploitation of vulnerabilities.

The growing risk of Black Basta and other ransomware attacks demands immediate action from CISA and its cybersecurity partners. Organisations should carefully consider the complete mitigation techniques contained in the joint Cybersecurity Advisory (CSA) and take prompt action to apply them.

The joint advice offers users with the tactics, methods, and procedures (TTPs) and indications of compromise (IOCs) used by Black Basta affiliates as discovered during FBI investigations.

A high priority is placed on updating operating systems, software, and firmware to minimise the risk of ransomware attacks. Furthermore, they ought to provide Multi-Factor Authentication (MFA) that is resistant to phishing attacks on as many services as they can, and train users on how to spot and report phishing emails.

At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, demonstrated by our free Domain Spoofing Test which currently gets past around 50% of users security systems.

Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.

Recent posts