Advisory Issued for Black Basta Ransomware

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS) issued a joint Cybersecurity Advisory for Black Basta ransomware. Black Basta is a Russian-backed ransomware-as-a-service that was first identified in April 2022 and has impacted more than 500 organizations worldwide. In the US, 12 critical infrastructure sectors have experienced encrypted and stolen data as a result of the ransomware.

The most notable Black Basta incident to date is the May 8th attack on Ascension Health Systems, which includes 140 hospitals across nineteen states and Washington D.C. The attack took IT systems offline, causing appointments to be canceled, ambulance diversions, and other disruptions.

How Black Basta Operates

Black Basta affiliates use common attack methods like phishing and exploiting known vulnerabilities to gain access to a network. They then employ a double-extortion model, both encrypting systems and exfiltrating data. Typically, the ransom notes do not include an initial ransom demand or payment instructions. The notes give victims a unique code and tell them to contact the ransomware group via a .onion URL. In most cases, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Technical details for Black Basta can be found on the advisory website.

Victims of Black Basta or any other ransomware are encouraged to report the attack to the FBI or CISA through one of the following avenues, FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).

Ransomware’s Continued Impact on the Healthcare Industry

The Black Basta attack on Ascension is not the first or largest ransomware attack in healthcare in 2024. In February, Change Healthcare fell victim to the ALPHV Blackcat ransomware. The impact of that attack on the industry has been huge. One survey found that 74% percent of hospitals were experiencing interruptions to patient care and 94% of hospitals were impacted financially.

Listen to our podcast to learn more about the impact of the Change Healthcare attack and the lessons we can all learn from the incident.

Mitigation Actions

There are multiple actions organizations can take to minimize the likelihood of being the victim of ransomware or other cyber-attacks. These steps can also help a business respond and recover faster if they are attacked. Recommended mitigation actions include:

• Install updates for operating systems, software, and firmware as soon as they are released
• Require phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize and report phishing attempts
• Secure remote access software
• Make backups of critical systems and device configurations
• Carefully vet and monitor third-party vendors that have access to your data
• Proactively monitor systems and networks to detect unusual activities faster
• Develop and test a response plan

Organizations can also leverage security frameworks like HITRUST or SOC 2 to develop and implement reliable cybersecurity programs. In 2024, HHS published its Cybersecurity Performance Goals (CPGs), another resource to help organizations implement high-impact cybersecurity practices.

Alerts on the CISA Stop Ransomware website will allow you to stay current on new and emerging threats. In 2022, an alert was issued on the ALPHV Blackcat ransomware, nearly two years before it took down Change Healthcare.

CompliancePoint has helped healthcare organizations nationwide evaluate and strengthen their cybersecurity practices. We can also help organizations achieve HIPAA compliance and HITRUST certification. To learn more about our services, contact us today at connect@compliancepoint.com.