Uncle Sam urges action after Black Basta ransomware infects Ascension – Source: go.theregister.com

Multiple US security agencies have published advisories on Black Basta after the ransomware gang claimed responsibility for the recent attack on US healthcare provider Ascension.

Both CISA and Health-ISAC shared bulletins on Black Basta within hours of El Reg sources saying ransomware was involved in the incident and that some facilities had resorted to pen-and-paper operations. CNN later reported Black Basta specifically was behind it all.

The bulletins shared updated tactics, techniques, and procedures (TTPs) of the group, which has targeted organizations across at least 12 of 16 critical infrastructure sectors, including healthcare and public health (HPH), which has been targeted at an accelerated rate recently. The goal here is that IT departments in healthcare and beyond can use the info to defend against the gang.

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the bulletin reads.

“The authoring organizations urge the HPH sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA.”

The headline takeaway from the bulletin is the scale at which Black Basta has operated since spinning up in April 2022. CISA said more than 500 organizations have been targeted by the group since its inception, which came shortly after the fall of the Conti group. Black Basta is believed to be one of the groups that spun off after Conti disbanded.

CISA also said the ransom notes left by Black Basta typically afford negotiators 10-12 days to issue a ransom payment before the victim’s data is posted online. There is currently no mention of Ascension on Black Basta’s blog five days after the attack.

Nothing has been shared by official resources regarding the ransom demands, but historical negotiations between victims and Black Basta, seen by The Register, show ransom demands deep into the six-figure realm.

Upon payment, victims receive a decryptor for their files and a short, step-by-step report on how the affiliate was able to compromise the organization. In most cases, employees open malicious attachments leading to the deployment of ransomware.

CISA’s bulletin concurred, saying spearphishing was the most common way Black Basta affiliates begin their attacks. Qakbot is sometimes used as the loader, while SystemBC, Mimikatz, CobaltStrike, and Rclone are often used further down the line.

More recently, affiliates have also started exploiting known vulnerabilities for initial access too. As of February this year, Black Basta was spotted exploiting the vulnerability in ConnectWise’s ScreenConnect to gain an initial foothold, an endeavor described by experts at the time as “embarrassingly easy.”

Health-ISAC said that older vulnerabilities from 2021, 2022, and 2023 have been exploited to launch Back Basta attacks, but everyone has patched these now, right?

• Windows common log file system driver – CVE-2022-35803 (7.8)

• VMware OpenSLP remote code execution bug – CVE-2021-21974 (8.8)

• Fortra GoAnywhere MFT command injection (also used by LockBit) – CVE-2023-0669 (7.2)

Affiliates have also been known to take advantage of the blossoming initial access broker (IAB) market for stolen, valid credentials to an organization’s network.

• FBI: Critical infrastructure suffers spike in ransomware attacks
• Capita says 2023 cyberattack costs a factor as it reports staggering £100M+ loss
• Southern Water cyberattack expected to hit hundreds of thousands of customers
• Jet engine dealer to major airlines discloses ‘unauthorized activity’

The main recommendations from security agencies to stop Black Basta attacks include patching vulnerabilities with a special focus on CISA’s KEV catalog, deploying phish-resistant MFA, securing remote access software, making backups, and educating staff about phishing emails.

Ascension’s rebuild continues

An Ascension spokesperson issued an update about the incident on Saturday, saying the faith-based organization is making progress but expects the restoration efforts to continue for some time.

“While our restoration work continues in earnest, our focus is on restoring systems as safely as possible,” the spokesperson said. “While we expect this process will take time to complete, we are making progress and systems are being restored in a coordinated manner at each of our care sites. We will continue to share updates on our recovery process.”

The attack has disrupted Ascension’s operations significantly. Its systems responsible for electronic health records are still offline, as are those that are used to order specific tests, procedures, and medications. Some non-emergency elective procedures and appointments have also been paused.

“We understand the frustration this may cause and sincerely regret any inconvenience to our patients,” the spokesperson said.

Ascension’s 140 hospitals remain open but several are currently diverting ambulances and emergency cases due to the downtime procedures relating to key systems. Per El Reg’s previous reporting, Ascension facility staff have resorted to manual pen-and-paper operations as a result.

“Downtime procedures are safe clinical practices born out of necessity,” Ascension said. “They are predefined steps that all healthcare organizations follow during a system or network failure developed in case of a potential threat. 

“We are taking all necessary precautions at this time and our downtime procedures require our highly qualified, dedicated medical, nursing, and clinical teams to utilize manual processes to ensure patients are properly cared for.”

The healthcare provider said it wasn’t able to solidify a recovery timeline, but committed to providing regular progress updates. ®