The Health Sector Cybersecurity Coordination Center (HC3) has issued an Analyst Note warning the health sector about the Black Basta Ransomware Gang, an emerging cyber threat that first appeared in early 2022. The Russian-speaking group is known for its double extortion attacks, where it not only deploys ransomware but also steals sensitive data, threatening to release it publicly if the ransom is not paid.
Within the first two weeks of its operation, Black Basta targeted at least 20 victims, showcasing its ransomware expertise and access capabilities. There are suspicions that Black Basta might be a rebrand of Conti, a Russian-speaking Ransomware-as-a-Service (RaaS) group, or affiliated with other Russian-speaking cybercriminal organizations.
In early 2022, Black Basta emerged as a significant threat to the health and public health sectors, targeting several organizations and acquiring network access credentials specifically for U.S.-based companies. These attacks have impacted websites in multiple healthcare subsectors and resulted in the acquisition of large amounts of personally identifiable information (PII) from healthcare organizations, their employees, and customers. With critical vulnerabilities in public health and healthcare systems left unpatched, the consequences could be potentially life-threatening and impact critical infrastructure.
Despite being first observed in April 2022, evidence suggests that the Ransomware-as-a-Service (RaaS) group had been in development since February 2022. Historically, Black Basta’s main targets were large organizations in the construction and manufacturing industries. However, recent attacks have shown the group’s willingness to expand its targets to other critical infrastructure sectors, including health and public health. While the group mainly targets organizations in the United States, it has also expressed interest in attacking organizations in other English-speaking countries such as Australia, Canada, New Zealand, and the United Kingdom.
The successful and intricate operations of Black Basta share similarities with private groups such as Conti, TA505, and Evil Corp.The group uses a targeted approach, carefully assessing victims before launching an attack. It either excludes affiliates or collaborates with a limited and trusted set of affiliates. Black Basta has managed to breach critical infrastructure in multiple countries by maintaining a low profile. Although Black Basta is identified as a unique RaaS group and ransomware, its tactics, techniques, and procedures (TTPs) have similarities with other Russian-speaking threat actors. This has led to speculation that the group is closely related to or has current and former operators from groups like Conti, FIN7, and/or BlackMatter. The possible connection to these groups could explain the high level of sophistication behind Black Basta’s recent activity. Black Basta’s primary motivation is financial gain, with some ransom demands exceeding millions of dollars. However, the group’s interest in targeting English-speaking countries may suggest a potential political agenda.
To protect against Black Basta’s threats, healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks. The HC3 Analyst Note provides a range of mitigation measures, countermeasures, indicators of compromise, and other courses of action that organizations can take to minimize their exposure to and the potential impact of a ransomware attack. For example, HC3 recommends that organizations implement multi-factor authentication, regularly backup data, maintain up-to-date anti-virus and anti-malware software, and establish incident response plans. Furthermore, organizations should conduct regular training and awareness programs to educate employees on the latest cybersecurity threats and how to identify and respond to potential attacks. Additionally, organizations should conduct regular vulnerability assessments and patch management to address potential weaknesses in their systems. These measures can help healthcare organizations minimize the risk of a ransomware attack and protect sensitive patient data.
