
CISA, HHS warn healthcare of Black Basta ransomware attacks

Black Basta ransomware affiliates have encrypted and stolen data from 12 of the 16 critical infrastructure sectors, including healthcare.

Healthcare organizations should harden their systems to protect against Black Basta ransomware, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and HHS warned in a joint cybersecurity advisory (CSA).  

As previously reported, Black Basta emerged in 2022 and has remained a threat to healthcare and other critical infrastructure sectors since. The ransomware-as-a-service (RaaS) variant has been used against 12 of the 16 designated critical infrastructure sectors across North America, Europe and Australia, enabling threat actors to both encrypt and steal data.

Black Basta threat actors use tried-and-true techniques such as spear phishing and exploitation of known vulnerabilities to gain initial access. These actors have been observed exploiting an authentication bypass vulnerability in ConnectWise ScreenConnect (CVE-2024-1709). Once inside, the affiliates use credential-scraping tools such as Mimikatz to further their attacks.

Following access, they typically operate a double-extortion model, stealing data and then encrypting systems. The CSA warned that Black Basta affiliates have used PowerShell to disable antivirus products and have deployed a tool known as Backstab to disable endpoint detection and response (EDR) technology.
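The antivirus and EDR tampering described above is one of the few behaviours in the advisory that a defender can hunt for directly in endpoint telemetry. The following is an added example, not code from the advisory, the article, or any of the agencies cited: it scans a handful of constructed log records (a simplified, single-line rendering of PowerShell script block logging, event 4104, and process creation, event 4688; not real telemetry) for commands that switch off Microsoft Defender features, add Defender exclusions, stop defensive services, or launch a binary named backstab. The command lines, hostnames, users and the Backstab invocation are all constructed for illustration, and the `-EncodedCommand` decoding is included because attackers commonly hide such commands behind base64 of UTF-16LE.

```python
"""Hunt simplified Windows PowerShell/process-creation log lines for
antivirus and EDR tampering. Added example; not part of the CSA."""
import base64
import re
from dataclasses import dataclass


def encode_ps(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects:
    base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry). Field layout is a
# simplified rendering of event 4104 (script=) and event 4688 (cmd=).
SAMPLE_LOGS = [
    '2024-05-10T12:01:03Z host=WS01 event=4104 user=CORP\\jdoe script="Get-ChildItem C:\\Users"',
    '2024-05-10T12:02:11Z host=WS01 event=4104 user=CORP\\jdoe '
    'script="Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2024-05-10T12:03:45Z host=WS02 event=4688 user=CORP\\svc_backup '
    'cmd="powershell.exe -nop -w hidden -enc '
    + encode_ps("Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp; "
                "Set-MpPreference -DisableIOAVProtection $true") + '"',
    # Hypothetical Backstab launch; the flags are illustrative, not the tool's documented syntax.
    '2024-05-10T12:05:02Z host=WS02 event=4688 user=CORP\\svc_backup '
    'cmd="C:\\ProgramData\\tmp\\backstab.exe -n MsMpEng.exe -k"',
    # Benign: an admin only reads the current Defender settings.
    '2024-05-10T12:06:30Z host=WS03 event=4104 user=CORP\\asmith '
    'script="Get-MpPreference | Select DisableRealtimeMonitoring"',
]

# Heuristic rules. Each is a (name, compiled regex) pair run against the
# fully decoded command text. Tune to your environment; Backstab can be
# renamed, so the binary-name rule is the weakest of the four.
TAMPER_PATTERNS = [
    ("defender-disable", re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+\s+\$?true", re.I)),
    ("defender-exclusion", re.compile(r"Add-MpPreference\b[^\n]*-Exclusion\w+", re.I)),
    ("service-stop", re.compile(
        r"(Stop-Service|sc(\.exe)?\s+stop|net(\.exe)?\s+stop)\s+\"?(WinDefend|Sense)\b", re.I)),
    ("backstab-binary", re.compile(r"\bbackstab(\.exe)?\b", re.I)),
]

# key=value or key="quoted value" pairs in a record
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    host: str
    user: str
    event: str
    rule: str
    command: str


def parse_record(line: str) -> dict:
    """Split one log line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def expand_command(text: str) -> str:
    """Return the command with any -EncodedCommand payload decoded in place.
    Malformed base64 or non-UTF-16 content leaves the text unchanged."""
    m = ENC_RE.search(text)
    if not m:
        return text
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text
    return text[: m.start()] + "<decoded> " + decoded


def hunt(lines) -> list:
    """Run every tamper rule over every record; one Finding per rule hit."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        cmd = expand_command(rec.get("script") or rec.get("cmd") or "")
        for rule, pattern in TAMPER_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(rec.get("host", "?"), rec.get("user", "?"),
                                        rec.get("event", "?"), rule, cmd))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.host} {f.user} event={f.event} [{f.rule}] {f.command}")
```

On the constructed sample the scanner reports the direct `Set-MpPreference` call, both rules on the base64-hidden command (it is only visible after decoding), and the Backstab launch, while the read-only `Get-MpPreference` query produces no finding. In production the same logic belongs in a SIEM or EDR query rather than a script, and the decoded command should also be kept for the analyst, since the original record shows only the base64 blob.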

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the CSA stated.

The authoring entities urged healthcare organizations to look at the indicators of compromise and apply the mitigations mentioned in the CSA to reduce the likelihood of a Black Basta attack.

The recommended mitigations include requiring phishing-resistant multi-factor authentication, training users to report phishing attempts, securing remote access software, and promptly installing operating system and software updates.

“Recent actionable cyber threat intelligence provided by our partners at federal agencies and the Health-ISAC indicate that this known Russian-speaking ransomware gang is actively targeting the U.S. and global health care sector with high-impact ransomware attacks designed to disrupt operations,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA).

“It is recommended that this alert be reviewed with high urgency and the identified ransomware signatures be immediately loaded into network defenses and threat hunting tools. It is also recommended that the identified cyber risk mitigation practices be implemented as soon as feasible.”
