After Ascension ransomware attack, feds issue alert on Black Basta group

Several U.S. government agencies warned that the Black Basta ransomware gang is targeting the healthcare industry and 12 of the 16 critical infrastructure sectors. 

In a Friday afternoon advisory, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) said Black Basta has attacked at least 500 organizations globally between April 2022 and May 2024.

According to the agencies, the ransomware-as-a-service gang typically breaches organizations through phishing attacks and known vulnerabilities but does not provide ransom demands or payment information immediately.

Victims are given a unique code and link to communicate with the ransomware gang. Many victims are given between 10 and 12 days to pay a ransom before stolen data is published. 

The advisory comes after CNN reported on Thursday night that four sources said the Black Basta ransomware was behind the attack on nonprofit healthcare system Ascension. 

The Catholic organization runs hundreds of hospitals across the U.S. and has been forced to turn away ambulances, revert to paper records and cancel non-emergency appointments this week due to the technology outages caused by the incident.  

Several federal agencies, including HHS and the FBI are involved in the recovery effort. An HHS spokesperson told Recorded Future News that the department is in communication with Ascension Leadership “to understand their efforts to minimize any disruptions to patient care.”

“This incident serves as an important reminder of the urgency of strengthening cybersecurity resiliency in healthcare. HHS encourages all providers, technology vendors, payers, and members of the healthcare ecosystem to double down on cybersecurity,” they said. 

ConnectWise bug 

The departments said that in February, Black Basta affiliates began exploiting CVE-2024-1709, a vulnerability affecting ConnectWise’s ScreenConnect which allows for secure remote desktop access and mobile device support.

The bug was immediately used by several ransomware gangs when it emerged and caused panic because of its widespread usage among managed service providers (MSPs).

Friday’s advisory warned that affiliates also use tools like the SoftPerfect network scanner to search networks for vulnerable tools. Other vulnerabilities exploited by the group include ZeroLogon, NoPac and PrintNightmare, according to the agencies. 

The agencies specifically warned that healthcare organizations “are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.”

HHS said last year that the group “may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups.”

Industry group Health-ISAC released its own advisory on Friday about Black Basta and said data shows it has extorted at least $100 million dollars since its emergence.

“In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions,” Health-ISAC said. “Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector.”

Black Basta has taken credit for brazen attacks on the Dish Network, the American Dental Association, British outsourcing company Capita, Swiss tech giant ABB and German arms company Rheinmetall.

Since emerging, it has become the fourth-most active strain of ransomware based on the number of victims tracked over the last year, according to one report.

The gang has leaked information from organizations such as the Raleigh Housing Authority in North Carolina; a television advertising sales and technology company jointly owned by the three largest U.S. cable operators; and Chile's government.