
Black Basta ransomware group puts critical infrastructure at risk, groups warn


Federal agencies, healthcare associations and security researchers warn that a ransomware group tracked under the name Black Basta is ravaging critical infrastructure sectors in attacks that have targeted more than 500 organizations over the last two years.

According to CNN, one of the Russian-speaking group’s latest casualties is Ascension, a St. Louis-based health system that includes 140 hospitals in 19 states. A network intrusion that hit the nonprofit organization last week knocked out many of its automated patient care management processes, including its electronic health records system and its systems for ordering tests, procedures and medications. As a result, Ascension diverted ambulances from some of its hospitals and fell back on manual processes.

“Serious operational disruptions”

In an advisory released Friday, the FBI and the Cybersecurity and Infrastructure Security Agency said Black Basta victimized 12 of the nation’s 16 critical infrastructure sectors in attacks it launched against 500 organizations around the world. The healthcare nonprofit Health-ISAC issued its own advisory the same day warning that the organizations it represents are particularly sought-after targets by the group.

“The notorious ransomware group, Black Basta, has recently accelerated its attacks against the healthcare industry,” the advisory said. It continues: “Over the past month, at least two healthcare organizations, in Europe and the United States, have fallen victim to Black Basta ransomware and suffered severe operational disruptions.”

Black Basta has been operating since 2022 under the so-called ransomware-as-a-service model. Under this model, a central group builds the infrastructure and malware needed to spread across a network once an initial intrusion is made, and then to encrypt critical data while simultaneously exfiltrating it. Affiliates carry out the actual hacking, which typically involves phishing, other social engineering, or exploitation of security vulnerabilities in software used by the target. The core group and the affiliates share the resulting revenue.

Recently, researchers from security company Rapid7 observed Black Basta using a technique they had never seen before. The end goal was to trick employees of targeted organizations into installing malware on their systems. On Monday, Rapid7 analysts Tyler McGraw, Thomas Elkins and Evan McCann reported:

Since the end of April 2024, Rapid7 has identified several cases of new social engineering campaigns. Attacks begin when a group of users in the target environment receives a large volume of spam emails. In all cases observed, the spam was significant enough to overwhelm existing email protection solutions and arrive in the user’s inbox. Rapid7 determined that many of the emails themselves were not malicious, but rather consisted of newsletter subscription confirmation emails from many legitimate organizations around the world.

Example of spam (image: Rapid7)

With emails sent and affected users struggling to cope with the volume of spam, the threat actor then began calling affected users pretending to be a member of their organization’s IT team, reaching out to offer assistance with their email issues. For each user they called, the threat actor attempted to socially engineer them into providing remote access to their computer using legitimate remote monitoring and management solutions. In all cases observed, Rapid7 determined that initial access was facilitated by either downloading and running the commonly used RMM solution AnyDesk, or the built-in Windows remote assistance utility Quick Assist.

In the event that the threat actor’s social engineering attempts failed to convince a user to provide remote access, Rapid7 observed that they would immediately move on to another user who had been targeted by their mass spam emails.
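The two observations Rapid7 reports above, a burst of legitimate-looking newsletter confirmations to one mailbox followed shortly by a remote-access tool being launched on that user’s machine, can be turned into a simple correlation rule. The following is an added example written for this page; it is not code from Rapid7 or from the article. The mail and process logs are constructed sample data, the thresholds (20 messages from 10 or more distinct sender domains within 10 minutes, remote tool launched within 2 hours of the burst) are arbitrary tuning assumptions, and the executable names in `REMOTE_ACCESS_TOOLS` are assumed to be what an EDR would record for AnyDesk and Quick Assist.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed inbound-mail log (not real data): (timestamp, recipient, sender domain, subject).
# "alice" receives 25 subscription confirmations from 25 different domains within ~50 seconds,
# which is the email-bombing pattern described in the report; "bob" gets ordinary mail.
MAIL_LOG = [
    (f"2024-05-06T09:00:{i * 2:02d}", "alice", f"newsletter{i}.example", "Please confirm your subscription")
    for i in range(25)
] + [
    ("2024-05-06T09:05:00", "bob", "vendor.example", "Invoice 1234"),
    ("2024-05-06T10:12:00", "bob", "hr.example", "Benefits enrollment reminder"),
]

# Constructed process-creation log (not real data): (timestamp, user, image path).
PROCESS_LOG = [
    ("2024-05-06T09:25:00", "alice", "C:\\Windows\\System32\\QuickAssist.exe"),
    ("2024-05-06T14:00:00", "bob", "C:\\Users\\bob\\Downloads\\AnyDesk.exe"),
]

# Assumed executable names for the two remote-access tools named in the report.
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "anydesk.exe"}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_email_bursts(mail_log, window=timedelta(minutes=10), threshold=20, min_domains=10):
    """Return {recipient: burst_start} for every mailbox that receives at least
    `threshold` messages from at least `min_domains` distinct sender domains
    inside any sliding `window`. Sender diversity is what separates an
    email bomb built from real newsletter sign-ups from one noisy sender."""
    by_user = {}
    for ts, user, domain, _subject in sorted(mail_log):
        by_user.setdefault(user, []).append((parse_ts(ts), domain))

    bursts = {}
    for user, msgs in by_user.items():
        win = deque()
        for ts, domain in msgs:
            win.append((ts, domain))
            while ts - win[0][0] > window:      # slide the window forward
                win.popleft()
            if len(win) >= threshold and len({d for _, d in win}) >= min_domains:
                bursts[user] = win[0][0]         # record when the burst began
                break
    return bursts


def correlate_remote_access(bursts, process_log, within=timedelta(hours=2)):
    """Alert when a user who was email-bombed launches a remote-access tool
    within `within` of the burst start. Returns (user, tool, timestamp) tuples."""
    alerts = []
    for ts, user, image in process_log:
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name not in REMOTE_ACCESS_TOOLS:
            continue
        start = bursts.get(user)
        if start is not None and timedelta(0) <= parse_ts(ts) - start <= within:
            alerts.append((user, name, ts))
    return alerts


if __name__ == "__main__":
    bursts = detect_email_bursts(MAIL_LOG)
    for user, start in bursts.items():
        print(f"email burst: {user} starting {start.isoformat()}")
    for user, tool, ts in correlate_remote_access(bursts, PROCESS_LOG):
        print(f"ALERT: {user} launched {tool} at {ts} shortly after being email-bombed")
```

Run stand-alone, the script flags alice’s burst and her Quick Assist launch 25 minutes later, while bob’s AnyDesk run in the afternoon is not alerted because no burst preceded it. In a real deployment the mail counts would come from the gateway’s accept logs rather than the mailbox (the report notes the volume overwhelmed email protection, so the gateway still saw every message), and the process events from an EDR; the burst itself is a useful standalone signal for help-desk awareness even before any tool launch is seen.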

News Source : arstechnica.com
