CRITICAL INFRASTRUCTURE THREAT

Black Basta ransomware group is imperiling critical infrastructure, groups warn

Threat group has targeted 500 organizations. One is currently struggling to cope.

Dan Goodin
Credit: Getty Images

Federal agencies, health care associations, and security researchers are warning that a ransomware group tracked under the name Black Basta is ravaging critical infrastructure sectors in attacks that have targeted more than 500 organizations in the past two years.

One of the latest casualties of the native Russian-speaking group, according to CNN, is Ascension, a St. Louis-based health care system that includes 140 hospitals in 19 states. A network intrusion that struck the nonprofit last week took down many of its automated processes for handling patient care, including its systems for managing electronic health records and ordering tests, procedures, and medications. In the aftermath, Ascension has diverted ambulances from some of its hospitals and relied on manual processes.

“Severe operational disruptions”

In an advisory published Friday, the FBI and the Cybersecurity and Infrastructure Security Agency said Black Basta has victimized 12 of the country’s 16 critical infrastructure sectors in attacks that it has mounted on 500 organizations spanning the globe. The nonprofit health care association Health-ISAC issued its own advisory on the same day, warning that the organizations it represents are especially desirable targets of the group.

“The notorious ransomware group, Black Basta, has recently accelerated attacks against the healthcare sector,” the advisory stated. It went on to say: “In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions.”

Black Basta has been operating since 2022 under what is known as the ransomware-as-a-service model. Under this model, a core group builds the infrastructure and the malware that, once an initial intrusion is made, spreads to systems throughout a network and then encrypts critical data while simultaneously exfiltrating it. Affiliates do the actual hacking, which typically involves phishing or other social engineering, or exploiting security vulnerabilities in software used by the target. The core group and affiliates divide any revenue that results.

Recently, researchers from security firm Rapid7 observed Black Basta using a technique they had never seen before. The end goal was to trick employees of targeted organizations into installing malicious software on their systems. On Monday, Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann reported:

Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.

Example spam email (Credit: Rapid7)

With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.

In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.

When an employee complies, the attackers execute malicious scripts that are disguised to appear as legitimate software updates. The scripts install persistent malware in stages that eventually allows the infected device to be controlled by attacker-operated servers. From there, the malware harvests passwords or other credentials stored on the device and sends them to the attackers.

“In one observed case, once the initial compromise was completed, the threat actor then attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts,” the researchers wrote. “While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.”

Living off the land

Impacket is a tool administrators and hackers use to assess and secure network environments. The Black Basta malware Rapid7 observed was using the tool to interact with Server Message Block (SMB), a Windows networking protocol that allows files to be shared over a network. For an intruder who holds the passwords securing devices inside a network, SMB can be a powerful means of spreading ransomware and other forms of malware. Cobalt Strike, meanwhile, is a tool admins and hackers use to test network security.

Black Basta and its affiliates have long been known to use a wide array of such tools, including BITSAdmin, PsExec, Remote Desktop Protocol (RDP), Splashtop, ScreenConnect, SoftPerfect, and Mimikatz. The use of legitimate tools in cyberattacks is known in security circles as living off the land. By avoiding custom software, the technique makes detection harder, because the activity blends in with routine administration.
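The two-stage pattern Rapid7 describes (a flood of benign-looking inbound mail to a user, followed by that user launching a remote-access tool after a phone call from a fake help desk) and the living-off-the-land tooling listed above both lend themselves to simple log correlation. The following detection sketch is an added example for this article; it is not Rapid7's, Ars Technica's, or any advisory's code. The event format, the thresholds, the process names (for example that Quick Assist appears as quickassist.exe) and the sample events are all constructed assumptions a defender would replace with their own telemetry.

```python
"""Correlate an inbound-mail flood with a later remote-access-tool launch,
and separately flag executions of commonly abused admin tools.

Added example; log format, thresholds and process names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed image names for the remote-access tools named in the article.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "quickassist.exe"}
# Legitimate tools the advisories list as abused ("living off the land").
LOL_TOOLS = {"bitsadmin.exe", "psexec.exe", "mimikatz.exe"}

SPAM_THRESHOLD = 20                     # messages in one window = a flood
SPAM_WINDOW = timedelta(minutes=10)     # size of the sliding window
FOLLOWUP_WINDOW = timedelta(hours=2)    # how long after the flood we watch


def parse_event(line):
    """Parse a constructed 'ISO-timestamp|kind|user|detail' log line."""
    ts, kind, user, detail = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), kind, user, detail


def image_name(path):
    """Reduce a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flood_start(times):
    """Return the time at which SPAM_THRESHOLD messages first fall inside
    one SPAM_WINDOW, or None if no flood occurs."""
    times = sorted(times)
    j = 0
    for i, t in enumerate(times):
        while t - times[j] > SPAM_WINDOW:   # slide the window forward
            j += 1
        if i - j + 1 >= SPAM_THRESHOLD:
            return t
    return None


def detect(lines):
    """Return (severity, user, image, reason) tuples for suspicious activity."""
    mail = defaultdict(list)
    procs = defaultdict(list)
    for line in lines:
        ts, kind, user, detail = parse_event(line)
        if kind == "mail_in":
            mail[user].append(ts)
        elif kind == "proc":
            procs[user].append((ts, image_name(detail)))

    floods = {u: flood_start(t) for u, t in mail.items()}
    floods = {u: t for u, t in floods.items() if t is not None}

    findings = []
    for user, events in procs.items():
        for ts, image in events:
            after_flood = (user in floods
                           and floods[user] <= ts <= floods[user] + FOLLOWUP_WINDOW)
            if image in REMOTE_ACCESS_TOOLS and after_flood:
                findings.append(("high", user, image,
                                 "remote-access tool launched after inbound mail flood"))
            elif image in REMOTE_ACCESS_TOOLS:
                findings.append(("low", user, image,
                                 "remote-access tool launched (no preceding flood)"))
            elif image in LOL_TOOLS:
                findings.append(("medium", user, image,
                                 "commonly abused admin tool executed"))
    return findings


# Constructed sample telemetry: alice receives 25 newsletter confirmations in
# eight minutes and then runs AnyDesk; bob gets a trickle of mail and runs
# Quick Assist; carol runs PsExec with no mail activity at all.
_base = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_EVENTS = (
    [f"{(_base + timedelta(seconds=20 * k)).isoformat()}|mail_in|alice|newsletter sign-up confirmation"
     for k in range(25)]
    + [f"{(_base + timedelta(minutes=30 * k)).isoformat()}|mail_in|bob|newsletter sign-up confirmation"
       for k in range(5)]
    + [
        "2024-05-06T09:45:00|proc|alice|C:\\Users\\alice\\Downloads\\AnyDesk.exe",
        "2024-05-06T10:00:00|proc|bob|C:\\Windows\\System32\\quickassist.exe",
        "2024-05-06T10:15:00|proc|carol|C:\\Tools\\PsExec.exe",
    ]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The high-severity rule fires only when both halves of the described chain are present for the same user, which is what separates a social-engineering intrusion from a help-desk technician legitimately starting a remote session. The medium rule for admin tools is deliberately noisy on its own; in practice it is tuned by excluding the accounts and hosts that are expected to run them, since the whole point of living off the land is that the binaries themselves are legitimate.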

Besides social engineering to gain an initial foothold inside targeted networks, Black Basta attackers also exploit known vulnerabilities that the organizations have yet to patch. Recent exploited vulnerabilities include the critical Windows vulnerabilities known as ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare, as well as CVE-2024-1709 in the ScreenConnect application made by ConnectWise.

Black Basta attackers don’t usually send ransom demands or payment information immediately after compromising a target. Instead, victims receive a unique code for communicating with attackers over an anonymous site on the TOR network. Typically, Black Basta gives the victims 10 to 12 days to pay before stolen data is published on the group’s name-and-shame site.

All three advisories include cryptographic hashes of files, IP addresses, and other forensic evidence that organizations can use to determine whether they have been targeted by Black Basta. They also provide recommendations for protecting networks against intrusions by the group and other ransomware actors.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.