Black Basta Ransomware Breached Over 500 Organizations

In a joint report published by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), it was stated affiliates associated with the Black Basta have breached the networks of over 500 organizations worldwide.

Black Basta Ransomware Breached Over 500 Organizations

Black Basta was first seen in any operational capacity in April 2022. The rise of Black Basta occurred concurrently with the demise of the Conti ransomware gang, whose operations ceased after a series of embarrassing data leaks crippled the gang.

Shortly after Black Basta’s emergence, threat actors affiliated with the ransomware have already breached 12 networks of significant organizations. That number only increased in the first two weeks of operations to 20. One sector that proved favorable for targeting was organizations in healthcare.

In the following years, the Health Sector Cyber Security Coordinator stated in a report,

Although Black Basta was first observed in April 2022, evidence suggests that the RaaS threat group was in development since February 2022. In its first two weeks alone, at least 20 victims were posted to its leak site, a Tor site known as Basta News. It exclusively targets large organizations in the construction and manufacturing industries, but was also observed to target other critical infrastructure, including the health and public health sector. While primairly targeting organizations within the United States, its operators also expressed interest in attacking other English-speaking countries’ organizations in Australia, Canada, New Zealand, and the United Kingdom. Threat actors that used the ransomware have additionally impacted organizations based in the United States, Germany, Switzerland, Italy, France, and the Netherlands.

Only a few years later, Black Basta has successfully targeted over 500 organizations. In the recently published CISA report, law enforcement officials noted regarding targeting and tactics,

...Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector…Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Given that Black Basta affiliates will use several techniques and tactics to infect tarted networks, the organization should apply several proven attack mitigation strategies, particularly in the healthcare sector. CISA has published a comprehensive mitigation guide that should be treated as required reading for an admin or IT staff looking to prevent ransomware attacks.

Healthcare Network Ascension Suffers Possible Black Basta Attack

As if to highlight the serious threat posed by Black Basta, as illuminated by CISA and the FBI, US Healthcare Network Ascension reported it had suffered a cyber incident. Ascension is one of the largest private healthcare systems in the United States, operating 140 hospitals and 40 senior care facilities across 19 states and the District of Columbia.

The nonprofit health system has 8,500 providers, 35,000 affiliated providers, and 134,000 associates. In 2023, it reported a total revenue of 28.3 billion USD.

The incident was initially reported on May 8, 2024, and resulted in hospitals diverting ambulances to other locations following clinical operation disruptions due to system outages.

By May 10, it was reported that critical systems were still offline, including the MyChart electronic health records system, which patients use to view their medical records and communicate with their providers. The attack also took down some phone systems and systems for ordering tests, procedures, and medications.

In a statement issued by Ascension, which is at the time of writing offline, the company said,

On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cyber security event, We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems have been interrupted as this process continues. Out of an abundance of caution, we are recommending that business partners temporarily suspend the connection to the Ascension environment. We will inform partners when it is appropriate to reconnect into our environment,

Ascension has made no effort to say the exact cause of the incident; however, sources close to the matter told CNN that the healthcare group suffered a ransomware attack.

Sources also believe the offending piece of ransomware to be Black Basta. This coincides with a threat advisory issued by Health-ISAAC that warns the healthcare sector of a significant uptick in Black Basta activity.

Black Basta has also claimed the scalps of several other multinational organizations, including German defense contractor Rheinmetall, U.K. technology outsourcing company Capita, industrial automation company and government contractor ABB, and the Toronto Public Library.

It has been estimated that the ransomware gang raked in over 100 million USD from the start of the operation in April 2022 to November 2023, receiving ransomware payments from over 90 victims. Clearly, Black Basta threatens any organization that has fallen behind on their cyber security upkeep.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal