Digital world map with glowing network connections and a ransomware warning symbol, highlighting the global spread of Black Basta ransomware.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) disclosed today that affiliates of the Black Basta ransomware have infiltrated more than 500 organizations between April 2022 and May 2024.

According to a comprehensive report released in conjunction with the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), these agencies revealed that the criminal group also executed encryption and data theft in at least 12 of the 16 critical infrastructure sectors.

While specific motivations for the current advisory were not disclosed by the federal agencies, Black Basta was recently associated with a presumed ransomware assault on the systems of the healthcare conglomerate Ascension. This attack compelled the U.S. healthcare network to reroute ambulances to unaffected facilities.

Additionally, on Friday, the Health-ISAC issued a threat bulletin indicating a recent surge in Black Basta ransomware attacks targeting the healthcare sector.

Originating as a Ransomware-as-a-Service (RaaS) operation in April 2022, Black Basta’s affiliates have successfully breached several high-profile entities, including German defense contractor Rheinmetall, Hyundai’s European division, U.K. technology outsourcing firm Capita, industrial automation and government contractor ABB, the Toronto Public Library, the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.

Following the dissolution of the Conti cybercrime syndicate in June 2022 after several significant data breaches, it fragmented into multiple factions, one of which is believed to be Black Basta.

The HHS security team noted in a March 2023 report, “The threat group’s rapid targeting of at least 20 victims in its first two weeks demonstrates its expertise in ransomware and a stable source of initial access. The high level of sophistication exhibited by its skilled ransomware operators and their avoidance of recruitment or advertising on Dark Web forums have led many to suspect that the nascent Black Basta might be a rebranded version of the Russian-speaking RaaS group Conti, or linked to other Russian-speaking cyber threat groups.”

Research by Elliptic and Corvus Insurance indicated that this Russian-affiliated ransomware gang has amassed at least $100 million in ransom payments from over 90 victims until November 2023.

The joint advisory also offers defenders insights into the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) employed by Black Basta affiliates, as identified in FBI investigations.

To mitigate the risk of Black Basta ransomware attacks, defenders are advised to maintain up-to-date operating systems, software, and firmware, implement phishing-resistant Multi-Factor Authentication (MFA) for as many services as possible, and educate users on recognizing and reporting phishing attempts.

Moreover, securing remote access software with CISA-recommended mitigations, regularly backing up device configurations and critical systems for expedited repairs and restoration, and implementing the mitigations outlined in the StopRansomware Guide are essential.

The agencies specifically emphasized the heightened risks faced by healthcare organizations from this ransomware operation and urged them to apply the recommended mitigations to prevent potential attacks.