On March 15, the Health Sector Cybersecurity Coordination Center (HC3) published a threat profile on the Russian-speaking Black Basta ransomware group. The group was first spotted in 2022 and is known for its double extortion ransomware attacks. The group not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it should a victim fail to pay a ransom.
The profile says that “The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups. Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta. Nevertheless, as ransomware attacks continue to increase, this Threat Profile highlights the emerging group and its seasoned cybercriminals and provides best practices to lower risks of being victimized.”
That said, “Having already attacked several health and public health sector organizations in 2022, Black Basta is a credible threat to the sector. In its first year alone, the group exclusively targeted U.S.-based organizations, seeking to purchase network access credentials for companies specifically located there. In these attacks, Black Basta not only affected the websites of specific health information technology, healthcare industry services, laboratory and pharmaceutical, and health plans organizations across multiple states, but also cumulatively stole several gigabytes of data on personal identifiable information (PII) for members of health organizations, their customers, and employees. Continued and future attacks on and unpatched critical vulnerabilities in the public health and healthcare systems sector could be potentially life threatening, the impact of which would be devastating to critical infrastructure.”
Black Basta, according to the profile, is related to, or shares current and/or former operations with, Conti, FIN7, and/or BlackMatter. The connection to these groups could explain why Black Basta’s recent activity is highly sophisticated. The group is primarily financially motivated, demanding ransoms that exceed millions of dollars. Additionally, the group has publicized its interest in targeting English-speaking countries, which suggests a political agenda.
TTPs observed from Black Basta include abuse of insecure and vulnerable remote desktop protocol (RDP) configurations, phishing campaigns, malicious downloads, web injections, and repackaged or infected installers.
“Black Basta’s high-volume attacks in 2022 suggest that they will continue to attack and extort organizations,” the profile comments. “As RaaS threat groups become more prolific, healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks.”