HC3 Raises Alarm Over Black Basta Ransomware Group as a Threat to Healthcare

March 17, 2023 - The healthcare sector faces a new cybersecurity threat as the Black Basta ransomware group emerges, the Health Sector Cybersecurity Coordination Center (HC3) warned in a threat profile. The ransomware group, with potential ties to Conti and FIN7, is known for its sophisticated attacks on larger organizations, including those within the healthcare sector.

First identified in early 2022, Black Basta employs a double extortion strategy to steal sensitive data from targeted organizations, leveraging the threat of public disclosure during extortion. HC3 stated that the group targeted at least 20 victims, many targets in the healthcare and public health sector, during its first two weeks of operation, demonstrating its experience in ransomware and a consistent source of initial access.

Black Basta exclusively targeted US-based organizations throughout its first year, breaching health information technology, healthcare services, laboratories, pharmaceuticals, and health plans across multiple states. The ransomware group’s attacks also led to stolen gigabytes of personally identifiable information (PII) from health organizations, customers, and employees.

“Black Basta’s high-volume attacks in 2022 suggest that they will continue to attack and extort organizations,” HC3 wrote in the threat profile. “As RaaS threat groups become more prolific, healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks.”

“Organizations can take several multilayered actions to minimize their exposure to and the potential impact of a ransomware attack. While there is no specific set of recommendations to hinder Black Basta’s custom capabilities, this Threat Profile presents a sample of mitigations, countermeasures, indicators of compromise, and other courses of action from various cybersecurity organizations and publications.”

According to HC3, the ransomware group is likely motivated by financial gain. Researchers have observed that the group sometimes even demands a ransom fee that exceeds millions of dollars.

The group also avoids using affiliates, only working with a limited and trusted network. Despite its short existence, Black Basta has compromised several critical infrastructure organizations in multiple countries while remaining largely undetected.

Overall, Black Basta has maintained a low profile and uses similar tactics resembling those of other Russian-speaking threat actors such as Conti, FIN7, Evil Corp, or BlackMatter. The group used a more deliberate and targeted approach, calculatingly evaluating potential victims before launching attacks rather than relying on spray-and-pray tactics, HC3 stated.

For example, researchers have suggested that Black Basta could be an offshoot of the Russian-speaking RaaS threat group Conti or that it includes former members of the group. Conti is known for using RaaS to launch disruptive ransomware attacks targeting critical infrastructure, particularly in the health and public sectors. The group focuses on companies with over $100 million in annual revenue and specializes in double extortion operations, threatening to publish stolen data as blackmail.

Additionally, observers on the Dark Web have noted similarities between both data leak site infrastructures, payment methods, and communication styles. The last reason for the speculated link is a leaked Conti chat in February 2022 that implied that Conti operators might have attempted to evade law enforcement by rebranding and to operate under a new ransomware group.

Researchers have also observed connections between Black Basta and the Russian-speaking RaaS threat group FIN7, also known as Carbanak, Cobalt Group, or Carbon Spider. In June 2022, Sentinel Labs identified the first potential connection between FIN7 and Black Basta, indicating a trend toward hacktivist collaboration. 

Specifically, Black Basta was found to be using an Endpoint Detection and Response (EDR) evasion tool, known to be exclusively employed by its own members. Researchers discovered a backdoor within this EDR that was developed by FIN7 in 2018 and is still in use today. This same backdoor connects to an IP address regularly utilized by FIN7, further suggesting a possible link between the two groups.

In 2022, a joint investigation by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Secret Service (USSS) revealed that the Conti ransomware group was responsible for at least 16 cyberattacks on US healthcare entities.

The update stated that "Conti cyber threat actors remain active, and the number of reported Conti ransomware attacks against both US and international organizations has risen to over 1,000."