Update May 10, 2024, 6:06 pm ET.

New indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) were made available through a joint Cybersecurity Advisory (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA). Health-ISAC is sharing the updated information for overall awareness and action. The Health-ISAC bulletin and this CSA serve as a reminder of the recent Black Basta ransomware activity, whose actors have encrypted and stolen data from at least 12 of the 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

TLP WHITE - 2c4e32a6 - UPDATE: Black Basta Threat Actor Emerges as a Major Threat to the Healthcare Industry


The notorious ransomware group, Black Basta, has recently accelerated attacks against the healthcare sector. Health-ISAC is urging all Healthcare and Public Health (HPH) sector entities to review this threat bulletin and follow the recommended actions below.

May 10, 2024.

Black Basta emerged in early 2022 and quickly became one of the most active ransomware-as-a-service (RaaS) threat actors. They use double extortion tactics, encrypting victims’ data and threatening to leak sensitive information on their public leak site on Tor, named Basta News. The group has allegedly extorted over 100 million dollars since its emergence, making it one of the most prolific active ransomware strains.

The threat actor is financially motivated and has opportunistically targeted the healthcare sector as a part of their malicious operations. In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions. Taking these latest developments into consideration, Health-ISAC has assessed that Black Basta represents a significant threat to the healthcare sector. Members are strongly advised to keep an eye on the threat actor and their tactics, techniques, and procedures (TTPs).

Black Basta’s malware, written in C++, targets both Windows and Linux systems. It encrypts data using ChaCha20 and RSA-4096 and attempts to delete shadow copies and backups.
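The shadow-copy and backup deletion step described above is one of the few pre-encryption actions a defender can reliably alert on, because it runs through a small set of built-in Windows utilities. The script below is an added example, not part of the Health-ISAC bulletin or the CISA advisory: it scans process-creation events for command lines commonly associated with destroying Volume Shadow Copies, Windows Server Backup catalogs, or automatic recovery, and escalates any host where more than one such technique fires. The pipe-separated log format and the sample events are constructed for the example; adapt the parser to your EDR or Sysmon event schema. It covers only the Windows side of the behaviour the bulletin mentions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (NOT taken from the bulletin), in a
# simplified pipe-separated format: timestamp|host|user|parent_image|command_line
SAMPLE_LOGS = [
    "2024-05-10T14:02:11Z|WS-042|CORP\\jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2024-05-10T14:03:27Z|WS-042|NT AUTHORITY\\SYSTEM|svchost.exe|vssadmin.exe list shadows",
    "2024-05-10T14:05:40Z|WS-042|CORP\\jdoe|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-05-10T14:05:41Z|WS-042|CORP\\jdoe|cmd.exe|wmic.exe shadowcopy delete",
    "2024-05-10T14:05:43Z|WS-042|CORP\\jdoe|cmd.exe|bcdedit.exe /set {default} recoveryenabled no",
    "2024-05-10T14:07:02Z|SRV-BK1|CORP\\backupsvc|wbadmin.exe|wbadmin.exe start backup -backupTarget:E:",
]

# Command-line patterns for backup/recovery destruction. Listing or creating
# shadow copies is legitimate admin activity and deliberately does not match.
PATTERNS = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

FIELDS = ("timestamp", "host", "user", "parent", "command_line")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_line(line):
    """Split one constructed-format record into a dict; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != len(FIELDS):
        return None  # skip malformed records instead of crashing the pipeline
    return dict(zip(FIELDS, parts))


def match_rule(command_line):
    """Return the name of the first pattern the command line matches, else None."""
    for name, pattern in PATTERNS:
        if pattern.search(command_line):
            return name
    return None


def detect(lines):
    """Run every event through the patterns and collect the hits in order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = match_rule(rec["command_line"])
        if rule:
            findings.append(Finding(rec["timestamp"], rec["host"], rec["user"],
                                    rule, rec["command_line"]))
    return findings


def hosts_with_multiple_rules(findings, threshold=2):
    """Hosts on which at least `threshold` distinct destruction techniques fired.

    A single vssadmin deletion can be a sloppy admin; several different
    techniques on one host in quick succession is the pre-encryption pattern.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print("hosts with multiple backup-destruction rules:", hosts_with_multiple_rules(hits))
```

Treat any single hit as worth a ticket, and any host returned by `hosts_with_multiple_rules` as an incident: at that point encryption is typically seconds to minutes away, so the response playbook should isolate the host first and investigate second. Pair this with an alert on the backup service account performing unusual deletions, which the pattern list does not cover.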

Please see the PDF for the full bulletin.

