3 things you should know about the cybergang that attacked Ascension

Since its first appearance two years ago, the Black Basta ransomware group has quickly gained notoriety and is considered one of the biggest cybersecurity threats to healthcare organizations.

The cybergang is believed to be an offshoot of the notorious Russian cybercriminal group Conti. The group – responsible for the massive cyberattack on Ascension last month – has affected more than 500 organizations around the world, according to a May report from the Cybersecurity and Infrastructure Security Agency (CISA).

Below are three important pieces of information about this group of cybercriminals.

Typically, victims have less than two weeks to pay the group’s ransom.

Black Basta, first identified in April 2022, has attacked a wide range of organizations in North America, Europe and Australia, according to the CISA announcement.

The ransomware gang typically uses common techniques to initially gain access to its victims’ systems, such as phishing or exploiting known software vulnerabilities. From there, Black Basta uses a double extortion approach, meaning it encrypts its victims’ systems and exfiltrates the data.

Typically, the group’s ransom notes give victims 10–12 days to pay the ransom before their data is published.

In the first year and a half, the group extorted more than $100 million.

A report published in late November by currency tracking services Elliptic and Corvus Insurance found that Black Basta had stolen at least $107 million worth of bitcoin from more than 90 victims.

The average ransom payment was $1.2 million, according to the report. The highest ransom payment was $9 million, and at least 18 payments exceeded the $1 million mark.

The existence of cyber gangs like Black Basta requires providers to take more precautions than ever before.

When a large healthcare provider like Ascension is hit by a ransomware attack, staff often implement manual workarounds to continue patient care during the incident. But those workarounds can create additional security risks, Joel Burleson-Davis, senior vice president of worldwide development and cybersecurity at digital identity security company Imprivata, said in a recent interview.

“When normal systems are compromised, healthcare providers may resort to unsecured methods to access or share patient information, such as personal devices or manual records,” he explained. “These practices can increase the risk of data leaks and further compromise patient safety because they often bypass established security protocols designed to protect patient information.”

If an employee does not have access to secure communications systems or third-party services, there is a risk that they will disclose confidential information, such as passwords or patient data, via email, telephone or on paper.

This is risky not only because papers could be misplaced and employees’ phones and emails could be hacked, but also because there have been reports that cybercriminal groups such as Black Basta are using social engineering attacks, including voice phishing, to gain access to systems, Burleson-Davis explained.

“Without multi-factor authentication or other methods of identity verification, an employee seeking to maintain the flow of care may inadvertently expose the organization to even greater abuse by sharing information with third parties,” he noted.

Photo: WhataWin, Getty Images