
After the ransomware attack on Ascension, authorities are raising the alarm about the Black Basta group

Multiple US government agencies warned that the Black Basta ransomware gang had targeted healthcare and 12 of the 16 critical infrastructure sectors.

In a statement Friday afternoon, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) said Black Basta attacked at least 500 organizations worldwide between April 2022 and May 2024.

According to authorities, the ransomware-as-a-service gang typically attacks organizations through phishing attacks and known vulnerabilities, but does not immediately provide ransom demands or payment information.

Victims receive a unique code and link to communicate with the ransomware gang. Many victims are given between 10 and 12 days to pay a ransom before stolen data is released.

The warning comes after CNN reported Thursday evening that four sources said Black Basta ransomware was behind the attack on nonprofit healthcare system Ascension.

The Catholic organization operates hundreds of hospitals across the U.S. and was forced this week to turn away ambulances, resort to paper records and cancel non-urgent appointments because of technology outages caused by the incident.

Multiple federal agencies, including HHS and the FBI, are involved in the recovery effort. An HHS spokesperson told Recorded Future News that the department is communicating with Ascension leadership “to understand their efforts to minimize any disruptions to patient care.”

“This incident is an important reminder of the urgency to strengthen cybersecurity resilience in healthcare. HHS encourages all providers, technology providers, payers and members of the healthcare ecosystem to strengthen cybersecurity,” they said.

ConnectWise vulnerability

The agencies said Black Basta affiliates began exploiting CVE-2024-1709 in February. The vulnerability affects ConnectWise’s ScreenConnect, which enables secure remote desktop access and mobile device support.

The flaw was immediately exploited by several ransomware gangs when it emerged and caused panic among managed service providers (MSPs) due to its widespread use.

Friday’s advisory warned that affiliates are also using tools like the SoftPerfect network scanner to scan networks for vulnerable tools. According to authorities, other vulnerabilities exploited by the group include ZeroLogon, NoPac and PrintNightmare.

Authorities specifically warned that healthcare organizations “represent attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and the unique impact of interruptions in patient care.”

HHS said last year that the group “may even be a rebrand of the Russian-speaking RaaS threat group Conti or may also be linked to other Russian-speaking cyber threat groups.”

Industry group Health-ISAC released its own advisory on Black Basta on Friday, saying data showed it had extorted at least $100 million since its creation.

“Last month, at least two healthcare organizations in Europe and the United States fell victim to Black Basta ransomware and suffered severe operational disruptions,” Health-ISAC said. “Taking these latest developments into account, Health-ISAC has concluded that Black Basta poses a significant threat to the healthcare sector.”

Black Basta has made bold attacks on the Dish Network, the American Dental Association, British outsourcing company Capita, Swiss technology giant ABB and German defense company Rheinmetall.

According to a report, it is the fourth most active ransomware variant since its creation in terms of the number of victims recorded in the last year.

The gang has information from organizations such as the Raleigh Housing Authority in North Carolina; a television advertising distribution and technology company jointly owned by the three largest U.S. cable operators; and Chile’s government.
