HC3: Threat Profile Black Basta TLP CLEAR - March 15, 2023
Executive Summary
Black Basta was initially spotted in early 2022, known for its double extortion attack, the Russian-speaking group not only executes ransomware, but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it, should a victim fail to pay a ransom. The threat group’s prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access. The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups. Previous HC3 Analyst Notes on Conti and BlackMatter even reinforce the similar tactics, techniques, and procedures (TTPs) shared with Black Basta. Nevertheless, as ransomware attacks continue to increase, this Threat Profile highlights the emerging group and its seasoned cybercriminals and provides best practices to lower risks of being victimized.
Impact to HPH Sector
Having already attacked several health and public health sector organizations in 2022, Black Basta is a credible threat to the sector. In its first year alone, the group exclusively targeted U.S.-based organizations, seeking to purchase network access credentials for companies specifically located there. In these attacks, Black Basta not only affected the websites of specific health information technology, healthcare industry services, laboratory and pharmaceutical, and health plans organizations across multiple states, but also cumulatively stole several gigabytes of data on personal identifiable information (PII) for members of health organizations, their customers, and employees. Continued and future attacks on and unpatched critical vulnerabilities in the public health and healthcare systems sector could be potentially life threatening, the impact of which would be devasting to critical infrastructure.
View the detailed report below.
For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact: