What is Black Basta, thought to be behind the Ascension ransomware attack?

A ransomware attack on Ascension, one of the largest nonprofit health systems in the country, has left critical computer systems crippled for more than two weeks, with no clear end in sight.

The cyberattack, which has resulted in major disruptions at Ascension hospitals and clinics in Wisconsin and across the country, reportedly involved a type of ransomware called Black Basta, according to CNN, which cited four anonymous sources briefed on the investigation into the attack.

Ascension has given no timeline for when the systems impacted by the May 8 cyberattack will be restored. Health care workers at Ascension locations still cannot access the electronic medical records system, called Epic, critical for documenting patients' history, current medications and allergies and keeping track of their conditions. Systems used to communicate across hospital departments, order labs and tests and prescribe medications also are not working like they used to.

In the days immediately following the Ascension hack, the FBI and other federal entities concerned with cybersecurity issued a joint advisory, warning about Black Basta and providing instructions on how to protect against it and the group of cyber criminals known by the same name.

Here's what we know about Black Basta.

What is Black Basta, believed to be behind the Ascension ransomware attack?

Black Basta is a group of cyber criminals thought to be an offshoot of a now-defunct Russian group of hackers known as "Conti." Black Basta reportedly raked in more than $100 million in bitcoin since it emerged in early 2022, according to a November joint report from digital currency tracking service Elliptic and Corvus Insurance.

Black Basta is also the name of a type of ransomware used to encrypt victims' computers, rendering them unusable. Hackers can then extort victims by demanding money in return for access to the computer systems.


How does Black Basta work?

Hackers use a number of techniques to get into their targets' computer systems, including:

  • Exploiting known vulnerabilities in software and hardware.

  • Sending phishing emails, which are designed to look legitimate and to get the recipient to click on a hyperlink, open an attachment or do something else to hand over the recipient's credentials or expose their system to malware.

There is evidence to suggest Black Basta uses stolen credentials, bought on the dark web, to get into organizations' systems, according to the U.S. Department of Health and Human Services, or HHS. The dark web is a part of the Internet only accessible through a specialized web browser that keeps users anonymous.

Once they've infiltrated a system, Black Basta hackers move about and explore the computer network, gaining higher-level access, to find and steal sensitive data, according to a joint advisory issued this month by the FBI, HHS, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center. They then use ransomware to lock their targets out of their systems.

The hackers often use what's called "double extortion," in which they demand a ransom payment to unlock the target's systems and then demand more money not to release stolen, sensitive data.

Ransom notes do not generally include an initial ransom demand or payment instructions, according to the joint advisory. Instead, the notes give victims a unique code and instruct them to contact the ransomware group on the dark web. Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes stolen data on the dark web, according to the advisory.

The FBI does not support paying a ransom, and paying up is not a guarantee that the victim will recover their data or that their systems will be restored.


Who does Black Basta target?

The group has targeted and hacked organizations from all kinds of industries, including construction, manufacturing and communications. Black Basta victims include Dish Network, the British outsourcing company Capita and Swiss tech company ABB, according to Elliptic, the digital currency tracking service that put out the November joint report on Black Basta.

Hacking groups like Black Basta have recently ramped up attacks against the health care sector, according to an advisory issued this month by the Health Information Sharing and Analysis Center.

Health care organizations are attractive targets for cyber criminals because of their size, their heavy reliance on technology, their access to lots of personal health information and the "unique impacts from patient care disruptions," according to the advisories. Health care organizations also are perceived as likely to pay ransoms and as having weak protections against cyberattack, according to a February PowerPoint from HHS.

The American Hospital Association, the industry group representing health systems, urged hospitals to share information with their IT and cyber infrastructure teams about Black Basta.

“This known Russian-speaking ransomware gang is actively targeting the U.S. and global health care sector with high-impact ransomware attacks designed to disrupt operations,” John Riggi, the group's national advisor for cybersecurity and risk, said in a news release.

“It is recommended that this alert be reviewed with high urgency and the identified ransomware signatures be immediately loaded into network defenses and threat hunting tools. It is also recommended that the identified cyber risk mitigation practices be implemented as soon as feasible,” he said.

Was Black Basta behind the recent Change Healthcare attack?

No. There are many other hackers who also target the health care sector. The ransomware group BlackCat/ALPHV claimed responsibility for the recent attack on Change Healthcare, part of health giant UnitedHealth Group, one of the worst hacks to hit U.S. health care, according to a report to Congress by the Congressional Research Service.

Following an FBI campaign to disrupt BlackCat's operations, BlackCat declared that it would retaliate against the United States by targeting health care providers with ransomware, according to the report to Congress.

Reuters contributed to this report.

This article originally appeared on Milwaukee Journal Sentinel: What is Black Basta, thought to be behind the Ascension cyberattack?
