CyberSecurity news
BushidoToken (noreply@blogger.com)@blog.bushidotoken.net - 17h
The BlackBasta ransomware group's attack on Ascension Health, one of the largest healthcare providers in the US, has been brought to light by leaked chat logs. The incident, which occurred in May 2024, significantly disrupted services and involved the exfiltration of 1.4TB of data and the encryption of over 12,000 servers. The BlackBasta gang gained initial access months before deploying the ransomware, starting around November 2023, using phishing and password-guessing techniques to compromise 14 email addresses belonging to Ascension Health employees.
These leaked chat logs give researchers a rare opportunity to understand the inner workings of the Russia-based cybercrime enterprise. The BlackBasta gang, made up of former Conti ransomware members, exhibits an operational structure similar to Conti's. Veriti Research analyzed the leaked communications and found that BlackBasta exploited vulnerabilities in VMware ESXi, Microsoft Exchange, Citrix VPNs, Fortinet firewalls, and Active Directory. The gang also uses cloud services for malware hosting and adjusts its tactics to evade detection, while voicing frustration when EDRs, firewalls, and IP reputation monitoring disrupt its operations.
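The initial access described above relied in part on guessing passwords against employee mailboxes, which from the defender's side shows up as one source address failing against many distinct accounts in a short span, followed by a success. The following is an added example, not code from the blog post or from any of the cited reports, of a small detector for that pattern over constructed authentication log lines (the hostnames, addresses and timestamps are made up for illustration, and the `FAIL`/`SUCCESS` line format is an assumption, not any real product's log format):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <user> <source ip> <outcome>".
# One source fails against six accounts in under a minute and then logs in
# as one of them; a second source is a user mistyping her own password.
SAMPLE_LOG = """\
2023-11-02T08:00:01Z alice@example.org 203.0.113.5 FAIL
2023-11-02T08:00:04Z bob@example.org 203.0.113.5 FAIL
2023-11-02T08:00:07Z carol@example.org 203.0.113.5 FAIL
2023-11-02T08:00:10Z dave@example.org 203.0.113.5 FAIL
2023-11-02T08:00:13Z erin@example.org 203.0.113.5 FAIL
2023-11-02T08:00:16Z frank@example.org 203.0.113.5 FAIL
2023-11-02T08:05:40Z frank@example.org 203.0.113.5 SUCCESS
2023-11-02T09:10:00Z carol@example.org 198.51.100.7 FAIL
2023-11-02T09:10:20Z carol@example.org 198.51.100.7 FAIL
2023-11-02T09:10:45Z carol@example.org 198.51.100.7 SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source ip, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome


def find_spray_sources(log_text, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: max distinct accounts failed within one window}.

    A source is flagged when a sliding time window over its failed logins
    covers at least `min_accounts` distinct usernames. A single user failing
    repeatedly (a forgotten password) never trips this, because the count is
    of distinct accounts, not of attempts.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {user for _, user in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = max(len(distinct), alerts.get(ip, 0))
    return alerts


def suspicious_successes(log_text, **kwargs):
    """Successful logins from a source already flagged as spraying.

    These are the accounts most likely to have been compromised and are the
    ones to reset and review first.
    """
    sprayers = find_spray_sources(log_text, **kwargs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, ip, outcome = parse_line(line)
        if outcome == "SUCCESS" and ip in sprayers:
            hits.append((user, ip))
    return sorted(hits)


if __name__ == "__main__":
    print("spray sources:", find_spray_sources(SAMPLE_LOG))
    print("suspicious successes:", suspicious_successes(SAMPLE_LOG))
```

The window and threshold are deliberately parameters: the campaign described here ran over months, so a run against real logs should also be tried with a window of days and a lower account threshold to catch low-and-slow guessing that a 30-minute window misses.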
References:
- blog.bushidotoken.net: BlackBasta Leaks: Lessons from the Ascension Health attack
- thecyberexpress.com: Black Basta Chat Logs Reveal Ransomware Group’s TTPs, IoCs
- VERITI: Inside the Minds of Cybercriminals: A Deep Dive into Black Basta’s Leaked Chats
- aboutdfir.com: Report on the attack on Ascension Health and the alleged involvement of Black Basta.
- ASEC: Description of the ransomware attack, its impact, and the potential ramifications for healthcare organizations.
Classification:
- HashTags: #Ransomware #Cyberattack #HealthcareSecurity
- Company: Ascension Health
- Target: Ascension Health
- Attacker: Black Basta
- Product: Ascension Health Network
- Feature: ransomware attack
- Malware: BlackBasta
- Type: Ransomware
- Severity: Disaster