In a coordinated effort to combat the growing threat of ransomware, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) detailing the tactics, techniques, and procedures (TTPs) of the Black Basta ransomware variant.
The advisory, published on May 10, 2024, is part of the ongoing #StopRansomware campaign, which aims to provide critical information to network defenders to help protect against ransomware attacks. Black Basta, a ransomware-as-a-service (RaaS) variant first identified in April 2022, has been targeting organizations across at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.
According to the advisory, Black Basta affiliates have impacted over 500 organizations globally as of May 2024. The threat actors employ common initial access techniques, such as phishing and exploiting known vulnerabilities, before deploying a double-extortion model, encrypting systems and exfiltrating data. Victims are provided with a unique code and instructed to contact the ransomware group via a .onion URL, accessible through the Tor browser, to receive ransom demands and payment instructions.
The joint advisory emphasizes the attractiveness of healthcare organizations as targets for cybercrime actors due to their size, technological dependence, access to personal health information, and the potential for patient care disruptions. To mitigate the risk of Black Basta and other ransomware attacks, the authoring organizations urge HPH Sector and all critical infrastructure organizations to implement the recommendations outlined in the advisory, which align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
Key mitigations include installing updates for operating systems, software, and firmware as soon as they are released, prioritizing the update of Known Exploited Vulnerabilities (KEV), requiring phishing-resistant multi-factor authentication (MFA) for as many services as possible, and implementing recommendations from joint phishing guidance to stop attacks at the initial phase.
The advisory also provides a comprehensive list of indicators of compromise (IOCs), including malicious files, network indicators, and known Black Basta Cobalt Strike domains, to help organizations detect and respond to potential Black Basta infections.
FBI, CISA, HHS, and MS-ISAC encourage organizations to promptly report ransomware incidents to the appropriate authorities, regardless of whether they have decided to pay the ransom. The authoring organizations emphasize that paying the ransom does not guarantee the recovery of files and may encourage further criminal activity.
As the threat of ransomware continues to evolve, the joint advisory serves as a crucial resource for organizations seeking to enhance their cybersecurity posture and protect against the devastating impact of Black Basta and other ransomware variants. By implementing the recommended mitigations and staying vigilant, organizations can significantly reduce their risk of falling victim to these increasingly sophisticated attacks.