The Ascension health system said over the weekend it was continuing efforts to restore IT systems impacted by a ransomware attack that significantly disrupted care at its network of hospitals across the U.S.
While Ascension has not publicly attributed the attack to a specific cyber threat actor, a CNN report on Friday said the Black Basta ransomware group was believed to be responsible.
CNN’s report coincided with the publication of a joint cybersecurity advisory warning hackers affiliated to Black Basta had impacted over 500 organizations globally since it was first identified in April 2022.
In a Saturday update on the incident, Ascension said it could not give a timeline as to when restoration of its systems would be complete.
“We continue to diligently investigate and address the recent ransomware incident, working closely with industry leading cybersecurity experts to assist in our investigation and restoration and recovery efforts,” the organization said.
“While we expect this process will take time to complete, we are making progress and systems are being restored in a coordinated manner at each of our care sites.”
The attack impacted Ascension’s electronic health records systems together with other systems used to order certain tests, procedures and medications. It forced medical staff to resort to using paper-based records to chart patient information.
“Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately,” Ascension said.
The organization is the largest nonprofit and Catholic health system in the U.S., operating 142 hospitals and 40 senior care facilities across 19 states and the District of Columbia.
Black Basta targeting health sector, agencies warn
Friday’s advisory — co-authored by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) — said Black Basta affiliates had impacted a wide range of businesses and critical infrastructure in North America, Europe and Australia
Actors associated with the ransomware gang encrypted and stole data from at least 12 out of 16 critical infrastructure sectors, including the healthcare and public health sector.
“Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the advisory said.
Black Basta affiliates used common initial access techniques — including phishing and exploiting known vulnerabilities — when targeting organizations, the agencies said.
The threat actors then used a double-extortion model against their victims, both encrypting systems and exfiltrating data.
“Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser),” according to the advisory.
The ransom notes typically gave victims between 10 days and 12 days to pay the ransom before stolen data was published on the ransomware gang’s Tor leak site, Basta News.
Black Basta affiliates, along with a number of other threat actors, began exploiting a ConnectWise vulnerability (CVE-2024-1709) since February to obtain initial access, the agencies said. Researchers have described the flaw as a “trivial and embarrassingly easy” method of gaining administrative access.
On the same day the FBI, CISA, HHS and MS-ISAC published their advisory, the Health Information and Analysis Center (Health-ISAC) also posted an advisory warning that the ransomware gang had stepped up its attacks on the healthcare sector.
“Black Basta uses advanced techniques to evade detection by security solutions and hinder file recovery from backups. These include obfuscation and polymorphism, Living Off the Land (LotL), anti-analysis and sandbox detection, memory execution, disabling security solutions, and deleting backups,” the Health-ISAC alert said.
