On May 8th, 2024, Ascension Health, one of the largest Catholic health systems in the U.S., became the victim of a ransomware attack by the BlackBasta group. The cyberattack caused widespread disruptions to clinical operations across Ascension’s network of hospitals and care facilities, severely impacting patient services. This incident highlights the vulnerability of healthcare providers to ransomware attacks and the increasingly aggressive tactics of cybercriminal groups like BlackBasta.
The Attack: BlackBasta’s Playbook
BlackBasta is a relatively new but highly active ransomware group that has been targeting various industries, including healthcare, with devastating consequences. In the case of Ascension Health, the group deployed its ransomware to encrypt critical healthcare systems, leading to the disruption of both administrative functions and clinical operations. The attackers followed their usual pattern of double extortion, threatening to leak sensitive patient and operational data if their ransom demands were not met.
It is believed that BlackBasta gained initial access to Ascension Health’s systems using a combination of phishing attacks and vulnerabilities in remote access services. Once inside, the attackers likely used lateral movement techniques such as T1021 – Remote Services to spread the ransomware across the organisation’s network.
The ransomware then encrypted essential files and databases, locking healthcare providers out of their systems. The attack resulted in delays to medical procedures, the temporary unavailability of patient records, and the cancellation of non-emergency surgeries and appointments. While it is unclear whether Ascension chose to pay the ransom, the immediate effects on clinical operations were severe.
Technical Analysis: BlackBasta’s Tactics and Tools
BlackBasta’s ransomware is sophisticated and custom-built for high-impact environments like healthcare. The group employs advanced techniques such as:
- Exploitation of Vulnerabilities: BlackBasta is known to exploit unpatched software vulnerabilities, particularly in remote access tools like VPNs and RDP (Remote Desktop Protocol). Vulnerabilities like CVE-2023-0669 in certain RDP configurations have been used by ransomware groups to gain access to healthcare systems (see CVE-2023-0669 on NVD).
- Encryption Mechanism: Once inside, BlackBasta utilises highly efficient file encryption algorithms, often leveraging T1486 – Data Encrypted for Impact. The ransomware rapidly encrypts large volumes of data, including electronic health records (EHR) and internal administrative files, leaving hospitals unable to access critical patient information.
- Double Extortion: Like other ransomware groups, BlackBasta follows a double extortion model. After encrypting systems, they exfiltrate sensitive data and threaten to release it unless the ransom is paid. This gives the group leverage, even if the victim has backups, as they can still publish confidential data online. The technique used for data exfiltration often involves T1048.002 – Exfiltration Over Asymmetric Encrypted Non-C2 Protocol to avoid detection by security tools.
- Obfuscation and Persistence: BlackBasta uses advanced obfuscation techniques to avoid detection by security software. Tools such as Cobalt Strike and PowerShell scripts are often employed to maintain persistence within the network. This is usually paired with T1059.001 – PowerShell to execute malicious scripts and maintain control over the compromised systems.
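The three techniques above leave traces in ordinary Windows telemetry, and a defender can triage them with simple heuristics. The script below is an added example, not code from the article, from Ascension or from any vendor; every event record in it is constructed in a simplified Sysmon / Security-log shape, and the host names, accounts, thresholds and the `.locked_sample` extension are assumptions for illustration. It decodes `-EncodedCommand` PowerShell launches (T1059.001), flags one account fanning out to many hosts over network or RDP logons (T1021), and flags a process touching many files with a common new extension in a short window (T1486).

```python
"""Heuristic triage of constructed Windows telemetry for the BlackBasta
techniques named above. Added example: event records, hosts, accounts and
thresholds are all constructed for illustration."""
import base64
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _enc(cmd):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PROCESS_EVENTS = [  # constructed, Sysmon Event ID 1 shape
    {"ts": "2024-05-08T02:11:03", "host": "WS-042", "user": "CORP\\jdoe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("Get-Process | Out-File C:\\Temp\\p.txt")},
    {"ts": "2024-05-08T02:15:40", "host": "WS-042", "user": "CORP\\jdoe", "image": PS,
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ts": "2024-05-08T02:16:02", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]
LOGON_EVENTS = [  # constructed, Security Event ID 4624 shape (type 3 = network, 10 = RDP)
    {"ts": "2024-05-08T02:20:00", "account": "CORP\\svc_backup", "src_ip": "10.20.5.42", "dst_host": "EHR-DB01", "logon_type": 3},
    {"ts": "2024-05-08T02:20:07", "account": "CORP\\svc_backup", "src_ip": "10.20.5.42", "dst_host": "EHR-APP02", "logon_type": 3},
    {"ts": "2024-05-08T02:20:15", "account": "CORP\\svc_backup", "src_ip": "10.20.5.42", "dst_host": "FILE-SRV03", "logon_type": 10},
    {"ts": "2024-05-08T02:20:21", "account": "CORP\\svc_backup", "src_ip": "10.20.5.42", "dst_host": "RAD-PACS01", "logon_type": 3},
    {"ts": "2024-05-08T09:00:00", "account": "CORP\\nurse1", "src_ip": "10.30.1.7", "dst_host": "EHR-APP02", "logon_type": 3},
]
_base = datetime(2024, 5, 8, 2, 30, 0)
FILE_EVENTS = [  # constructed, Sysmon Event ID 11 shape: 40 files rewritten in 80 seconds
    {"ts": (_base + timedelta(seconds=2 * i)).isoformat(), "host": "FILE-SRV03",
     "image": "C:\\Users\\Public\\upd.exe", "path": f"E:\\share\\patient{i:03d}.docx.locked_sample"}
    for i in range(40)
] + [
    {"ts": "2024-05-08T08:05:12", "host": "WS-017",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "path": "C:\\Users\\amy\\notes.docx"},
]

ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def find_encoded_powershell(events):
    """T1059.001: decode -EncodedCommand launches so the analyst sees the real script."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        m = ENC_FLAG.search(ev["cmdline"])
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"
        hits.append({"host": ev["host"], "user": ev["user"],
                     "hidden": bool(HIDDEN.search(ev["cmdline"])), "decoded": decoded})
    return hits


def find_lateral_movement(events, min_targets=3, window=timedelta(minutes=10)):
    """T1021: one account from one source reaching >= min_targets distinct hosts inside the window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in (3, 10):
            by_src[(ev["account"], ev["src_ip"])].append(ev)
    alerts = []
    for (account, src_ip), evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        for i, t0 in enumerate(times):
            targets = {e["dst_host"] for e, t in zip(evs, times) if t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                alerts.append({"account": account, "src_ip": src_ip,
                               "targets": sorted(targets), "start": evs[i]["ts"]})
                break
    return alerts


def find_mass_encryption(events, min_files=20, window=timedelta(minutes=5)):
    """T1486: a single process writing >= min_files files inside the window; report the dominant extension."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["image"])].append(ev)
    alerts = []
    for (host, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        j = 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= min_files:
                ext = Counter(e["path"].rsplit(".", 1)[-1].lower() for e in evs).most_common(1)[0][0]
                alerts.append({"host": host, "image": image, "files": len(evs), "extension": ext})
                break
    return alerts


def triage():
    """Run all three detectors over the constructed telemetry."""
    return {"T1059.001": find_encoded_powershell(PROCESS_EVENTS),
            "T1021": find_lateral_movement(LOGON_EVENTS),
            "T1486": find_mass_encryption(FILE_EVENTS)}


if __name__ == "__main__":
    for technique, alerts in triage().items():
        print(technique, alerts)
```

The thresholds are deliberately conservative starting points: a backup service account legitimately reaches many hosts, so in production the lateral-movement rule is usually scoped to interactive accounts or to hosts outside the account's normal pattern, and the mass-write rule is tuned per file server against a baseline of normal churn.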
Impact on Ascension Health’s Operations
The attack significantly impacted Ascension Health’s ability to deliver patient care. Clinical operations, particularly those reliant on IT systems, were severely disrupted:
- Electronic Health Records (EHR) Inaccessibility: Hospitals could not access patient data, medical histories, or critical records, leading to delays in treatment and diagnosis. In some cases, healthcare providers were forced to revert to paper-based systems, which slowed down medical procedures and increased the risk of errors.
- Cancelled Appointments and Surgeries: Non-emergency surgeries were postponed, and appointments were cancelled as staff struggled to operate without their usual IT systems.
- Patient Safety Concerns: In healthcare, timely access to information can be a matter of life and death. The inability to retrieve patient data on demand heightened concerns about patient safety, as doctors were left to make decisions without access to full medical histories.
- Financial Costs: Beyond the immediate operational disruptions, the financial cost of the attack is expected to be substantial. In addition to potential ransom payments, Ascension Health faces costs related to system recovery, legal actions, fines, and the long-term reputational damage of a data breach.
BlackBasta: A Growing Threat to Healthcare
BlackBasta has quickly established itself as a significant ransomware threat, specialising in attacks on sectors like healthcare where downtime and data loss have critical consequences. The group uses a combination of sophisticated technical tactics and aggressive extortion strategies, making them one of the most dangerous ransomware operators targeting health systems today.
Healthcare organisations like Ascension Health are particularly vulnerable due to the sensitive nature of patient data and the high-stakes environment in which they operate. The reliance on interconnected systems across multiple facilities makes it difficult to isolate and contain such attacks once they have begun, further increasing the impact.
Preventive Measures for Healthcare Providers
While no system is immune to ransomware, healthcare institutions can adopt several best practices to mitigate the risk and impact of attacks like BlackBasta’s:
- Regular Backups: Maintaining frequent, secure backups of all critical systems is essential. These backups should be stored offline or in a secure cloud environment to prevent ransomware from encrypting them.
- Network Segmentation: Segregating clinical and non-clinical networks can help contain an attack, ensuring that the spread of ransomware is limited to non-essential systems in the event of a breach.
- Patch Management: Applying patches to vulnerable systems, especially remote access services like VPNs and RDP, is critical. Healthcare providers must stay on top of vulnerability management to protect against exploits like CVE-2023-0669.
- Zero Trust Architecture: Implementing zero trust principles, where every request for access is verified before granting permissions, can help prevent lateral movement across networks once attackers gain a foothold.
- Incident Response Plan: Healthcare providers should have a comprehensive incident response plan in place. This plan should include procedures for isolating ransomware infections, restoring backups, and communicating with patients and staff during an attack.
- Phishing Awareness Training: Since many ransomware attacks begin with phishing, regular training for staff on how to recognise phishing emails is crucial.
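Network segmentation and zero trust are only as good as their enforcement, and the quickest way to find out whether the clinical/non-clinical boundary actually holds is to replay observed flows against the intended policy. The script below is an added example, not code from the article, from Ascension or from any product; the zone address ranges, the allow-list and the flow log are all constructed. It implements a default-deny rule set in which remote-services ports such as RDP (3389), SMB (445) and WinRM (5985) into clinical servers are permitted only from an administrative jump zone or the backup zone, and reports every observed flow the policy would not allow.

```python
"""Replay constructed east-west flow records against a default-deny
segmentation policy separating clinical and non-clinical zones.
Added example: zones, policy and flow log are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed zone map: CIDR -> zone name.
ZONES = {
    "10.10.0.0/16": "clinical-workstations",
    "10.20.0.0/16": "clinical-servers",       # EHR, PACS, file servers
    "10.30.0.0/16": "corporate-workstations",
    "10.40.0.0/16": "corporate-servers",
    "10.50.0.0/24": "backup",
    "10.60.0.0/24": "admin-jump",
}
ZONE_NETS = [(ipaddress.ip_network(cidr), name) for cidr, name in ZONES.items()]

# Allow-list: (src zone, dst zone) -> permitted destination ports. Any pair or
# port not listed is denied, so RDP/SMB from corporate workstations into the
# clinical zone has no path even if the attacker holds valid credentials.
POLICY = {
    ("clinical-workstations", "clinical-servers"): {443, 8443},
    ("corporate-workstations", "corporate-servers"): {443, 445},
    ("admin-jump", "clinical-servers"): {3389, 5985},
    ("admin-jump", "corporate-servers"): {3389, 5985},
    ("backup", "clinical-servers"): {445},
    ("backup", "corporate-servers"): {445},
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONE_NETS:
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(src_ip, dst_ip, dst_port):
    """Return (verdict, src_zone, dst_zone, reason) for one flow under default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", src, dst, "intra-zone")
    if dst_port in POLICY.get((src, dst), set()):
        return ("allow", src, dst, "policy")
    return ("deny", src, dst, "no matching rule")


# Constructed flow log in the shape "<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>".
FLOW_LOG = """
2024-05-08T02:14:01 10.10.3.21:51522 -> 10.20.5.10:443 tcp
2024-05-08T02:14:05 10.30.1.7:49211 -> 10.20.5.10:3389 tcp
2024-05-08T02:14:09 10.30.1.7:49214 -> 10.20.5.11:445 tcp
2024-05-08T02:14:12 10.60.0.5:55001 -> 10.20.5.10:3389 tcp
2024-05-08T02:14:20 10.20.5.10:60100 -> 10.50.0.9:445 tcp
2024-05-08T02:14:31 10.50.0.9:40001 -> 10.20.5.11:445 tcp
2024-05-08T02:14:40 203.0.113.8:1337 -> 10.40.2.2:443 tcp
"""
FLOW_RE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+) (\w+)$")


def parse_flow_line(line):
    """Parse one record of the constructed flow format; None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "dst_port": int(port), "proto": proto}


def find_violations(log_text):
    """Every flow the policy denies, annotated with the zones involved."""
    violations = []
    for line in log_text.strip().splitlines():
        flow = parse_flow_line(line)
        if flow is None:
            continue
        verdict, src_zone, dst_zone, reason = evaluate_flow(flow["src_ip"], flow["dst_ip"], flow["dst_port"])
        if verdict == "deny":
            violations.append({**flow, "src_zone": src_zone, "dst_zone": dst_zone, "reason": reason})
    return violations


def summarize(violations):
    """Count violations per (src zone, dst zone) pair to show where the boundary leaks."""
    return Counter((v["src_zone"], v["dst_zone"]) for v in violations)


if __name__ == "__main__":
    found = find_violations(FLOW_LOG)
    for v in found:
        print(f"DENY {v['src_zone']} -> {v['dst_zone']}:{v['dst_port']} ({v['src_ip']} -> {v['dst_ip']})")
    print(summarize(found))
```

Run against real flow records (firewall, NetFlow or EDR network events), the same evaluation either confirms that the firewall rule base matches the intended design or produces the list of paths a compromised corporate workstation could still use to reach clinical systems, which is exactly what the lateral movement described earlier depends on.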
The BlackBasta ransomware attack on Ascension Health highlights the increasing vulnerability of healthcare systems to cyberattacks. With patient care disrupted and critical data potentially compromised, the incident underscores the importance of investing in strong cybersecurity measures. As ransomware groups like BlackBasta continue to evolve their tactics, healthcare providers must remain vigilant and proactive in defending against these threats.
The stakes are high in healthcare, and attacks like these not only cause operational disruptions but also put lives at risk. Ascension Health’s experience is a reminder that the battle against ransomware is far from over, and healthcare institutions must continuously adapt their defences to stay ahead of the attackers.
Further Reading
- Healthcare and Ransomware: Understanding the Threat – CISA’s guide to ransomware in healthcare
- BlackBasta Ransomware: Techniques and Trends – An overview of BlackBasta’s ransomware operations from Dark Reading
- Managing Healthcare Cybersecurity Risks – The UK National Cyber Security Centre’s guidance on protecting healthcare infrastructure
- CVE-2023-0669: Remote Desktop Vulnerability – National Vulnerability Database entry for this common remote access vulnerability