Fresh Black Basta TTPs revealed as CISA says CNI hit
Ransomware group using "Backstab" to kill EDR processes.
Black Basta ransomware has hit companies in 12 of the US’s 16 critical infrastructure sectors since April 2022, federal agencies have revealed.
The US lists 16 total critical infrastructure categories, including the chemicals sector, the “defence industrial base”, dams, and finance.
A joint advisory from four agencies, including CISA and the FBI, came as part of the ongoing #StopRansomware campaign, which publishes information on cybercriminals’ “Tactics, Techniques, and Procedures” (TTPs) and, where possible, shares indicators of compromise (IOCs).
This has included working with ransomware victims such as Boeing (which faced a $200 million ransom demand after being hit by LockBit) to share IOCs swiftly so that others can strengthen their defences.
The agencies are calling for critical infrastructure and healthcare providers to apply a list of mitigations promptly to reduce risk.
What are the mitigations?
- Install updates for operating systems, software, and firmware as soon as they are released [CPG 1.E]. Prioritise patching vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
- Require phishing-resistant multi-factor authentication (MFA) [CPG 2.H] for as many services as possible.
- Implement the recommendations, including training users to recognise and report phishing attempts [CPG 2.I], from the joint Phishing Guidance: Stopping the Attack Cycle at Phase One.
- Secure remote access software by applying the mitigations from the joint Guide to Securing Remote Access Software.
- Make backups of critical systems and device configurations [CPG 2.R] to enable devices to be repaired and restored.
- Apply mitigations from the joint #StopRansomware Guide.
Black Basta TTPs
The advisory also revealed that Black Basta affiliates have breached over 500 organisations since 2022. The most recent high-profile incident involving the group saw it hit Ascension, a major healthcare provider that runs over 140 hospitals nationwide.
See also: One of the US's largest hospital providers, Ascension, fired IT staff in a cost-cutting drive; now it’s sucking up a cyber attack
In their attacks, Black Basta affiliates rely predominantly on phishing, but also exploit exposed credentials and/or unpatched software vulnerabilities, including CVE-2024-1709, CVE-2020-1472, CVE-2021-42278, CVE-2021-42287, and CVE-2021-34527.
The group has also been seen deploying an open-source tool called Backstab, which was created to disable endpoint detection and response (EDR) tooling by using a signed Microsoft process, part of a growing trend of using (sometimes custom-built) drivers to kill off EDR products.
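The mitigation list above asks defenders to prioritise patching KEV-listed vulnerabilities, and the advisory names the CVEs this group has exploited. The following is an added example, not code from the advisory or from CISA, of how a defender can rank scanner findings against the KEV feed: entries flagged for known ransomware campaign use first, then other KEV entries ordered by how far past their remediation due date they are, then everything else. The field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) mirror CISA’s JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the catalog excerpt, its dates and flags, the scanner findings, the hostnames and the reference date are all constructed for illustration; fetch the live feed before relying on any of it.

```python
"""Rank vulnerability-scanner findings against CISA's KEV catalog (added example)."""
import json
from datetime import date

# Constructed excerpt in the shape of the real KEV feed. Field names match the feed;
# the dates and ransomware flags are illustrative, not copied from CISA.
KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dueDate": "2024-02-29", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
     "dueDate": "2020-09-21", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-42278", "vendorProject": "Microsoft", "product": "Active Directory",
     "dueDate": "2022-02-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-42287", "vendorProject": "Microsoft", "product": "Active Directory",
     "dueDate": "2022-02-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
     "dueDate": "2021-07-20", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed scanner output: (host, CVE) pairs as a vulnerability scanner might report them.
FINDINGS = [
    ("dc01.corp.example", "CVE-2020-1472"),
    ("dc01.corp.example", "CVE-2021-42278"),
    ("dc01.corp.example", "CVE-2021-42287"),
    ("print01.corp.example", "CVE-2021-34527"),
    ("remote.corp.example", "CVE-2024-1709"),
    ("web01.corp.example", "CVE-2099-0001"),  # constructed ID, deliberately absent from KEV
]

TIER_LABELS = {0: "KEV, known ransomware use", 1: "KEV", 2: "not in KEV"}


def load_kev_index(catalog_json: str) -> dict:
    """Parse KEV feed text into {cveID: entry}; raises KeyError on an unexpected shape."""
    catalog = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def _days_overdue(entry: dict, today: date) -> int:
    """Days since the entry's KEV remediation dueDate, floored at zero."""
    due = date.fromisoformat(entry["dueDate"])
    return max((today - due).days, 0)


def prioritise(findings, kev_index: dict, today: str = "2024-05-15") -> list:
    """Return findings as dicts, most urgent first.

    Tier 0: in KEV and flagged for known ransomware campaign use.
    Tier 1: in KEV without that flag.
    Tier 2: not in KEV (still patch, but after the above).
    Within a tier the most overdue due date sorts first. `today` defaults to a
    constructed date so results are reproducible; pass the real date in practice.
    """
    as_of = date.fromisoformat(today)
    ranked = []
    for host, cve in findings:
        entry = kev_index.get(cve)
        if entry is None:
            tier, overdue = 2, 0
        else:
            tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
            overdue = _days_overdue(entry, as_of)
        ranked.append({"host": host, "cve": cve, "tier": TIER_LABELS[tier],
                       "days_overdue": overdue, "_key": (tier, -overdue, cve)})
    ranked.sort(key=lambda r: r["_key"])
    for row in ranked:
        del row["_key"]
    return ranked


if __name__ == "__main__":
    for row in prioritise(FINDINGS, load_kev_index(KEV_JSON)):
        print(f'{row["tier"]:<28} {row["cve"]:<16} {row["host"]:<22} overdue {row["days_overdue"]}d')
```

Swapping `KEV_JSON` for the downloaded feed and `FINDINGS` for real scanner output is the only change needed to use this on a live estate; the `knownRansomwareCampaignUse` flag is the field that lets a patching queue put the CVEs ransomware crews are actually using ahead of the rest of the backlog.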
Black Basta typically gives victims between 10 and 12 days to pay the ransom before the group publishes the stolen data on its Tor site, Basta News. The group was first seen using QakBot as an initial vector and has been escalating its activity since, having been linked to 7.5% of confirmed ransomware attacks that took place in April 2024.
Healthcare organisations are being increasingly targeted, with ransomware attacks on the sector nearly doubling in 2023.
“Healthcare organisations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.”
Black Basta, like many other ransomware operations, has taken advantage of this. CISA has urged healthcare providers and other targeted sectors to apply the recommendations in the joint Cybersecurity Advisory (CSA) to reduce the risk of attack.
CISA emphasises the importance of robust security measures for critical infrastructure operators, including regular patching, multi-factor authentication (MFA), and employee training. Last week the Biden administration suggested that it would “look to [put] in place minimum cybersecurity standards for hospitals in the near term,” according to Anne Neuberger, a senior cybersecurity advisor speaking to Bloomberg.
CISA’s full list of TTPs and IOCs is here.