Russian cyber threat on U.S. healthcare deepens

The bottom line

Recent healthcare cyberattacks have shown how disruptive and widespread these attacks can be to operations patient care, so healthcare organizations should take these cyber threat alerts seriously and bolster defenses against these cybercriminal groups, which are predominantly Russian.

What happened

The Health Information Sharing and Analysis Center (Health-ISAC) — a trusted community of healthcare infrastructure owners and operators that monitors and advises industry and government stakeholders about cyber threats, incidents, and vulnerabilities — issued a high alert about Black Basta as one of the most active ransomware-as-a-service (RaaS) groups targeting healthcare.

Some news reports (CNN, Washington Post) have suggested the recent cyber incident disrupting the Ascension healthcare network was a Black Basta ransomware attack.

Health-ISAC’s collaboration partner the Health Sector Cybersecurity Coordination Center (HC3) published a Black Basta cyber threat report in Mid-March this year, detailing the group’s motivations (shocker: money) and common tactics, techniques, and procedures (TTPs).

Suspected to be an offshoot of the well-known Russian RaaS group Conti, Black Basta emerged in 2022 as a serious cyber threat actor. Health-ISAC warned this group uses double extortion tactics, encrypting victims’ data and threatening to release the protected data on their dark web (i.e. Tor) leak site called Basta News.

What it means

The cyber threat is serious and imminent. The warnings from Health-ISAC and HC3 indicate a significant risk for US healthcare providers becoming victims of Black Basta attacks. The recent incidents at Ascension and Change Healthcare highlight the potential consequences. These attacks can severely disrupt operations, damage patient care, and lead to the exposure of sensitive patient data.

Defenses need to be bolstered “yesterday.” Healthcare providers may need to invest heavily in cybersecurity measures to defend against attacks like these. This includes upgrading systems, improving data security protocols, and potentially implementing cyber insurance. As many ransomware attacks rely on infiltration via tricking authorized users or exploiting system and device vulnerabilities, providers need to educate staff on phishing and malware avoidance, and work with vendors and other partners to address vulnerabilities. Information sharing and collaboration with other industry organizations and cybersecurity experts is also advised.

Related information and resources

• CHIME federal government cybersecurity resources
• Cyberattack on Ascension system creates care disruptions
• Change Healthcare confirms ALPHV/BlackCat cyberattack
• Leaked Ransomware Docs Show Conti Helping Putin From the Shadows (WIRED)
• Congress interrogates UnitedHealth CEO over Change Healthcare cyberattack
• Change Healthcare stolen data appears on dark web
• Key takeaways from the Change Healthcare hearing
• CISA Alert on Conti Ransomware
• Building resilient cybersecurity approaches