Cyber Attack Cripples Ascension Healthcare Systems

Los Alamos
For the Los Alamos Daily Post

Currently in America your ambulance is most likely to be turned away from an Ascension Healthcare hospital because:

1. You don’t have insurance, and they are going to drop you off in a WalMart parking lot instead;
2. No money? No emergency room!;
3. Aliens kidnapped all the doctors; or
4. Ransomware attack!

If you guessed “4. Ransomware attack”, congrats!

Ascension is one of the largest private healthcare systems in the US, ranking second in the country by number of hospitals in 2019. They have a presence in 19 states and Washington, D.C., with over 142,000 employees and 142 hospitals.

They are the latest in a string of large healthcare providers to suffer a devastating ransomware attack. Ascension first detected “unusual activity” on their networks May 8, later determining it was due to a ransomware attack.

What services have been impacted by this attack? Health records systems, the patient portals patients use to view their medical records, and phone systems were all impacted by the breach. Ascension has been forced to divert ambulances for emergency care, and has paused some non-emergency elective procedures, appointments and tests while it works through its response to the attack. Hospitals remain open and are providing care, but conditions at the hospitals are reported as being “chaotic” and a “crisis situation” as providers and nurses are forced to revert to manual and paper-based systems.

Think about it. How successful could you be at your job if all computer networks and business systems you rely on were down? Now think about how hard it would be to provide medical care in this situation, and you begin to grasp how dire this can be for patient care. It’s a mess for providers and patients.

How did this happen? Details as to the actual attack on Ascension are sketchy, but we do know the bad actors behind the attack: the Black Basta ransomware group. Black Basta is a native Russian-speaking group that has been active since 2022, operating under the RaaS model – that’s Ransomware as a Service. Their business model is: crime!

Basically, RaaS is a subscription to a software service to launch ransomware attacks. Fun.

The CISA (Cybersecurity & Infrastructure Security Agency) released a cybersecurity advisory Friday, May 10, about Black Basta, noting that the group has encrypted and stolen data from “at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.”

How do they execute these attacks? Per the CISA report:

“Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.”

Spoiler: If you don’t pay, your data will be dumped on their “shaming” site for all to see. And whether or not a ransom should be paid remains a hot topic of debate, as data is frequently leaked even with a ransom payment.

Research has shown a somewhat novel technique being used by Black Basta recently: flooding user inboxes with spam emails in such volumes that they overwhelmed the email protection solutions in place. According to Rapid7 researchers, they “determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.”

Example image from Ars Technica article.

The “in” here isn’t actually in the emails, it’s in the social engineering follow up by Black Basta. As the impacted users struggled under the blitz of spam emails, bad actors from Black Basta called the impacted users posing as an IT help desk employee from their organization, ready to assist with the flood of spam. The bad actors attempted to social engineer the users into providing them with remote access to their machine; if unsuccessful they’d move on until they were able to gain access. After success, the bad actors would run malicious scripts on the user’s host, posing as legitimate software updates, to install malware to allow for attacker command and control.
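As an added illustration (not code from this column, CISA or Rapid7), the following Python sketch shows one way a mail administrator could flag the inbox-flooding stage described in the two paragraphs above, so the help desk knows a user is being bombed before a caller claiming to be IT does. The log format, thresholds and sample lines are constructed assumptions; the signature it looks for is a per-recipient surge of mail spread across many unrelated sender domains, which a single noisy mailing list does not produce.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail-gateway log: "<ISO timestamp> <recipient> <sender domain> <subject>".
# Invented for illustration; not real Ascension, Rapid7 or Black Basta data.
SAMPLE_LOG = """\
2024-05-06T09:00:05 alice@example.org newsletter-a.example Confirm your subscription
2024-05-06T09:00:41 bob@example.org partner.example Q2 invoice attached
2024-05-06T09:01:12 alice@example.org shop-b.example Welcome! Please confirm your email
2024-05-06T09:01:50 carol@example.org lists.example [dev] digest 1 of 6
2024-05-06T09:02:03 alice@example.org forum-c.example Activate your account
2024-05-06T09:02:10 carol@example.org lists.example [dev] digest 2 of 6
2024-05-06T09:02:44 alice@example.org news-d.example Verify your subscription
2024-05-06T09:02:59 carol@example.org lists.example [dev] digest 3 of 6
2024-05-06T09:03:15 alice@example.org club-e.example You're almost signed up
2024-05-06T09:03:30 carol@example.org lists.example [dev] digest 4 of 6
2024-05-06T09:03:48 alice@example.org shop-b.example Please confirm your email
2024-05-06T09:04:01 carol@example.org lists.example [dev] digest 5 of 6
2024-05-06T09:04:20 carol@example.org lists.example [dev] digest 6 of 6
2024-05-06T09:31:00 bob@example.org partner.example Re: Q2 invoice
"""

WINDOW = timedelta(minutes=10)   # sliding window per recipient (assumed tuning value)
THRESHOLD = 5                    # messages inside the window needed to trip an alert
MIN_DOMAINS = 4                  # distinct sender domains: many unrelated legitimate orgs

def parse_line(line):
    ts, rcpt, domain, subject = line.split(" ", 3)  # subject may itself contain spaces
    return datetime.fromisoformat(ts), rcpt, domain, subject

def detect_email_bombing(log_text, window=WINDOW, threshold=THRESHOLD, min_domains=MIN_DOMAINS):
    """Return {recipient: (peak message count, peak distinct sender domains)} for each
    recipient whose inbound volume inside `window` reaches `threshold` messages spread over
    at least `min_domains` domains. A burst from one domain (a list digest) does not alert."""
    recent = defaultdict(deque)  # recipient -> (timestamp, domain) entries still inside window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, rcpt, domain, _ = parse_line(line)
        q = recent[rcpt]
        q.append((ts, domain))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        domains = {d for _, d in q}
        if len(q) >= threshold and len(domains) >= min_domains:
            peak_count, peak_domains = alerts.get(rcpt, (0, 0))
            alerts[rcpt] = (max(peak_count, len(q)), max(peak_domains, len(domains)))
    return alerts
```

On the sample log only alice is flagged (six messages from five domains in under four minutes); carol's six list digests come from one domain and bob's two messages fall outside the window.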

In addition to social engineering, Black Basta exploited unpatched vulnerabilities to gain a foothold in the target’s network.

Big takeaway here? Bad actors will use any resources they can to stress users to the point where they will fall for a social engineering attack. Educate your users about phishing and other social engineering techniques. The other takeaway: patch, patch, patch everything you can.

The Ascension Healthcare attack is an unfolding situation, and it will be interesting to see where it ends up, whether or not they pay the ransom, and if it will end in yet another data breach. Be aware of attackers and stay safe online!

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.



