Ascension has announced that it is beginning to restore its systems as it continues its investigation into a cyberattack it suffered last week.
The leading US private healthcare organization was forced to take some of its systems offline after detecting suspicious activity as a result of a “cybersecurity event”.
“At this time we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts,” it said last week.
“Access to some systems has been interrupted while this process continues.”
Now, the group has revealed that a ransomware attack was the cause of the incident and said it was “making progress” in restoring its systems.
“Ascension, with the support of leading cybersecurity experts, worked around the clock over the weekend to respond to the ransomware incident that affected our systems,” it said in its latest update.
“We are focused on restoring systems safely. We are making progress; however, it will take time to return to normal operations.
“As systems and services come back online, we will share those updates so our patients and communities can plan accordingly.”
While Ascension did not attribute the ransomware attack to a specific group, CNN reported that Black Basta was responsible for the breach, citing sources who say the threat actors used Black Basta ransomware, which has been used multiple times against US healthcare organizations.
After the media attributed the Ascension attack to Black Basta, the American Hospital Association (AHA), along with H-ISAC (Health Information Sharing and Analysis Center), and the FBI issued advisories about Black Basta.
The AHA released its advisory following the push from H-ISAC, which provided a series of recommendations for hospitals defending against Black Basta.
“Recent actionable threat information provided by our partners at Health-ISAC and government agencies indicates that this well-known Russian-speaking group is actively targeting the US and global healthcare sector with high-impact ransomware attacks designed to disrupt operations,” said the AHA's national cyber security and risk advisor, John Riggi.
“It is recommended that this alert be reviewed with great urgency and recommended technical mitigations implemented. We anticipate additional threat intelligence in the near term, which will be further disseminated into the field.”
H-ISAC warns that threat actors using Black Basta ransomware have previously abused vulnerabilities in a number of programs, such as Fortra GoAnywhere MFT, ConnectWise ScreenConnect authentication bypass, VMware OpenSLP, Microsoft Windows privileges, and more.
Similarly, the FBI advisory, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multistate Information Sharing and Analysis Center (MS-ISAC), warns that a number of companies in the US, EU and Australia had suffered attacks at the hands of Black Basta and that actors with connections to the group had attacked at least 12 of 16 critical infrastructure sectors.
“Healthcare organizations are attractive targets for cybercriminals due to their size, technological dependence, access to personal health information, and the unique impacts of disruptions to patient care,” the advisory says.
The advisory also noted that the group is known for exploiting known vulnerabilities and using phishing attacks to gain initial access before engaging in double extortion with data theft and system encryption.
“Ransom notes generally do not include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (accessible through the Tor browser),” the notice says.