US healthcare organization Ascension has revealed that an employee who downloaded a malicious file caused the ransomware attack it suffered last month.
Ascension announced on May 8 that it had taken some of its systems offline in response to suspicious activity it detected and concluded was the result of a “cybersecurity event.”
“At this time we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems has been paused while this process continues,” the company said.
The company has now announced that its investigation has progressed and has identified that the threat actor gained access after an employee downloaded what they believed to be a legitimate file, which turned out to be malicious.
“A person working at one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything more than an honest mistake,” an Ascension spokesperson said in a statement issued June 12.
It also determined that threat actors did exfiltrate data.
“At this point, we now have evidence indicating that the attackers were able to take files from a small number of file servers used by our partners primarily for daily, routine tasks.
“These servers represent seven of the approximately 25,000 servers on our network.
“While we are still investigating, we believe that some of those files may contain protected health information (PHI) and personally identifiable information (PII) for certain individuals, although the specific data may differ from individual to individual.”
Ascension added that there was still nothing to indicate that the data was taken from its Electronic Health Records (EHR) or any other clinical system.
It is also currently conducting a full review of records it believes may have been affected and will analyze them to determine precisely what data was “potentially affected and for which patients.”
While Ascension did not attribute the ransomware attack to a specific group, CNN was quick to report that Black Basta was responsible for the breach, citing sources saying that the threat actors used Black Basta ransomware, which has been deployed multiple times against US healthcare organizations.
After the media attributed the Ascension attack to Black Basta, the American Hospital Association (AHA), H-ISAC (Health Information Sharing and Analysis Center) and the FBI published advisories about Black Basta.
The AHA released its advisory following the push from H-ISAC, which provided a series of recommendations for hospitals defending against Black Basta.
“Recent actionable threat information provided by our partners at Health-ISAC and government agencies indicates that this well-known Russian-speaking group is actively targeting the US and global healthcare sector with high-impact ransomware attacks designed to disrupt operations,” said John Riggi, the AHA's national advisor for cybersecurity and risk.
“It is recommended that this alert be reviewed with great urgency and recommended technical mitigations implemented. We anticipate additional threat intelligence in the near term, which will be further disseminated into the field.”
H-ISAC warns that threat actors using Black Basta ransomware have previously exploited vulnerabilities in a number of products, including Fortra GoAnywhere MFT, the ConnectWise ScreenConnect authentication bypass, VMware OpenSLP and Microsoft Windows privilege escalation flaws, among others.
Similarly, the FBI advisory, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), warns that a number of organizations in the US, EU and Australia have suffered attacks at the hands of Black Basta and that actors affiliated with the group have attacked at least 12 of the 16 critical infrastructure sectors.
“Healthcare organizations are attractive targets for cybercriminals due to their size, technological dependence, access to personal health information, and the unique impacts of disruptions to patient care,” the advisory says.
The advisory also noted that the group is known for exploiting known vulnerabilities and phishing attacks to gain initial access before engaging in double extortion with data theft and system encryption.
“Ransom notes generally do not include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (accessible through the Tor browser),” the advisory says.