Black Basta Ransomware Attack Brought Down Ascension IT Systems: Report

On Friday, the nonprofit group Health-ISAC (Information Sharing and Analysis Center) issued an alert about the group, saying that Russia-linked Black Basta has “recently accelerated attacks against the healthcare sector.”



A cyberattack that affected clinical operations at St. Louis-based Ascension health system was perpetrated by Russia-linked ransomware group Black Basta, according to a report.

CNN, citing four sources, reported Friday that the group was responsible for the Ascension breach disclosed Wednesday.

On Friday, the nonprofit group Health-ISAC (Information Sharing and Analysis Center) issued an alert about the group, saying that Black Basta has “recently accelerated attacks against the healthcare sector.”

CRN has reached out to both Ascension and the U.S. Department of Health and Human Services, which has been aware of the group and issued its own alert in March 2023.

HHS said that Black Basta was first observed in early 2022 and is known for double-extortion attacks: the group not only deploys ransomware but also exfiltrates sensitive data, operating a leak site on which it publicly releases that data if a victim fails to pay the ransom.

“The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups,” the alert from HHS said.

According to a report from blockchain analytics firm Elliptic and cyber-risk insurer Corvus Insurance, Black Basta has extorted more than $100 million from 329 organizations in less than two years. Previous victims include Dish Network, the American Dental Association, business process services firm Capita and tech firm ABB.

On Thursday, Ascension said that its electronic health records system was “currently unavailable” and that it was pausing some non-emergency elective procedures at its hospitals “out of an abundance of caution.”

Ascension, a nonprofit and Catholic health system with 140 hospitals in the U.S., said Wednesday that it initially detected “unusual activity on select technology network systems.” In an update Thursday, Ascension referred to the data breach as a “cybersecurity incident” and said that it was working “around the clock with internal and external advisors to investigate, contain, and restore our systems following a thorough validation and screening process.” The nonprofit had already said that it was using Mandiant to assist in the investigation and remediation process.

The health system said in its latest update that it did not have a timeline for restoring its system.


Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel and Cobalt Strike (IOCs)

SHA-256 hashes and detection names
