Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

500+ organizations globally breached in Black Basta ransomware attack

500+ organizations globally breached in Black Basta ransomware attack


Federal agencies have raised concerns about Black Basta ransomware, uncovering breaches in more than 500 organizations.


What happened?

CISA and the FBI reported that Black Basta ransomware affiliates breached over 500 organizations between April 2022 and May 2024, encrypting and stealing data from at least 12 critical infrastructure sectors. The joint report, also involving the Department of Health and Human Services and the Multi-State Information Sharing and Analysis Center (MS-ISAC), highlighted Black Basta's targeting of private industry and critical infrastructure across North America, Europe, and Australia. Notably, a recent ransomware attack on healthcare giant Ascension was linked to Black Basta, prompting heightened concern within the healthcare sector.

The gang emerged as a ransomware-as-a-service (RaaS) operation in April 2022 and has since breached many high-profile victims, including German defense contractor Rheinmetall, Hyundai's European division, U.K. technology outsourcing company Capita, industrial automation company ABB, the Toronto Public Library, the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada.

The federal advisory provides tactics, techniques, and procedures (TTPs) used by Black Basta affiliates, emphasizing the importance of keeping systems updated, implementing phishing-resistant multi-factor authentication (MFA), and training users to detect and report phishing attempts.

Healthcare organizations, in particular, are urged to apply the recommended mitigations due to their attractiveness to cybercriminals and the potential for significant disruptions to patient care. The advisory underscores the need for proactive measures to mitigate the risks posed by Black Basta and other ransomware attacks across critical infrastructure sectors.

Read alsoAscension Health falls victim to cyberattack, impacting 13.4 million


Going deeper 

Black Basta operates as a ransomware-as-a-service provider, allowing affiliates to deploy malware and run cyberattack campaigns in exchange for a percentage of the ransom payments. Most cyberattacks are initiated by exploiting known vulnerabilities and phishing campaigns.

Emerging in 2022, it is believed to have originated from a faction of the Conti cybercrime syndicate after Conti shut down in June 2022 following a series of data breaches.

The group utilizes tactics such as encrypting and stealing data from various sectors and has been linked to high-profile incidents like the ransomware attack on healthcare giant Ascension.


What was said?

In a joint report the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) disclosed that the Black Basta gang had encrypted and stolen data from at least 12 of the 16 critical infrastructure sectors.

In their cybersecurity alert, CISA said, "Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia." On the 10th of May, Health-ISAC (Information Sharing and Analysis Center) also issued a threat bulletin warning that the Black Basta ransomware gang "has recently accelerated attacks against the healthcare sector."

While the federal agencies didn't share what prompted their advisory, Black Basta has been linked to a suspected ransomware attack that hit Ascension Health, forcing the U.S. healthcare network to redirect ambulances to unaffected facilities.

The joint advisory also recommends that operating systems, software, and firmware be regularly updated; phishing-resistant MFA should be implemented wherever possible; and users should be trained to identify and report potential phishing attacks to reduce the risk of a ransomware attack from this group. Defenders are also advised to secure their remote access software by following CISA's recommendations and taking regular backups of device configurations and critical systems so repairs can be made more quickly if needed.

CISA and the FBI emphasized that "healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions."


In the know

Ransomware-as-a-Service (RaaS) is a model where cybercriminals create and distribute ransomware to other criminals. In this model, the creators of the ransomware (often technically skilled individuals or groups) provide the malicious software to affiliates or subscribers, who may have less technical expertise. These affiliates then use the ransomware to target individuals, businesses, or organizations, encrypting their data and demanding payment for decryption keys.


Why it matters

The emergence of RaaS operations like Black Basta exacerbates the threat landscape, allowing cybercriminals with varying levels of expertise to execute sophisticated attacks. This is demonstrated by the concerning surge and consequences of ransomware attacks orchestrated by Black Basta and similar groups. With over 500 organizations breached between April 2022 and May 2024, the scale of the threat is immense. 

The joint advisory from CISA, the FBI, and other agencies highlights the urgency for companies to reinforce their digital security procedures by keeping software up-to-date, installing multi-factor authentication mechanisms, and educating users on spotting phishing schemes.

See also: Paubox Weekly: Report reveals ransomware attacks reached record high in July



What is a ransomware attack?

A ransomware attack is a type of cyber attack where malicious software, known as ransomware, is deployed to infect a computer system or network. Once infected, the ransomware encrypts the victim's files or locks them out of their system, rendering them inaccessible. The attacker then demands a ransom payment, usually in cryptocurrency, in exchange for providing the decryption key or restoring access to the system.


Why are healthcare organizations at an increased risk of cyberattacks?

The healthcare industry faces diverse cyber threats that can have severe consequences for organizations and patients. The healthcare industry is an ideal target for cyber threat actors because of its vast amounts of sensitive data and critical infrastructure.

Learn more


What cyberattacks are common in the healthcare industry?

Healthcare organizations face a wide range of cyber threats that can compromise patient privacy, disrupt healthcare services, and result in financial losses or regulatory penalties. These include: 

  • Ransomware attacks
  • Phishing
  • Data breaches
  • Malware
  • Denial-of-service (DoS) attacks
  • IoT device vulnerabilities
  • Supply chain attacks 

Go deeperWhat are the most common cyberattacks in healthcare?

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.