Share this article on:
Ascension has announced that it’s beginning to restore its systems as it continues its investigation into a cyber attack it suffered last week.
The major US private healthcare organisation was forced to take some of its systems offline after it detected suspicious activity as a result of a “cyber security event”.
“At this time, we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts,” it said last week.
“Access to some systems have been interrupted as this process continues.”
Now, the group has revealed that a ransomware attack was the cause of the incident and said that it was “making progress” in restoring its systems.
“Ascension, with the support of leading cyber security experts, worked around the clock over the weekend to respond to the ransomware incident affecting our systems,” it said in its latest update.
“We are focused on restoring systems safely. We are making progress; however, it will take time to return to normal operations.
“As systems and services come back online, we will share those updates so that our patients and communities can plan accordingly.”
While Ascension failed to attribute the ransomware attack to a specific group, CNN has reported that Black Basta was responsible for the breach, citing sources saying that the threat actors used Black Basta ransomware, which has been used several times against US healthcare organisations.
Following the media attributing the Ascension attack to Black Basta, both the American Hospital Association (AHA), in conjunction with H-ISAC (Health Information Sharing and Analysis Centre), and the FBI have released advisories on Black Basta.
The AHA released its advisory following a push from H-ISAC, which provided a number of recommendations for hospitals defending against Black Basta.
“Recent actionable threat intelligence provided by our partners in the Health-ISAC and government agencies indicate that this known Russian-speaking group is actively targeting the US and global healthcare sector with high-impact ransomware attacks designed to disrupt operations,” said the AHA’s national adviser for cyber security and risk, John Riggi.
“It is recommended that this alert be reviewed with high urgency and the recommended technical mitigations be put in place. We anticipate additional threat intelligence in the near term, which will be further disseminated to the field.”
The H-ISAC advises that threat actors using Black Basta ransomware have previously abused vulnerabilities with a number of programs such as Fortra GoAnywhere MFT, ConnectWise ScreenConnect authentication bypass, VMware OpenSLP, Microsoft Windows privileges and more.
Similarly, the FBI advisory, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Centre (MS-ISAC), warns that a number of businesses in the US, the EU and Australia had suffered attacks at the hands of Black Basta and that actors with connections to the group had targeted at least 12 of 16 critical infrastructure centres.
“Healthcare organisations are attractive targets for cyber crime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the advisory said.
The advisory also noted that the group is known for exploiting known vulnerabilities and phishing attacks to gain initial access before engaging in double extortion with the theft of data and encryption of systems.
“Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser),” the advisory said.