US healthcare organisation Ascension has revealed that an employee downloading a malicious file led to the ransomware attack it suffered last month.
Ascension announced on 8 May that it had taken some of its systems offline in response to suspicious activity it detected and concluded was the result of a “cyber security event”.
“At this time, we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems [has] been interrupted as this process continues,” it said.
The company has now announced that its investigation has progressed and identified that the threat actor gained access after an employee downloaded what they believed to be a legitimate file, which turned out to be malicious.
“An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake,” an Ascension spokesperson said in a statement released on 12 June.
It also determined that the threat actors did exfiltrate data.
“At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks.
“These servers represent seven of the approximately 25,000 servers across our network.
“Though we are still investigating, we believe some of those files may contain protected health information (PHI) and personally identifiable information (PII) for certain individuals, although the specific data may differ from individual to individual.”
Ascension added that there was nothing yet to indicate that data was taken from its Electronic Health Records (EHR) or any other clinical systems.
It is also currently running a full review of the files that it believes may have been affected and will analyse them to determine precisely what data was “potentially affected and for which patients”.
While Ascension failed to attribute the ransomware attack to a specific group, CNN was quick to report that Black Basta was responsible for the breach, citing sources saying that the threat actors used Black Basta ransomware, which has been used several times against US healthcare organisations.
Following the media attribution of the Ascension attack to Black Basta, the American Hospital Association (AHA), in conjunction with H-ISAC (Health Information Sharing and Analysis Centre), and the FBI have released advisories on Black Basta.
The AHA released its advisory following a push from H-ISAC, which provided a number of recommendations for hospitals defending against Black Basta.
“Recent actionable threat intelligence provided by our partners in the Health-ISAC and government agencies indicates that this known Russian-speaking group is actively targeting the US and global healthcare sector with high-impact ransomware attacks designed to disrupt operations,” the AHA’s national adviser for cyber security and risk, John Riggi, said.
“It is recommended that this alert be reviewed with high urgency and the recommended technical mitigations be put in place. We anticipate additional threat intelligence in the near term, which will be further disseminated to the field.”
The H-ISAC advises that threat actors using Black Basta ransomware have previously abused vulnerabilities in a number of products, including Fortra GoAnywhere MFT, the ConnectWise ScreenConnect authentication bypass, VMware OpenSLP and Microsoft Windows privilege flaws, among others.
Similarly, the FBI advisory, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Centre (MS-ISAC), warns that a number of businesses in the US, the EU and Australia had suffered attacks at the hands of Black Basta and that actors with connections to the group had targeted at least 12 of 16 critical infrastructure centres.
“Healthcare organisations are attractive targets for cyber crime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions,” the advisory said.
The advisory also noted that the group is known for exploiting known vulnerabilities and phishing attacks to gain initial access before engaging in double extortion with the theft of data and encryption of systems.
“Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser),” the advisory said.