Ransomware Attack on Healthcare Giant Ascension Affects 5.6 Million Individuals

Published on
December 23, 2024

In May 2024, Ascension Health, one of the largest healthcare systems in the U.S., fell victim to a ransomware attack affecting approximately 5.6 million individuals. The attack, detected on May 8, disrupted hospital operations nationwide, forcing many of its facilities to fall back to manual downtime procedures and redirect emergency services.

While most services were restored by mid-June, the attackers had already exfiltrated sensitive data, including protected health information (PHI) and personally identifiable information (PII). Ascension's December 19 update confirmed that its investigation into the breach was complete and that notification letters would be sent to affected individuals.

The compromised data varied by individual but included names, addresses, dates of birth, Social Security numbers, medical records, insurance details, tax IDs, payment information, and more. Both patients and employees were affected by the breach, SecurityWeek reports.

Ascension, a non-profit health system, operates about 140 hospitals and 40 senior living facilities, which underscores the scale of the breach and its potential long-term implications.

To assist victims, Ascension is offering one year of free credit monitoring and identity protection, along with a $1 million insurance reimbursement policy.  

Sources indicate the Black Basta ransomware group may have been involved. No group has publicly claimed responsibility, and one possible explanation for that silence is that a ransom was paid.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Black Basta, a Ransomware-as-a-Service (RaaS) group that emerged in early 2022, is believed to be an offshoot of the now-defunct Conti and REvil cybercrime gangs.  

The group is renowned for its aggressive tactics, technical sophistication, and focus on high-stakes targets in industries such as healthcare, manufacturing, finance, and telecommunications. Operating with a select group of vetted affiliates, Black Basta maintains tight operational control, enabling precise and highly effective attacks.

The group's ransomware, written in C++, targets both Windows and Linux systems (including VMware ESXi hosts). It uses a hybrid encryption scheme: file contents are encrypted with ChaCha20, and the ChaCha20 keys are in turn encrypted with an RSA-4096 public key, so encrypted files cannot be recovered without the attackers' RSA private key; clean, offline backups remain the only reliable recovery path.

Black Basta is adept at exploiting vulnerabilities, including those in VMware ESXi, ConnectWise ScreenConnect (CVE-2024-1709), and the Windows Print Spooler (PrintNightmare, CVE-2021-34527), and at using credentials bought from Initial Access Brokers (IABs). The group also abuses insecure Remote Desktop Protocol (RDP) configurations and deploys malware such as Qakbot for initial access and lateral movement.

Black Basta employs a double extortion model, exfiltrating sensitive data and threatening to publish it if ransom demands, sometimes as high as $9 million, are not met. Its leak site serves as a pressure tactic to coerce payment, and an estimated 35% of victims pay.

Black Basta is also known for disabling security tooling with PowerShell commands and Group Policy Objects (GPOs) before deploying its encryptor. This meticulous, targeted approach, combined with its readiness to exploit vulnerabilities, has made the group a major force in the ransomware landscape.
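Defenders can catch the defense-tampering step because the cmdlets used for it are few and distinctive. The following is an added example (not from this post, and not Halcyon tooling): a small Python scanner over constructed log lines shaped like the ScriptBlockText of PowerShell event 4104, which flags commands that switch off Defender features, add Defender exclusions, disable the Defender service, push a Defender-disabling registry policy through Group Policy, or turn off the Windows Firewall. The log format, hostnames, timestamps and the rule set are all assumptions; a real deployment would read the fields from the event log or a SIEM.

```python
"""Flag PowerShell script blocks that tamper with Windows defenses.

Added example, not from the Halcyon post. The log lines are constructed
to resemble "<timestamp> <host> <event id> <ScriptBlockText>"; event
4104 is Microsoft-Windows-PowerShell/Operational script block logging.
"""
import re
from dataclasses import dataclass

# Assumed rule set: cmdlets/switches a defender would want to alert on.
# Re-enabling (e.g. -DisableRealtimeMonitoring $false) is deliberately
# NOT matched, so the rules look for $true or 1 where a value is given.
DEFENSE_TAMPERING = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|"
        r"BehaviorMonitoring|ScriptScanning)\s*:?\s*(\$true|1)\b", re.I),
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I),
    "defender_service_stop": re.compile(
        r"(Stop-Service|Set-Service)\b.*\b(WinDefend|Sense|MsMpSvc)\b", re.I),
    # Any script that writes the DisableAntiSpyware policy value is worth
    # a look; legitimate re-enables by script are rare enough to triage.
    "defender_policy_disable": re.compile(
        r"(Set-GPRegistryValue|Set-ItemProperty|New-ItemProperty)\b.*"
        r"Windows Defender.*DisableAntiSpyware\b", re.I),
    "firewall_off": re.compile(
        r"Set-NetFirewallProfile\b.*-Enabled\s+False\b", re.I),
}


@dataclass
class Finding:
    line_no: int
    host: str
    rule: str
    script: str


def parse_line(line):
    """Return (host, script_text) for a 4104 line, else None."""
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[2] != "4104":
        return None
    return parts[1], parts[3]


def scan(lines):
    """Run every rule over every 4104 script block; one Finding per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, script = parsed
        for rule, rx in DEFENSE_TAMPERING.items():
            if rx.search(script):
                findings.append(Finding(n, host, rule, script))
    return findings


def summarize_by_host(findings):
    """Map host -> sorted list of distinct rule names that fired on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


# Constructed sample log (assumed format; hostnames and times are made up).
SAMPLE_LOG = [
    "2024-01-15T02:14:03Z WS-PAYROLL-07 4104 Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "2024-01-15T02:14:11Z WS-PAYROLL-07 4104 Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    "2024-01-15T02:14:12Z WS-PAYROLL-07 4104 Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
    "2024-01-15T02:14:30Z WS-PAYROLL-07 4104 Set-Service -Name WinDefend -StartupType Disabled",
    "2024-01-15T02:15:40Z DC01 4104 Set-GPRegistryValue -Name 'Default Domain Policy' -Key 'HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -ValueName DisableAntiSpyware -Type DWord -Value 1",
    "2024-01-15T02:16:02Z DC01 4104 Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False",
    "2024-01-15T02:20:00Z WS-HELPDESK-02 4103 Set-MpPreference -DisableRealtimeMonitoring $false",
    "2024-01-15T02:21:33Z WS-HELPDESK-02 4104 Set-MpPreference -DisableRealtimeMonitoring $false",
    "2024-01-15T02:22:10Z WS-HELPDESK-02 4104 Stop-Service -Name Spooler -Force",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.host} [{f.rule}] {f.script}")
    print(summarize_by_host(scan(SAMPLE_LOG)))
```

On the sample log the scanner produces five findings: three on WS-PAYROLL-07 and two on DC01, while WS-HELPDESK-02 stays clean because its only Defender command re-enables real-time monitoring and the other stops an unrelated service. Several distinct rules firing on one host within minutes, or a Group Policy write from a domain controller, is the pattern worth paging on.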

Notable victims include Southern Water, BionPharma, M&M Industries, Coca-Cola, Yellow Pages Canada, AGCO, Capita, ABB, Merchant Schmidt, Tag Aviation, and Blount Fine Foods.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
