BlackBasta Ransomware Hits Scrubs & Beyond, Compromising 600GB of Data
Ransomware Attack on Scrubs & Beyond by BlackBasta
Overview of Scrubs & Beyond
Scrubs & Beyond, LLC, founded in 2000, is a leading retail company specializing in healthcare apparel and accessories. Headquartered in Scottsdale, Arizona, the company has grown to become the largest retailer of its kind in the United States, with an annual revenue of $211.1 million in 2024. The company employs 312 people and operates both an online store and physical retail locations across the country. Scrubs & Beyond offers a wide range of products, including scrubs, lab coats, footwear, and medical accessories, catering to healthcare professionals in various settings such as hospitals, clinics, dental offices, and veterinary practices.
What Makes Scrubs & Beyond Stand Out
Scrubs & Beyond aims to combine functionality with fashion, providing medical apparel that is both practical and stylish. The company carries products from well-known brands like Grey's Anatomy, Cherokee, and Dickies, as well as its own private label products. In addition to individual sales, the company offers group sales and customization services, allowing healthcare institutions to order uniforms in bulk and add personalized touches such as logos and name embroidery. Customer service is a key focus, with services like easy returns, size guides, and customer support through multiple channels.
Vulnerabilities and Targeting by Threat Actors
As a prominent player in the retail sector, Scrubs & Beyond is an attractive target for ransomware groups like BlackBasta. The company's extensive database, which includes human resources information, employee confidential data, personal documents, and departmental data from accounting and management, makes it a lucrative target for data exfiltration and extortion. The reliance on both online and physical retail operations also presents multiple attack vectors for cybercriminals to exploit.
Details of the Ransomware Attack
Scrubs & Beyond recently fell victim to a ransomware attack by the BlackBasta group. The attack compromised approximately 600GB of data, including sensitive information from various departments. The ransomware group used a double extortion tactic, encrypting critical data and threatening to publish it on their dark web leak site if the ransom was not paid. The attack has significantly impacted the company's operations and posed a severe risk to the confidentiality of employee and customer data.
About BlackBasta Ransomware Group
BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group, sharing similarities in malware development and operational tactics. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand, employing highly targeted attacks rather than a broad approach. The group uses a double extortion tactic, encrypting victims' data and threatening to publish it if the ransom is not paid.
Penetration Methods
BlackBasta employs several strategies to gain initial access to target networks, including spear-phishing campaigns, insider information, and purchased network access. Once inside a network, the group uses tools such as QakBot and Mimikatz, and exploits vulnerabilities, to move laterally and harvest credentials. To maintain control over compromised systems, BlackBasta uses tools such as Cobalt Strike Beacons, SystemBC, and Rclone. Before encrypting files, the group disables security tools, deletes shadow copies, and exfiltrates sensitive data to maximize its leverage.
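The pre-encryption steps described above (disabling security tooling, deleting shadow copies, staging data out with Rclone) are the window in which defenders can still interrupt the attack. The following is an added example, not code from this page or from Halcyon, that runs simple detection rules over process-creation events. The log lines, host names, user names and field layout are constructed for the example; the ATT&CK technique labels in the rule table are this example's own mapping of the behaviours the text describes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
# These are sample lines written for this example, not telemetry from any incident.
SAMPLE_LOGS = [
    '2024-06-01T10:02:11Z host=WS-042 user=jdoe parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"',
    '2024-06-01T10:05:47Z host=WS-042 user=SYSTEM parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-06-01T10:06:02Z host=WS-042 user=SYSTEM parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    '2024-06-01T10:09:30Z host=FS-01 user=svc_backup parent=cmd.exe image=C:\\Temp\\rclone.exe cmd="rclone.exe copy D:\\Shares\\HR remote:hr-backup --transfers 16"',
    '2024-06-01T10:11:05Z host=WS-042 user=SYSTEM parent=powershell.exe image=C:\\Windows\\System32\\sc.exe cmd="sc.exe stop WinDefend"',
    '2024-06-01T10:12:00Z host=WS-042 user=jdoe parent=explorer.exe image=C:\\Program Files\\Backup\\backup.exe cmd="backup.exe --nightly"',
]

# Field layout of the constructed lines above (an assumption of this example).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)

# (rule name, ATT&CK technique this example maps it to, command-line pattern)
RULES = [
    ("shadow_copy_deletion", "T1490 Inhibit System Recovery",
     re.compile(r'\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b', re.I)),
    ("security_service_stop", "T1562.001 Disable or Modify Tools",
     re.compile(r'\bsc(\.exe)?\s+(stop|delete|config)\s+(WinDefend|Sense|MsMpSvc)\b', re.I)),
    # Rclone copying to a named remote ("name:path"); the negative lookahead
    # keeps local drive letters such as D:\ from matching as a remote.
    ("rclone_transfer_to_remote", "T1567.002 Exfiltration to Cloud Storage",
     re.compile(r'\brclone(\.exe)?\s+(copy|sync|move)\b.*\s[A-Za-z][\w-]*:(?![\\/])', re.I)),
]


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    technique: str
    cmd: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over every parsable event; one Alert per (event, rule) hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], rule, technique, ev["cmd"]))
    return alerts


def hosts_with_precursor_chain(alerts):
    """Hosts on which two or more distinct pre-encryption behaviours fired.

    A single vssadmin call can be legitimate administration; several of these
    behaviours on one host in a short span is the pattern worth escalating.
    """
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= 2}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.host} {a.user:<10} {a.rule:<26} {a.technique:<40} {a.cmd}")
    print("escalate:", hosts_with_precursor_chain(found))
```

On the constructed sample, the two shadow-copy deletions and the Defender service stop all fire on WS-042, so that host is escalated, while the single Rclone transfer on FS-01 surfaces as an alert but not yet as a chain; in a real deployment these rules would sit in the SIEM's rule language and the window for correlating hits should be bounded in time.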
Distinguishing Features of BlackBasta
BlackBasta distinguishes itself through its highly targeted attacks and sophisticated operational tactics. The group has targeted over 500 organizations worldwide, including critical infrastructure sectors. Financially motivated, BlackBasta has collected up to $100 million in ransom payments from more than 90 victims since its emergence. The group continues to evolve its tactics, incorporating heavy obfuscation and randomized filenames to evade detection by endpoint detection and response (EDR) products.