{
	"id": "1562c654-93f4-476e-b16d-19cfb79e063b",
	"created_at": "2026-04-06T00:12:50.422821Z",
	"updated_at": "2026-04-10T03:29:39.998368Z",
	"deleted_at": null,
	"sha1_hash": "d75f5d4fd9b5e6b28be2351193138c2e449f95cb",
	"title": "BlackBasta Leaks: Lessons from the Ascension Health attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2942345,
	"plain_text": "BlackBasta Leaks: Lessons from the Ascension Health attack\r\nBy BushidoToken\r\nPublished: 2025-02-27 · Archived: 2026-04-05 17:31:57 UTC\r\nThe BlackBasta ransomware group’s leaked chat logs have proven to already be another unique and fascinating\r\nopportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime\r\nenterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to be a treasure trove\r\nof intelligence on the cybercrime enterprise. The BlackBasta gang consists of former Conti ransomware members\r\nand it should come as no surprise that their operations are similar in nature and structure.\r\nRansomware researchers have several valuable resources to conduct investigations with nowadays. This includes\r\nransomware.live, which contains several resources including ransomch.at, a collection of negotiation chats\r\nbetween ransomware gangs and their victims, as well as the ransomware tool matrix and ransomware vulnerability\r\nmatrix. These resources allow to deeply understand the capabilities and motivations of these ransomware gangs.\r\nHowever, leaked chat logs are the final missing piece of the puzzle and offer a deeper understanding from the\r\ncybercriminal’s very own perspective and organisational structure.\r\nActive since April 2022, BlackBasta is one of the top-tier ransomware gangs and one of the largest cybercrime\r\nenterprises in the world. According to the US Cybersecurity Infrastructure and Security Agency (CISA),\r\nBlackBasta impacted up to 500 different businesses and critical infrastructure in North America, Europe, and\r\nAustralia as of May 2024.\r\nThe importance of the Ascension Health incident\r\nThis blog shall dive deep into the Ascension Health attack by BlackBasta. 
It is a step-by-step extraction of the conversation between the BlackBasta members while they decide how to handle the attack.\r\nhttps://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html\r\nPage 1 of 15\r\n
The new insights around how BlackBasta and other ransomware gangs perceive being involved with incidents at healthcare sector victims should prove useful for incident responders, law enforcement, and governments that have to resolve these types of attacks on the healthcare sector on an alarmingly regular basis.\r\n
Background\r\n
On 9 May 2024, mainstream news organisations in the US reported on a cyberattack and significant disruption of services at Ascension Health, one of the largest healthcare providers in the country. On 11 May 2024, BleepingComputer reported that BlackBasta was to blame for the attack on Ascension Health and that ambulances had been disrupted and patients were being redirected to other hospitals.\r\n
How the Incident Began\r\n
The BlackBasta attack on Ascension Health began many months before the ransomware was deployed on their network. Reconnaissance of Ascension Health by members of BlackBasta began around 3 November 2023. They shared 14 email addresses of Ascension Health employees, which we can only assume were used for phishing or password guessing. Ransomware gangs often use Zoominfo to profile their targets to determine whether it is worth it for them to attack and extract a ransom.\r\n
The ransomware gang themselves wrote in their Matrix chat that CBS News had written about a cyberattack on Ascension Health on 9 May 2024 and exclaimed that “it looks like one of the largest attacks of the year.” Another BlackBasta member, “gg”, confirmed in the chat that it was them and appeared to be surprised that the news was writing about it.\r\n
Later, “gg” appeared to feel bad about the attack and was concerned that cancer patients were suffering. However, at this stage it is hard to tell if they are serious or being sarcastic.\r\n
One member of BlackBasta who used the moniker “tinker” then stated that he wanted to be the negotiator for the BlackBasta team and began to strategize how to extract a ransom payment.\r\n
“gg” says they encrypted Ascension Health’s network using the Windows Safe Mode Boot technique, a function that BlackBasta is well known for using.\r\n
The negotiator, “tinker”, begins to weigh up their options. He states he believes the FBI and CISA will be involved, as well as Mandiant, and begins to compare the incident to the Change Healthcare attack by ALPHV/BlackCat (and later RansomHub), who received a 22 million USD ransom payment.\r\n
“gg” shares that all the stolen data was put on a server named “ftp8” and tagged as “ALBIR_DS” and says to “tinker” that he should “look at the folder name, everything we downloaded from them is there.\"\r\n
The operator, “gg”, also shared a summary of the target environment of Ascension Health. This includes the number of servers, over 12,000, and what security tools they use, such as Cylance, Tanium, and McAfee. Plus, “gg” said they downloaded over 1.4TB of data to \"ftp8\", used BlackBasta ransomware version 4.0, and attacked them on 8 May 2024.\r\n
Interestingly, “gg” appears to have also recommended bluffing to the victim that they stole more than 1.5TB and telling the victim that they stole 3TB instead.\r\n
Negotiation Strategizing\r\n
After having established the details of the incident, Tinker (the negotiator) began to wonder about the likelihood of getting a ransom payment as well as estimate how much Ascension Health is likely losing per day.\r\n
Tinker (negotiator) then explains to the rest of the BlackBasta members involved in the attack what course of action they should take to get the ransom from Ascension Health. Tinker says they would normally set a demand at 3% of the annual revenue and negotiate from there. They note that there are clear problems with the victim being a hospital and that this attack followed the Change Health attack by ALPHV/BlackCat. They also noted that they are worried, as they believe the US National Security Agency (NSA) attacked TrickBot's servers four years ago and that the FBI took down Qakbot more recently. Tinker is also worried that one of Ascension Health’s patients will die, that they will be blamed, and that the attack will be labelled a terrorist attack.\r\n
Tinker also noted that when BlackSuit attacked Octapharma it was labelled by the news as \"hostile actions by Russia\", and warned that Conti was already under sanctions and that because they are tied to Conti they may not get paid.\r\n
Tinker, ransomware negotiator for BlackBasta, ultimately recommended giving the decryptor to Ascension Health for free and resorting to data theft extortion. This is notable, as it is a similar situation to the Irish HSE ransomware attack by Conti, who also provided the decryptor for free.\r\n
Healthcare Impact\r\n
The fact that Ascension Health is a major medical organisation with many patients appeared to take its toll on the BlackBasta members. Tinker wrote in the BlackBasta chat that he found a post on Reddit by a doctor who works for Ascension Health and who described the damage of the attack.\r\n
Another member of BlackBasta, “nn”, also found out that Ascension Health is a group of hospitals. He immediately recommends giving them a decryptor for free.\r\n
Interestingly, “gg” compares the attack to the one on Change Health, and also recognises Mandiant and warns that the FBI and CISA will be involved. Plus, “gg” noted that they did not encrypt via virtualization (such as vCenter, ESXi or Hyper-V) and reconfirmed they used Safe Mode Boot. Further, “gg” was also inclined to give Ascension the decryptor for free.\r\n
Another BlackBasta member, “nickolas”, comments about the situation. He was particularly concerned about law enforcement retaliation, such as hacking back, sanctions, and indictments. He recommended auditing the entire infrastructure and rebranding the BlackBasta name, which means changing the ransomware, leak site, and other personas.\r\n
Tinker (negotiator) is aware, however, of the risk of someone dying and how it will impact their chances of getting the ransom.\r\n
Tinker also discussed the politics of the scenario. He compared the situation to the Colonial Pipeline incident of 2021. He mentioned how Russia reacted and arrested ransomware operators. He also brought up the war in Ukraine and how ransomware attacks on the US impact politics with Russia.\r\n
Tinker highlighted that the ransomware was used to encrypt patient data and how it caused the hospital management system to crash. He was particularly concerned about the ambulances being unable to operate but also tried to minimize the severity of the incident. Nevertheless, he asked to see the stolen data himself to get a better understanding of what data the BlackBasta operators have that they can leverage against Ascension Health.\r\n
By the end of the deliberations, Tinker recommends giving a free decryptor and then demanding a ransom for the stolen data.\r\n
Tinker edited his message to then clarify that he reckons they should demand a ransom in the tens of millions USD or over 100 million USD.\r\n
Ransomware Negotiations\r\n
The operator “gg” then shared the opening message to Ascension Health, sent via the Black Basta negotiation portal:\r\n
The negotiator for Ascension Health (who BlackBasta believes is Mandiant) replied to the negotiation chat portal:\r\n
“gg” then clarified the terms of the ransom demand. A payment will be needed to delete and share the stolen data. He maintains the offer to provide a free decryptor:\r\n
The negotiator for Ascension Health asked for the decryption tool:\r\n
The decryptor was then provided to Ascension Health:\r\n
Later, “gg” then shares a file tree for \"DS\" (which is equal to Ascension Health). The file is added to a ZIP and shared via a temp[.]sh link and is password protected:\r\n
The operator “gg” then uses Privat (a screenshot sharing site) to show proof that they have deleted the data of Ascension Health:\r\n
From these messages, it appears no ransom was paid and BlackBasta returned the data and deleted it.\r\n
Change of Heart\r\n
The most interesting part of this engagement with Ascension Health by BlackBasta was that the members deliberated back and forth about whether to provide a free decryption tool, but all appeared to be fine with demanding a ransom for the victim data.\r\n
The operator “gg” appears to have a change of heart. He exclaims that they (the members of the BlackBasta ransomware gang) are \"pentesters\" and not \"killers\" and claims he “held a meeting in the office”, which is interesting as it further proves they are a cybercrime enterprise, potentially with full-time employees.\r\n
The operator “gg” decided to help Ascension Health and requests not to work on hospitals anymore.\r\n
He also said “the software will fly to the trash”, which likely means the group was thinking of ditching the BlackBasta brand and rebranding under another name. Finally, “gg” warns other BlackBasta members not to target hospitals any more:\r\n
According to the HIPAA Journal, the personal data of up to 5.6 million patients was exposed, and Ascension confirmed that some patient data was stolen during the attack. Ascension said that it found no evidence that the ransomware group gained access to electronic health records or other clinical systems, so full medical histories have not been stolen. During the attack, however, Ascension was forced to divert ambulances, close pharmacies, take critical IT systems offline, and resort to pen and paper to record patient information. The attack affected a large percentage of its 136 hospitals across the US, and it took Ascension around 6 weeks to restore access to its electronic medical record system and resume normal operations. The ransomware attack reportedly caused delays in revenue cycle processes, claims submission, and payment processing, in addition to significant remediation costs.\r\n
Lessons Learned\r\n
This chat log confirms that BlackBasta attacked Ascension Health using version 4.0 of their ransomware and used the Safe Mode Boot technique on 12,000 endpoints of the healthcare system.\r\n
If reconnaissance began on 3 November 2023 and the attack happened on 8 May 2024, the amount of time they took to gain access and deploy the ransomware was up to 187 days, or around six months. Because of this, the cybercriminal campaign appears comparable to a more focused state-sponsored intrusion, where months of planning and numerous attempts are made to infiltrate a target.\r\n
The BlackBasta negotiator, Tinker, believed that they were going to get a very high ransom payment in the tens of millions or up to 100 million USD and compared the attack to the Change Health incident by ALPHV/BlackCat, who got 22 million USD.\r\n
The high ransom payment by Change Health has appeared to be like a dinner bell for ransomware gangs to go after other healthcare sector victims. Paying the ransom as a healthcare organisation clearly has significant downstream impact on the rest of the industry; it should be an absolute last resort, and the default should be to never pay the ransom.\r\n
There was an interesting change of heart, a moment where the operator “gg” decided to give up on the Ascension Health attack, provide them a decryptor, provide the data back to them, and share proof that they deleted it. The members of BlackBasta were clearly concerned about hack-backs from law enforcement or intelligence services, as well as sanctions and deanonymization. The BlackBasta team also mentioned several times during this incident that they were going to have to rebrand because of the attack.\r\n
Overall, this incident goes to show that even Russia-based cybercrime enterprises with dozens of members remain paranoid about being attacked by law enforcement and intelligence services. It is really interesting that they themselves admit that their actions warrant such a response.\r\n
One of the key lessons to learn from this engagement is that if a healthcare organisation is attacked by a ransomware gang, then it would be a valid strategy to tell the news about the incident. News about patients’ lives being at risk and dying will get the attention of these ruthless cybercriminals, who will realise the mistakes they made and are potentially likely to at least provide a free decryptor and may give up entirely on their ransom payment pursuit and move on to the next target.\r\n
Lastly, these chat logs appear to prove that the West’s policies aimed at increasing pressure on Russia-based ransomware gangs are evidently working. These organised cybercrime enterprises are beginning to alter their targeting behaviour as a result, to avoid the wrath of law enforcement retaliation.\r\n
Source: https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html"
	],
	"report_names": [
		"blackbasta-leaks-lessons-from-ascension.html"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d75f5d4fd9b5e6b28be2351193138c2e449f95cb.pdf",
		"text": "https://archive.orkl.eu/d75f5d4fd9b5e6b28be2351193138c2e449f95cb.txt",
		"img": "https://archive.orkl.eu/d75f5d4fd9b5e6b28be2351193138c2e449f95cb.jpg"
	}
}