Ransomware Attack on Scrubs & Beyond by BlackBasta

Overview of Scrubs & Beyond

Scrubs & Beyond, LLC, founded in 2000, is a leading retail company specializing in healthcare apparel and accessories. Headquartered in Scottsdale, Arizona, the company has grown to become the largest retailer of its kind in the United States, with an annual revenue of $211.1 million in 2024. The company employs 312 people and operates both an online store and physical retail locations across the country. Scrubs & Beyond offers a wide range of products, including scrubs, lab coats, footwear, and medical accessories, catering to healthcare professionals in various settings such as hospitals, clinics, dental offices, and veterinary practices.

What Makes Scrubs & Beyond Stand Out

Scrubs & Beyond aims to combine functionality with fashion, providing medical apparel that is both practical and stylish. The company carries products from well-known brands like Grey's Anatomy, Cherokee, and Dickies, as well as its own private label products. In addition to individual sales, the company offers group sales and customization services, allowing healthcare institutions to order uniforms in bulk and add personalized touches such as logos and name embroidery. Customer service is a key focus, with services like easy returns, size guides, and customer support through multiple channels.

Vulnerabilities and Targeting by Threat Actors

As a prominent player in the retail sector, Scrubs & Beyond is an attractive target for ransomware groups like BlackBasta. The company's extensive database, which includes human resources information, employee confidential data, personal documents, and departmental data from accounting and management, makes it a lucrative target for data exfiltration and extortion. The reliance on both online and physical retail operations also presents multiple attack vectors for cybercriminals to exploit.

Details of the Ransomware Attack

Scrubs & Beyond recently fell victim to a ransomware attack by the BlackBasta group. The attack compromised approximately 600GB of data, including sensitive information from various departments. The ransomware group used a double extortion tactic, encrypting critical data and threatening to publish it on their dark web leak site if the ransom was not paid. The attack has significantly impacted the company's operations and posed a severe risk to the confidentiality of employee and customer data.

About BlackBasta Ransomware Group

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group, sharing similarities in malware development and operational tactics. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand, employing highly targeted attacks rather than a broad approach. The group uses a double extortion tactic, encrypting victims' data and threatening to publish it if the ransom is not paid.

Penetration Methods

BlackBasta employs several strategies to gain initial access to target networks, including spear-phishing campaigns, insider information, and purchasing network access. Once inside a network, the group uses tools like QakBot, Mimikatz, and exploits vulnerabilities to move laterally and harvest credentials. For maintaining control over compromised systems, BlackBasta uses tools like Cobalt Strike Beacons, SystemBC, and Rclone. Before encrypting files, the group disables security tools, deletes shadow copies, and exfiltrates sensitive data to maximize their leverage.

Distinguishing Features of BlackBasta

BlackBasta distinguishes itself through its highly targeted attacks and sophisticated operational tactics. The group has targeted over 500 organizations worldwide, including critical infrastructure sectors. Financially motivated, BlackBasta has made up to $100 million in ransom payments from more than 90 victims since its emergence. The group continues to evolve its tactics, incorporating heavy obfuscation and randomized filenames to evade detection by endpoint detection and response (EDR) products.

Sources

• Scrubs & Beyond Official Website
• LinkedIn - Scrubs & Beyond
• Infosecurity Magazine - BlackBasta Ransomware Victim