BlackBasta Ransomware Hits Scrubs & Beyond, Compromising 600GB of Data

Incident Date: June 25, 2024


Overview

Title: BlackBasta Ransomware Hits Scrubs & Beyond, Compromising 600GB of Data
Victim: Scrubs & Beyond
Attacker: Blackbasta
Location: Des Peres, USA; Missouri, USA
First Reported: June 25, 2024

Ransomware Attack on Scrubs & Beyond by BlackBasta

Overview of Scrubs & Beyond

Scrubs & Beyond, LLC, founded in 2000, is a leading retail company specializing in healthcare apparel and accessories. Headquartered in Scottsdale, Arizona, the company has grown to become the largest retailer of its kind in the United States, with an annual revenue of $211.1 million in 2024. The company employs 312 people and operates both an online store and physical retail locations across the country. Scrubs & Beyond offers a wide range of products, including scrubs, lab coats, footwear, and medical accessories, catering to healthcare professionals in various settings such as hospitals, clinics, dental offices, and veterinary practices.

What Makes Scrubs & Beyond Stand Out

Scrubs & Beyond aims to combine functionality with fashion, providing medical apparel that is both practical and stylish. The company carries products from well-known brands like Grey's Anatomy, Cherokee, and Dickies, as well as its own private label products. In addition to individual sales, the company offers group sales and customization services, allowing healthcare institutions to order uniforms in bulk and add personalized touches such as logos and name embroidery. Customer service is a key focus, with services like easy returns, size guides, and customer support through multiple channels.

Vulnerabilities and Targeting by Threat Actors

As a prominent retailer, Scrubs & Beyond is an attractive target for ransomware groups like BlackBasta. Its extensive data holdings, which include human resources records, confidential employee data, personal documents, and departmental data from accounting and management, make it a lucrative target for data exfiltration and extortion. Operating both online and physical retail channels also widens the attack surface available to cybercriminals.

Details of the Ransomware Attack

Scrubs & Beyond recently fell victim to a ransomware attack by the BlackBasta group. The attack compromised approximately 600GB of data, including sensitive information from various departments. The ransomware group used a double extortion tactic, encrypting critical data and threatening to publish it on their dark web leak site if the ransom was not paid. The attack has significantly impacted the company's operations and posed a severe risk to the confidentiality of employee and customer data.

About BlackBasta Ransomware Group

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group, sharing similarities in malware development and operational tactics. BlackBasta targets organizations in the US, Japan, Canada, the United Kingdom, Australia, and New Zealand, employing highly targeted attacks rather than a broad approach. The group uses a double extortion tactic, encrypting victims' data and threatening to publish it if the ransom is not paid.

Penetration Methods

BlackBasta employs several strategies to gain initial access to target networks, including spear-phishing campaigns, insider information, and purchasing network access. Once inside a network, the group uses tools like QakBot and Mimikatz, and exploits vulnerabilities, to move laterally and harvest credentials. To maintain control over compromised systems, BlackBasta uses tools like Cobalt Strike Beacons, SystemBC, and Rclone. Before encrypting files, the group disables security tools, deletes shadow copies, and exfiltrates sensitive data to maximize its leverage.
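Two of the pre-encryption steps named above, shadow-copy deletion and Rclone-driven exfiltration, leave distinctive process-creation events that a defender can match on. The script below is an added illustration, not code from the tracker or from any published BlackBasta analysis: it runs two detection rules over constructed process-creation log lines (the pipe-separated format, hostnames, user names and paths are all assumptions made for the example) and then correlates hits per host, escalating any host where an Rclone transfer and a shadow-copy deletion occur within an hour of each other, since that pairing is the staging pattern the report describes.

```python
"""Detect pre-encryption staging (shadow-copy deletion + Rclone exfil) in
process-creation logs and correlate the two behaviours per host.

Assumed log format (one event per line, constructed for this example):
    timestamp|host|user|image path|command line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; hosts, users and paths are invented and
# are not data from the Scrubs & Beyond incident.
SAMPLE_LOG = r"""
2024-06-20T02:11:05|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2024-06-20T02:14:40|FS01|CORP\jdoe|C:\Tools\rclone.exe|rclone.exe copy D:\HR\ remote:backup --transfers 16
2024-06-20T02:16:02|FS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-06-20T09:30:11|WS22|CORP\mmiller|C:\Windows\System32\wbem\WMIC.exe|wmic process list brief
2024-06-21T14:02:00|WS07|CORP\ops|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
"""

# Rule names map to the behaviours in the report; patterns match command lines.
RULES = {
    # Shadow-copy removal ahead of encryption (MITRE ATT&CK T1490).
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
        re.IGNORECASE,
    ),
    # Rclone moving data to a configured remote (exfiltration to cloud storage).
    "rclone_transfer": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.IGNORECASE),
}


def parse_events(text):
    """Parse pipe-separated lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "image": image,
            "cmdline": cmdline,
        })
    return events


def match_rules(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append({**ev, "rule": name})
    return hits


def correlate(hits, window=timedelta(hours=1)):
    """Escalate hosts where an Rclone transfer and a shadow-copy deletion
    both fire within `window` of each other: exfil followed by recovery
    inhibition is the staging sequence that precedes encryption."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    escalated = []
    for host, hs in by_host.items():
        deletes = [h["ts"] for h in hs if h["rule"] == "shadow_copy_deletion"]
        transfers = [h["ts"] for h in hs if h["rule"] == "rclone_transfer"]
        if any(abs(d - t) <= window for d in deletes for t in transfers):
            escalated.append(host)
    return sorted(escalated)


if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_LOG))
    for h in found:
        print(f"{h['ts'].isoformat()} {h['host']} {h['rule']}: {h['cmdline']}")
    print("escalate:", correlate(found))
```

On the sample data, the benign `vssadmin list shadows` and `wmic process list` events do not fire; WS07 produces a single shadow-copy deletion hit worth triage, and FS01 is escalated because the Rclone transfer and the deletion fall within the same hour. In production the patterns would be fed by EDR or Sysmon process-creation telemetry rather than a text file, and the window and rule set tuned to the environment.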

Distinguishing Features of BlackBasta

BlackBasta distinguishes itself through its highly targeted attacks and sophisticated operational tactics. The group has targeted over 500 organizations worldwide, including critical infrastructure sectors. Financially motivated, BlackBasta has collected up to $100 million in ransom payments from more than 90 victims since its emergence. The group continues to evolve its tactics, incorporating heavy obfuscation and randomized filenames to evade detection by endpoint detection and response (EDR) products.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.