Blackbasta gang claimed responsibility for Synlab Italia attack

The Blackbasta extortion group claimed responsibility for the attack that in April severely impacted the operations of Synlab Italia.

Since April 18, Synlab Italia, a major provider of medical diagnosis services, has been experiencing disruptions due to a cyber attack.

The company initially cited technical issues as the cause leading to “temporary interruption of access to computer and telephone systems and related services.” However, a concerning scenario has emerged a few hours later.

The company has released a statement informing customers of the ongoing attack and has “disabled” all company computer systems in Italy as a precautionary measure.

The company’s statement announced the suspension of all activities at sampling points, medical centers, and laboratories in Italy until further notice.

The operations of the preview points in Italy have been suspended for several days, and only since the end of April have they slowly begun to resume, with different modalities from region to region.

Synlab immediately investigated the incident and is working with external experts to contain it.

The company has yet to disclose a data breach e never mentioned in its update that it was the victim of a ransomware attack.

Certain statements of the first press release published by the company raised particular concerns:

“SYNLAB informs all Patients and Customers that it has been the victim of a hacker attack on its computer systems throughout the national territory. As a precaution, all company computer systems in Italy were immediately disabled following the identification of the attack and in accordance with the company’s computer security procedures.”

“[SYNLAB] is currently unable to determine when operations can be restored.”

In my previous post I wrote:

“These statements highlight the need for the company to isolate systems to prevent the spread of the threat and mitigate its impact. Such drastic containment measures are typically associated with malware infections, while the unavailability of affected systems often suggests a ransomware infection.

Therefore, companies that suffer a ransomware attack cannot predict when they will be operational again because they need to eradicate the threat from affected systems and restore any backups.

Another concern for companies affected by ransomware is the potential exfiltration of data. If health information is stolen in the case of SYNLAB Italy, it would pose a serious risk to affected customers’ privacy and security.”

Researchers at the platform Ransomfeed.it today revealed that the criminal group Blackbasta claimed responsibility for a ransomware attack on Synlab.

The group claimed the theft of 1.5 TB of data, including company data, employees’ personal documents, customer personal data, medical analyses (spermograms, toxicology, anatomy…), and more.

As proof of the data breach, the group published images of passports, ID cards and medical analyses.

One of the images published by the group lists the folders exfiltrated, some of which have names of medical exams, while others have the names of centers located in the Campania region, even though the attack impacted the sampling points throughout Italy.

The BlackBasta ransomware group will publish the stolen data on May 11, 2024.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

The attack chain starts with a QBot infection, The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links.

The researchers noticed that once obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Synlab Italia)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter