FBI: 16 Conti Ransomware Attacks Targeted Healthcare, First Responders in U.S.
The FBI says it has observed 16 Conti ransomware attacks that targeted healthcare and first responder networks in the United States over the past year.
First detailed in July 2020, Conti has grown to become a major threat, with more than 400 organizations worldwide (290 in the United States) being hit by the ransomware to date. Conti’s operators appear to tailor the ransom amount to the victim and were observed asking for as much as $25 million recently — but victims do have the option to negotiate the amount.
Conti operators steal victim data in addition to encrypting files on servers and workstations, threatening to release the stolen data to the public unless the ransom is paid.
U.S. healthcare organizations and first responders that Conti has hit since its emergence include 9-1-1 dispatch centers, emergency medical services, law enforcement agencies, and municipalities, the FBI reveals in a newly published alert.
For initial access to the victim networks, Conti’s operators employ malicious attachments (weaponized Word documents with embedded scripts) and email links, as well as Remote Desktop Protocol (RDP) credentials.
A typical Conti attack starts with the malicious document dropping Cobalt Strike and Emotet, with the attackers dwelling in the victim’s network between four days and three weeks on average before installing the ransomware.
Once inside the network, the adversary leverages existing tools and deploys others when needed, including Windows Sysinternals and Mimikatz, for privilege escalation and lateral movement. The adversary also deploys the TrickBot malware when needed.
Victims are instructed to contact the ransomware operators for instructions on how to make the payment. If the victim does not respond in the specified time window, the attackers often call them from single-use VOIP numbers, but they were also observed employing ProtonMail for communication.
The FBI also notes that the ransomware operators use remote access tools that communicate over ports 80, 443, 8080, and 8443, that they employ cloud-based data storage providers MegaNZ and pCloud for large HTTPS transfers, and that they disable endpoint detection systems. Constant HTTP and DNS beacons also reveal the attackers’ presence in the network.
In its alert, the FBI also provides a series of mitigation recommendations, which include keeping data backed up, implementing network segmentation and a recovery plan, keeping applications and operating systems up to date, and using multi-factor authentication.
“At many healthcare organizations HIPAA/HITECH requirements are only narrowly implemented leaving many potential cyberattack threat vectors unaddressed. To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Chris Clements, VP of solutions architecture at Cerberus Sentinel, said in an emailed comment.
“It’s crucial to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that can expose systems or data to compromise,” Clements continued.