FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash notice about ongoing Conti ransomware attacks targeting healthcare and first responder networks. According to the FBI, the Conti ransomware gang has attacked 16 healthcare and first responder organizations in the United States.

In addition to healthcare providers, the gang has attempted ransomware attacks on 911 dispatch centers, emergency medical services, law enforcement agencies and municipalities. The gang is known to have conducted attacks on 400 organizations worldwide, including a recent attack on the Health Service Executive (HSE) and Department of Health (DoH) in Ireland. To date, the gang has claimed 290 victims in the United States.

Conti ransomware is believed to be operated by the Russian cybercrime group Wizard Spider and is a ransomware-as-a-service (RaaS) operation. The threat group is known for attacking large organizations and issuing huge ransom demands, which have been as high as $25 million. The ransom demand set for each victim based on the extent of the encryption and the perceived ability of the victim to pay.

As is common now with ransomware attacks, the Conti ransomware gang exfiltrates sensitive data prior to file encryption and threatens to sell or publish the data if the ransom is not paid. Victims are given 8 days to make payment, although if attempts have not been made by the victims to get in touch with the gang, contact is often made using Voice Over Internet Protocol (VOIP) services or encrypted email such as ProtonMail after 2-8 days to pressure victims into paying.

Attacks usually start with phishing emails that include weaponized hyperlinks or email attachments or the use of stolen Remote Desktop Protocol (RDP) credentials. Prior to the disruption of the Emotet botnet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to deploy the Emotet Trojan onto the network, which allowed the threat group to deliver their ransomware payload. The group has also been known to use the TrickBot Trojan in their attacks. The time from the initial compromise to the deployment of ransomware is usually between 4 days and 3 weeks, with the ransomware payload often delivered using dynamic link libraries (DLLs).

The threat group uses living-off-the-land techniques to escalate privileges and move laterally within networks, such as Sysinternals and Mimikatz. After encrypting files, the gang often remains in the network and beacons out using Anchor DNS. Remote access tools used by the gang beacon out to domestic and international VPS infrastructure over posts 80, 443, 8443, with port 53 often used for persistence. Indicators of attacks in progress include the creation of new accounts and the installation of tools such as Sysinternals, along with disabled detection and constant HTTP and DNS beacons.

The FBI does not recommend paying ransoms as payment does not guarantee the recovery of files nor the sale or publication of stolen data. The FBI has requested all victims of Conti ransomware attacks share information about the attacks with the FBI including boundary logs showing communications to and from foreign IP addresses, Bitcoin wallet information, decryptor files and/or benign samples of encrypted files.

The FBI has published several mitigations that can be implemented to harden defenses against Conti and other ransomware attacks.  These include:

  • Regularly back up data, test backups, and store backups on air-gapped devices.
  • Retain multiple copies of sensitive and proprietary data on servers that are physically separate and cannot be accessed from the systems where data resides.
  • Implement network segmentation.
  • Use multi-factor authentication.
  • Patch and update systems, software, and firmware promptly.
  • Use strong passwords and regularly change passwords for network systems and accounts.
  • Disable hyperlinks in inbound email.
  • Add email banners to all inbound emails from external sources.
  • Conduct regular user account audits for accounts with administrative privileges.
  • Only use secure networks and avoid public Wi-Fi networks.
  • Use a VPN for remote access.
  • Ensure all members of the workforce are provided with regular security awareness training.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.