FBI Warns About Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has published a TLP:WHITE Flash alert about ongoing Conti ransomware attacks targeting healthcare providers and first responder networks. According to the FBI, the Conti ransomware gang has so far attacked 16 healthcare provider and first responder networks within the United States.

Beyond healthcare organizations, the gang has also attempted ransomware attacks on emergency medical services, 911 dispatch centers, municipalities, and law enforcement agencies. The group is known to have carried out cyberattacks on 400 organizations worldwide, including the recent attacks on Ireland's Department of Health (DoH) and Health Service Executive (HSE). To date, 290 of its victims have been in the United States.

Conti ransomware is believed to be operated by Wizard Spider, a Russia-based cybercrime group, and runs as a ransomware-as-a-service (RaaS) operation. The group is known to have targeted large firms and demanded ransoms of up to $25 million. The ransom demanded from each victim depends on the extent of the encryption and the gang's assessment of the victim's ability to pay.

Like many ransomware operations today, the Conti gang exfiltrates sensitive data before encrypting files and uses it as leverage, threatening to sell or publish the stolen information if the ransom is not paid. Victims are given 8 days to pay. If a victim does not make contact, the gang reaches out itself, using encrypted email services such as ProtonMail or Voice over Internet Protocol (VoIP) services, within 2 to 8 days of issuing its threat.

Attacks usually begin with phishing emails carrying weaponized hyperlinks or attachments, or with compromised Remote Desktop Protocol (RDP) credentials. Before deploying the Emotet botnet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to drop the Emotet Trojan onto the system, which let them deliver their ransomware payload. The group is also known to use the TrickBot Trojan in its attacks. The time from initial compromise to ransomware deployment typically ranges from 4 days to 3 weeks, and the ransomware payload is frequently delivered as a dynamic link library (DLL).

The group uses living-off-the-land techniques and tools such as Mimikatz and Sysinternals to escalate privileges and move laterally across internal networks. After encrypting files, the gang typically remains inside the network and beacons out using Anchor DNS. It uses remote access tools to beacon to domestic and international VPS systems on ports 80, 443, and 8443, and typically uses port 53 for persistence. Ongoing indicators of an attack include the creation of new accounts and the use of tools such as Sysinternals, along with disabled security sensors and continuous HTTP and DNS beaconing.
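The "continuous HTTP and DNS beacons" indicator above can be turned into a simple detection: an implant checking in on a timer produces connections at nearly constant intervals, while human-driven traffic is bursty. The script below is an added illustration and is not code from the FBI alert or this article. It assumes a constructed connection log format (timestamp, source, destination, port, protocol), assumed RFC 1918 internal ranges, and assumed thresholds for the minimum number of events and the tolerated timing jitter; the sample records are constructed for the example.

```python
"""Added example: flag periodic beaconing to external hosts on the ports named in the alert.

This is illustrative detection logic, not code from the FBI alert or the article.
Log format, thresholds and the sample records are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Ports the alert names as beaconing (80, 443, 8443) and persistence (53) channels.
WATCHED_PORTS = {80, 443, 8443, 53}
# Assumed internal ranges (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_EVENTS = 5    # assumption: fewer connections than this is too little to judge periodicity
MAX_JITTER = 0.2  # assumption: inter-arrival coefficient of variation at or below this looks automated

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>" per line.
# Flow 1: a 60-second HTTPS check-in; flow 2: a 30-second DNS check-in;
# flow 3: irregular web browsing; flow 4: regular but internal, so ignored.
SAMPLE_LOG = """\
2021-05-20T10:00:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:01:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:02:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:03:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:04:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:05:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:06:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:07:00 10.0.0.15 198.51.100.7 443 tcp
2021-05-20T10:00:00 10.0.0.15 203.0.113.53 53 udp
2021-05-20T10:00:30 10.0.0.15 203.0.113.53 53 udp
2021-05-20T10:01:00 10.0.0.15 203.0.113.53 53 udp
2021-05-20T10:01:30 10.0.0.15 203.0.113.53 53 udp
2021-05-20T10:02:00 10.0.0.15 203.0.113.53 53 udp
2021-05-20T10:02:30 10.0.0.15 203.0.113.53 53 udp
2021-05-20T10:00:05 10.0.0.22 203.0.113.9 80 tcp
2021-05-20T10:00:10 10.0.0.22 203.0.113.9 80 tcp
2021-05-20T10:05:10 10.0.0.22 203.0.113.9 80 tcp
2021-05-20T10:05:22 10.0.0.22 203.0.113.9 80 tcp
2021-05-20T10:06:52 10.0.0.22 203.0.113.9 80 tcp
2021-05-20T10:00:00 10.0.0.30 10.0.0.5 443 tcp
2021-05-20T10:01:00 10.0.0.30 10.0.0.5 443 tcp
2021-05-20T10:02:00 10.0.0.30 10.0.0.5 443 tcp
2021-05-20T10:03:00 10.0.0.30 10.0.0.5 443 tcp
2021-05-20T10:04:00 10.0.0.30 10.0.0.5 443 tcp
"""


def parse_log(text):
    """Parse the constructed log format into a list of connection records."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "proto": proto})
    return records


def is_external(addr):
    """True when the address falls outside the assumed internal ranges."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_beacons(records, min_events=MIN_EVENTS, max_jitter=MAX_JITTER):
    """Return flows whose connection timing is regular enough to look like a beacon.

    A flow is (src, dst, port, proto). Regularity is the coefficient of variation
    of the gaps between consecutive connections: near zero for a timer-driven
    implant, large for bursty human activity.
    """
    flows = defaultdict(list)
    for r in records:
        if r["port"] in WATCHED_PORTS and is_external(r["dst"]):
            flows[(r["src"], r["dst"], r["port"], r["proto"])].append(r["ts"])

    findings = []
    for (src, dst, port, proto), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port, "proto": proto,
                             "events": len(stamps), "interval_s": round(avg, 1),
                             "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['port']}/{f['proto']} "
              f"every ~{f['interval_s']}s over {f['events']} events (jitter {f['jitter']})")
```

On the sample data the script reports the two timer-driven flows from 10.0.0.15 (HTTPS every 60 s and DNS every 30 s) and stays quiet about the browsing host and the internal flow. In production the same logic would run over firewall or NetFlow exports, and the jitter threshold would need tuning, since some implants add deliberate randomness to their check-in interval.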

The FBI does not encourage paying ransoms, since payment is no guarantee that data will be recovered or that stolen information will not be sold or posted. The FBI has asked all victims of Conti ransomware attacks to share information about the attacks, such as boundary logs showing communications with foreign IP addresses, Bitcoin wallet information, benign samples of encrypted files, and/or decryptor files.

The FBI has published the following mitigations to protect against Conti and other ransomware attacks:

  1. Regularly back up data, verify the backups, and keep backups on air-gapped systems.
  2. Keep multiple copies of sensitive and proprietary data on servers that are physically segregated and not accessible from the systems where the data resides.
  3. Implement network segmentation.
  4. Use multi-factor authentication.
  5. Apply patches and update systems, software, and firmware as soon as possible.
  6. Use strong passwords and regularly change the passwords for network systems and accounts.
  7. Disable hyperlinks in incoming emails.
  8. Add email banners to all emails received from external sources.
  9. Regularly audit user accounts that have administrator privileges.
  10. Only use secure networks and never connect over public Wi-Fi networks.
  11. Use a VPN for remote access.
  12. Ensure that all personnel receive regular security awareness training.