Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

FBI: 16 Conti Ransomware Attacks Targeted Healthcare, First Responders in U.S.

The FBI says it has observed 16 Conti ransomware attacks that targeted healthcare and first responder networks in the United States over the past year.

The FBI says it has observed 16 Conti ransomware attacks that targeted healthcare and first responder networks in the United States over the past year.

First detailed in July 2020, Conti has grown to become a major threat, with more than 400 organizations worldwide (290 in the United States) being hit by the ransomware to date. Conti’s operators appear to tailor the ransom amount to the victim and were observed asking for as much as $25 million recently — but victims do have the option to negotiate the amount.

Conti operators steal victim data in addition to encrypting files on servers and workstations, threatening to release the stolen data to the public unless the ransom is paid.

U.S. healthcare organizations and first responders that Conti has hit since its emergence include 9-1-1 dispatch centers, emergency medical services, law enforcement agencies, and municipalities, the FBI reveals in a newly published alert.

For initial access to the victim networks, Conti’s operators employ malicious attachments (weaponized Word documents with embedded scripts) and email links, as well as Remote Desktop Protocol (RDP) credentials.

A typical Conti attack starts with the malicious document dropping Cobalt Strike and Emotet, with the attackers dwelling in the victim’s network between four days and three weeks on average before installing the ransomware.

Once inside the network, the adversary leverages existing tools and deploys others when needed, including Windows Sysinternals and Mimikatz, for privilege escalation and lateral movement. The adversary also deploys the TrickBot malware when needed.

Victims are instructed to contact the ransomware operators for instructions on how to make the payment. If the victim does not respond in the specified time window, the attackers often call them from single-use VOIP numbers, but they were also observed employing ProtonMail for communication.

The FBI also notes that the ransomware operators use remote access tools that communicate over ports 80, 443, 8080, and 8443, that they employ cloud-based data storage providers MegaNZ and pCloud for large HTTPS transfers, and that they disable endpoint detection systems. Constant HTTP and DNS beacons also reveal the attackers’ presence in the network.

In its alert, the FBI also provides a series of mitigation recommendations, which include keeping data backed up, implementing network segmentation and a recovery plan, keeping applications and operating systems up to date, and using multi-factor authentication.

“At many healthcare organizations HIPAA/HITECH requirements are only narrowly implemented leaving many potential cyberattack threat vectors unaddressed. To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Chris Clements, VP of solutions architecture at Cerberus Sentinel, said in an emailed comment.

“It’s crucial to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that can expose systems or data to compromise,” Clements continued.

Related: Ireland’s Health Service Executive Held to Ransom by Conti Gang

Related: Green Energy Company Volue Hit by Ransomware

Related: Large Florida School District Hit by Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.