Security Experts:

Connect with us

Hi, what are you looking for?



FBI: 16 Conti Ransomware Attacks Targeted Healthcare, First Responders in U.S.

The FBI says it has observed 16 Conti ransomware attacks that targeted healthcare and first responder networks in the United States over the past year.

The FBI says it has observed 16 Conti ransomware attacks that targeted healthcare and first responder networks in the United States over the past year.

First detailed in July 2020, Conti has grown to become a major threat, with more than 400 organizations worldwide (290 in the United States) being hit by the ransomware to date. Conti’s operators appear to tailor the ransom amount to the victim and were observed asking for as much as $25 million recently — but victims do have the option to negotiate the amount.

Conti operators steal victim data in addition to encrypting files on servers and workstations, threatening to release the stolen data to the public unless the ransom is paid.

U.S. healthcare organizations and first responders that Conti has hit since its emergence include 9-1-1 dispatch centers, emergency medical services, law enforcement agencies, and municipalities, the FBI reveals in a newly published alert.

For initial access to the victim networks, Conti’s operators employ malicious attachments (weaponized Word documents with embedded scripts) and email links, as well as Remote Desktop Protocol (RDP) credentials.

A typical Conti attack starts with the malicious document dropping Cobalt Strike and Emotet, with the attackers dwelling in the victim’s network between four days and three weeks on average before installing the ransomware.

Once inside the network, the adversary leverages existing tools and deploys others when needed, including Windows Sysinternals and Mimikatz, for privilege escalation and lateral movement. The adversary also deploys the TrickBot malware when needed.

Victims are instructed to contact the ransomware operators for instructions on how to make the payment. If the victim does not respond in the specified time window, the attackers often call them from single-use VOIP numbers, but they were also observed employing ProtonMail for communication.

The FBI also notes that the ransomware operators use remote access tools that communicate over ports 80, 443, 8080, and 8443, that they employ cloud-based data storage providers MegaNZ and pCloud for large HTTPS transfers, and that they disable endpoint detection systems. Constant HTTP and DNS beacons also reveal the attackers’ presence in the network.

In its alert, the FBI also provides a series of mitigation recommendations, which include keeping data backed up, implementing network segmentation and a recovery plan, keeping applications and operating systems up to date, and using multi-factor authentication.

“At many healthcare organizations HIPAA/HITECH requirements are only narrowly implemented leaving many potential cyberattack threat vectors unaddressed. To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Chris Clements, VP of solutions architecture at Cerberus Sentinel, said in an emailed comment.

“It’s crucial to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that can expose systems or data to compromise,” Clements continued.

Related: Ireland’s Health Service Executive Held to Ransom by Conti Gang

Related: Green Energy Company Volue Hit by Ransomware

Related: Large Florida School District Hit by Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.