The FBI is warning IT professionals in healthcare and first responder organizations of at least 16 Conti ransomware attacks this year.
In an advisory, the FBI said it has identified at least 16 such attacks in the last year, targeting law enforcement, emergency medical services, dispatch centers and municipalities. The healthcare and first responder networks are among the more than 400 victims worldwide, with “over 290” in the U.S.
The Conti ransomware is typical of such attacks, the FBI says. A victim’s files are stolen and workstations are encrypted until the victim pays a ransom via an online portal. If the ransom isn’t paid, the actors threaten to release the data on a public website.
Some ransom demands have been as high as $25 million, according to the alert.
Shutting down any of these networks as a result of ransomware attacks could have devastating effects on public health and combatting crime, so it’s important for IT pros at first responder organizations to do everything they can to prevent such attacks.
Luckily, there doesn’t seem to be anything out of the ordinary about Conti ransomware. The actors typically gain access to networks through malicious email links, attachments or stolen Remote Desktop Protocol (RDP) credentials, the FBI says. The group uses Word documents embedded with PowerShell scripts, initially staging Cobalt Strike via the Word documents and dropping Emotet onto the network to gain the access needed to deploy ransomware.
The Conti actors have been observed inside victim networks for up to three weeks before the ransomware is deployed via dynamic-link libraries. They use tools already available on the network, then add tools as needed, such as Windows Sysinternals and Mimikatz, to escalate privileges and move laterally through the network before stealing and encrypting data. They have also been observed using TrickBot.
They then use single-use VoIP numbers to call the victim if the ransom isn’t paid in a number of days.
According to the FBI, Conti actors use remote access tools that usually beacon to domestic and international virtual private server infrastructure over ports 80, 443, 8080 and 8443, and sometimes use port 53 for persistence. Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers.
IT pros can also spot Conti activity inside their networks by noticing new accounts and tools that weren’t installed by the organization, especially Sysinternals. Disabled endpoint protection and constant HTTP and domain name system beacons are other indicators.
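To make the network indicators above concrete, here is an added example (not from the FBI advisory or this article) that scans constructed proxy/flow log lines for two of them: low-jitter beaconing from one host to one external address on the listed ports, and large HTTPS uploads to mega.nz or pcloud.com. The log format, the 100 MiB upload threshold and the 20% jitter bound are assumptions.

```python
"""Check constructed proxy/flow log lines for two Conti indicators from the FBI advisory:
regular beaconing on 80/443/8080/8443/53 and large HTTPS uploads to MegaNZ or pCloud."""
import statistics
from collections import defaultdict

BEACON_PORTS = {80, 443, 8080, 8443, 53}
EXFIL_DOMAINS = ("mega.nz", "pcloud.com")          # MegaNZ and pCloud
UPLOAD_THRESHOLD = 100 * 1024 * 1024               # assumed: 100 MiB per host/domain

def parse(line):
    """Constructed format: epoch_seconds src_ip dst_ip dst_port bytes_out sni_host ('-' if none)."""
    ts, src, dst, dport, out, host = line.split()
    return int(ts), src, dst, int(dport), int(out), host

def find_beacons(lines, min_events=6, max_jitter=0.2):
    """Return (src, dst, dport) tuples whose connections recur at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, dport, _, _ in map(parse, lines):
        if dport in BEACON_PORTS:
            times[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # low coefficient of variation = machine-like timing; human browsing is irregular
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)
    return hits

def find_exfil(lines):
    """Return {(src, host): bytes_out} for HTTPS uploads to the exfil domains above the threshold."""
    total = defaultdict(int)
    for _, src, _, dport, out, host in map(parse, lines):
        if dport == 443 and any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
            total[(src, host)] += out
    return {k: v for k, v in total.items() if v >= UPLOAD_THRESHOLD}

# Constructed sample: one host beaconing every ~60 s to a VPS, normal browsing, and a MEGA upload.
SAMPLE = [f"{t} 10.0.0.5 203.0.113.7 443 512 -" for t in (1000, 1060, 1118, 1180, 1243, 1300, 1361, 1420)] + [
    "1010 10.0.0.9 198.51.100.4 443 2048 www.example.com",
    "1320 10.0.0.9 198.51.100.4 443 1024 www.example.com",
    "1700 10.0.0.9 198.51.100.4 443 4096 www.example.com",
    "2000 10.0.0.5 198.51.100.20 443 60000000 mega.nz",
    "2300 10.0.0.5 198.51.100.20 443 70000000 mega.nz",
]
```

Running `find_beacons(SAMPLE)` flags only the 10.0.0.5 to 203.0.113.7:443 pattern, and `find_exfil(SAMPLE)` reports the 130 MB pushed to mega.nz from the same host, which is the combination worth escalating.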
The FBI’s recommended mitigations are typical of ransomware prevention: regularly backing up data, air gapping network systems, good password security, disabling RDP, regularly patching and updating systems, requiring administrator credentials to install software and more.
For a full list, read the FBI’s alert.
Conti ransomware behind the Ireland health service attack
According to BleepingComputer, Conti ransomware operates as a private ransomware-as-a-service operation that officials believe is controlled by a Russia-based group known as Wizard Spider. The ransomware is similar to Ryuk ransomware and has used TrickBot distribution channels since Ryuk activity decreased last summer.
The group is also believed to be behind the ransomware attack on Ireland’s Health Service Executive (HSE) and Department of Health. A $20 million ransom was demanded, but the Conti gang released a free decryptor for the HSE while still threatening to sell 700 GB of stolen data. The Department of Health, however, was able to prevent encryption.