The FBI says that the Conti ransomware group has targeted at least 16 U.S. healthcare and first-responder networks. These victims are among more than 400 organizations worldwide hit by Conti, 290 of them in the United States.
The global healthcare system saw a surge of attacks from various ransomware gangs during the pandemic. Conti is one of more than a dozen ransomware gangs targeting healthcare systems, government and private organizations, and critical infrastructure agencies. Others include Maze, Nefilim, and Sodinokibi, each linked to successful ransomware attacks worldwide.
Conti ransomware attacks are attributed to the Russia-based threat actor Wizard Spider, which operates under the ransomware-as-a-service (RaaS) model. The variant also shares code with Ryuk ransomware.
Conti ransomware attacks target law enforcement agencies and healthcare systems
The FBI alert noted that Conti ransomware attacks targeted law enforcement agencies, emergency medical services, 911 dispatch centers, and municipalities.
The Conti ransomware gang was responsible for the attack on Ireland's public healthcare system that disrupted operations in mid-May. The gang demanded $20 million in ransom and threatened to publish 700GB of data if it was not paid.
Ireland's Health Minister Stephen Donnelly said the country's healthcare system did not pay the ransom. The threat actor nevertheless later provided a decryption key, but continued to threaten to publish the stolen data.
Recent ransomware victims in the United States include the Scripps healthcare system in San Diego. Universal Health Services, a Fortune 500 company with over 400 facilities, also confirmed a ransomware attack by a different threat actor on October 3, 2020.
The University of Vermont Health Network also suffered a ransomware attack on October 25, 2020, costing it about $1.5 million a day, or roughly $63 million in total expenses and lost revenue.
The FBI released the tactics, techniques, and procedures (TTPs) of a typical Conti attack. According to the law enforcement agency, Conti gains its initial foothold through malicious email links, infected attachments, or stolen Remote Desktop Protocol (RDP) credentials.
“Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware.”
Conti operators deliver the ransomware as dynamic-link libraries (DLLs) and rely as far as possible on tools already present on the victim's network. Where those are not enough, they bring in Windows Sysinternals utilities and Mimikatz to harvest credentials and escalate privileges.
“In some cases where additional resources are needed, the actors also use Trickbot. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS,” the FBI advisory states.
Conti's tooling communicates over ports 80, 443, 8080, and 8443, where its traffic blends in with ordinary web browsing. The actors also move large volumes of stolen data through cloud storage providers such as MegaNZ, which lets them exfiltrate without tripping endpoint detection.
Encrypting files does not end the intrusion: the actors remain on the network afterwards and beacon out past the perimeter using AnchorDNS, so an incident is not over when the ransom note appears.
Conti encrypts both servers and workstations to pressure the victim into paying. Within two days the gang telephones the victim from disposable VoIP numbers to make its ransom demand, threatening to publish the stolen data online if the ransom is not paid. It sometimes uses ProtonMail to make contact instead.
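The TTPs above translate directly into host-level detections. The following Python script is an added example, not part of the FBI flash or this article: it runs a handful of rules over constructed Sysmon-style events (field names mimic Sysmon EventID 1 process creation, 3 network connection and 22 DNS query) for the behaviours named above: an Office application spawning a script host, connections on 80/443/8080/8443 from a binary in a user-writable directory, DNS lookups for MEGA, and a generic DNS-tunnelling heuristic in the spirit of AnchorDNS beaconing. Everything beyond the article is an assumption: the sample events and domains (example.com), the `-enc` command-line heuristic, the extension from Word to Excel and PowerPoint, and the tunnelling threshold, which is a tunable number rather than a documented AnchorDNS signature.

```python
"""Toy detection pass over Sysmon-style events for Conti tradecraft.
Sample events below are constructed for this example, not real telemetry."""
import re
from collections import defaultdict
from ntpath import basename

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # Word is what the FBI names; the rest is a generalization
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
C2_PORTS = {80, 443, 8080, 8443}                              # ports listed in the FBI flash
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")                      # domains MEGA serves from
# Directories an ordinary user can write to; a binary launched from one of these talking on C2 ports is worth a look.
WRITABLE_DIRS = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)  # assumption: encoded stager, typical of Cobalt Strike loaders
MIN_UNIQUE_SUBDOMAINS = 20                                    # assumption: tunable threshold for the tunnelling heuristic


def _host_matches(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _registered_domain(host):
    # crude: last two labels; good enough for the names in the sample, not for a real public-suffix list
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def rule_office_spawns_script_host(ev):
    """EventID 1: Office parent -> script host child. Encoded PowerShell raises severity."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev.get("ParentImage", "")).lower(), basename(ev.get("Image", "")).lower()
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        sev = "high" if ENCODED_PS.search(" " + ev.get("CommandLine", "") + " ") else "medium"
        return ("office_spawns_script_host", sev, f"{parent} -> {child}")
    return None


def rule_mega_upload(ev):
    """EventID 3/22: any process resolving or connecting to MEGA (the bulk-exfil channel the FBI names)."""
    host = ev.get("QueryName") or ev.get("DestinationHostname") or ""
    if ev.get("EventID") in (3, 22) and _host_matches(host, MEGA_DOMAINS):
        return ("cloud_storage_exfil", "high", f"{basename(ev.get('Image', ''))} -> {host}")
    return None


def rule_writable_dir_c2_port(ev):
    """EventID 3: the four ports alone are everyday web traffic; only the pairing with an odd source binary is a signal."""
    if ev.get("EventID") == 3 and ev.get("DestinationPort") in C2_PORTS and WRITABLE_DIRS.search(ev.get("Image", "")):
        return ("c2_port_from_writable_dir", "medium", f"{ev['Image']} -> {ev.get('DestinationIp')}:{ev['DestinationPort']}")
    return None


PER_EVENT_RULES = (rule_office_spawns_script_host, rule_mega_upload, rule_writable_dir_c2_port)


def dns_tunnel_suspects(events, min_unique=MIN_UNIQUE_SUBDOMAINS):
    """Generic DNS-tunnelling heuristic (an assumption, not a documented AnchorDNS signature):
    one process issuing many distinct subdomains under a single registered domain."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 22 and ev.get("QueryName"):
            q = ev["QueryName"].lower().rstrip(".")
            seen[(basename(ev.get("Image", "")), _registered_domain(q))].add(q)
    return [("dns_tunnel_suspect", "medium", f"{img} -> {dom} ({len(qs)} unique names)")
            for (img, dom), qs in seen.items() if len(qs) >= min_unique]


def run_detections(events):
    """Return (rule, severity, detail) tuples: per-event hits in event order, then the aggregate DNS rule."""
    findings = [hit for ev in events for rule in PER_EVENT_RULES if (hit := rule(ev))]
    findings += dns_tunnel_suspects(events)
    return findings


# Constructed sample telemetry (not real data): one benign PowerShell launch and one benign browser
# connection sit beside the malicious events so the rules can be seen discriminating.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe Get-Process"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    {"EventID": 22, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "QueryName": "g.api.mega.co.nz"},
] + [{"EventID": 22, "Image": r"C:\Windows\Temp\upd.exe", "QueryName": f"{i:08x}.example.com"} for i in range(25)]

if __name__ == "__main__":
    for name, sev, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{sev:6}] {name}: {detail}")
```

Run against the sample, the script reports four findings and stays silent on the explorer-launched PowerShell and the browser's HTTPS session. The design point is that none of the FBI's network indicators is usable on its own: 443 is the busiest port on any network and MEGA has legitimate users, so each rule pairs the indicator with a process context (parent image, binary location, query diversity) before it fires.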
FBI-recommended countermeasures against Conti ransomware attacks
The FBI recommended that organizations at risk back up their data regularly and keep copies offline, where the ransomware cannot reach them. Offline copies let a victim recover quickly after an attack without losing critical data or paying for a decryptor.
The FBI also recommended network segmentation, prompt installation of security patches and updates, multifactor authentication, and strong passwords. Disabling unused VPN protocols closes off an avenue that attackers would otherwise exploit to gain a foothold and launch ransomware attacks.
Commenting on Conti ransomware attacks on the healthcare system and first-responder networks, Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, says:
“Now more than ever we must focus on shoring up security at our most critical institutions, including healthcare and first responders. Cyber attacks on these organizations are unfortunately not simply limited to the digital realm. They have spillover effects that can impair or even completely disrupt vital caregiving operations and directly impact patient health and safety.”
He noted that HIPAA/HITECH requirements are usually narrowly implemented, leaving many institutions vulnerable to cyber attacks.
“Healthcare as a vertical seems to have a disproportionately high number of legacy software packages or medical equipment built with legacy operating systems such as Windows 7 or even Windows XP that no longer receive patches from Microsoft and have few if any mitigating controls that may protect them from being targeted by today’s latest exploits,” he said. “To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry.”
He also recommended security awareness training for personnel, system and application hardening as part of IT’s standard processes, and continuous monitoring for evidence of compromise or suspicious insider behavior. Regular penetration testing to expose gaps across the security life cycle is also crucial, according to Clements.