The Federal Bureau of Investigation (FBI) has identified at least 16 Conti ransomware attacks over the last year, targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.
Like most ransomware variants, the Conti ransomware typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim, the FBI said in its flash alert. Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information, it added.
The federal agency is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file, the alert said.
“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers,” it added.
Coveware, an analyst firm, revealed in its Quarterly Ransomware Report that the average ransom payment increased 43 percent to US$220,298 in the first quarter of this year from $154,108 in the fourth quarter of last year, while the median payment in the first quarter rose to $78,398 from $49,450, registering a 58 percent increase.
The percentage of ransomware attacks that included a threat to release stolen data increased to 77 percent in the first quarter from 70 percent in the last quarter of last year. The majority of ransomware attacks that involve data exfiltration have two goals – to exfiltrate corporate data from the most convenient file server, and escalate privileges and deploy ransomware on as many endpoints as possible, Coveware added.
The Conti ransomware attack comes closely after Colonial Pipeline detected that DarkSide ransomware was responsible for the compromise of its networks, which led the company to take certain systems offline to contain the threat. Colonial had a temporary halt of all pipeline operations with some of its IT systems also affected.
Conti hackers gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials, the FBI said.
The Conti ransomware embeds Word documents with Powershell scripts, initially staging Cobalt Strike via the Word documents, and then dropping Emotet onto the network, giving the attacker access to deploy ransomware. Hackers are observed inside the victim network between four days and three weeks on an average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery, it added.
FBI also pointed out that once Conti attackers deploy the ransomware, they may stay in the network and beacon out using Anchor DNS. If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti hackers often call the victim using single-use Voice over Internet Protocol (VOIP) numbers. The attackers may also communicate with the victim using ProtonMail, and in some instances, victims have negotiated a reduced ransom.
The Irish government said last week that on May 14th, the National Cyber Security Centre (NCSC) was made aware of a significant incident affecting Health Service Executive (HSE) systems. Initial reports indicated a human-operated Conti ransomware attack that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems, according to an advisory released by the NCSC.
The malicious cyber activity was also detected on the Irish Department of Health (DoH) network, but due to a combination of anti-virus software and deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped. The HSE took the decision to shut down all of its IT systems as a precaution in order to assess and limit the impact, it added.
Following the Conti ransomware attack, there were serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans, but the national vaccination program is not affected.
“Criminals have attacked our health service and IT systems are shut down. This is a serious and high-risk event. We thank you for your patience and understanding. We’re working incredibly hard to keep essential services going,” according to a Twitter message from HSE Ireland on Sunday.
The American Hospital Association (AHA) remains concerned about cyberattacks with the potential to disrupt patient care and jeopardize patient safety. As stated in its testimony before the Senate Homeland Security Committee last December, AHA believes that a ransomware attack on a hospital or health system crosses the line from an economic crime to a threat-to-life crime.
The AHA acknowledges and commends the U.S. government’s efforts to share timely and actionable cyber-threat intelligence, AHA said in its statement. However, relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat.
The vast majority of these attacks originate from outside the U.S., often beyond the reach of U.S. law enforcement, where ransomware gangs are provided safe harbor and allowed to operate with impunity, sometimes with the active assistance of adversarial nations, it added.
“For healthcare providers, it is imperative to adopt a proactive approach to cybersecurity,” wrote cybersecurity expert Anastasios Arampatzis in a post for Adacom. “Administrators and other security leaders should review insights and recommendations provided by various organizations and agencies, including the FBI and CISA, to tackle the ransomware threat before falling victim,” he added.
“As ransomware attacks become more prevalent and, bad actors are targeting healthcare organizations. Our duty as HTM professionals is to be prepared and do everything we can to protect patients and their data,” wrote Benjamin Stock, director of Healthcare Product Development at Ordr in a company blog post.