The Federal Bureau of Investigation (FBI) has identified at least 16 Conti ransomware attacks targeting healthcare and first responder networks in the United States.
The FBI said the ransomware targets include 911 dispatch centers, law enforcement agencies, and emergency medical services over the past year.
According to the FBI Flash Alert, these victims are among the more than 400 organizations (290 based in the U.S.) targeted by Conti worldwide.
These cyberattacks pose a major threat and a public safety risk when first responders are unable to access digital information and respond to emergency service calls.
Similar to most ransomware attacks, Conti aims to steal victims’ data and encrypt their servers and workstations in order to demand a ransom payment. If the ransom is not paid, the actors may then sell the stolen data or publish it on a public site. Some of the ransom demands have been as high as $25 million.
Conti details
The FBI provided details of the threat in the alert:
“Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware. Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery.”
Moreover, the Conti actors use readily available tools, such as Windows Sysinternals and Mimikatz, to escalate privileges and pivot laterally through the victim’s network. The actors then exfiltrate data and, only afterwards, encrypt the compromised systems.
In some cases, the cybercriminals may even use Trickbot, a modular banking trojan previously designed to steal information and distribute other malware to infected systems. Trickbot has evolved over the years into credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk.
Indicators of Compromise
The FBI also provided a summary of Indicators of Compromise such as:
- Use of remote access tools to communicate with remote virtual private infrastructure (VPS) over ports 80, 443, 8080, and 8443.
- Use of port 53 for persistence.
- Large transfers via HTTPS sent to cloud-based data storage providers MegaNZ and pCloud.
- Discovery of new accounts and tools (e.g., Sysinternals).
- Disabled endpoint protection.
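The indicators above are network-observable, so they can be turned into simple detection logic over proxy or flow logs. The following is an added example written for this page, not code from the FBI alert or from the article: it parses a constructed, simplified flow log (timestamp, source host, destination host, destination port, bytes sent) and flags two of the listed behaviours, large HTTPS transfers to MegaNZ/pCloud and port 53 traffic that does not go to an approved internal resolver or is unusually large. The log format, the domain list, the byte thresholds and the resolver address are all assumptions that a deployment would replace with its own values.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Format, one flow per line:
#   <timestamp> <source host> <destination host> <destination port> <bytes sent>
SAMPLE_LOG = """\
2021-05-20T01:12:03Z ws-17 mega.nz 443 734003200
2021-05-20T01:13:10Z ws-17 mega.nz 443 698351616
2021-05-20T01:20:44Z ws-22 www.example.com 443 18432
2021-05-20T02:05:12Z ws-17 203.0.113.10 53 4194304
2021-05-20T02:05:13Z ws-22 10.0.0.53 53 512
2021-05-20T02:07:00Z ws-09 api.pcloud.com 443 1258291200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

# Assumptions for this example; tune per environment.
CLOUD_STORAGE_DOMAINS = ("mega.nz", "mega.co.nz", "pcloud.com")
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024   # 500 MiB per (source, destination) pair
INTERNAL_RESOLVERS = {"10.0.0.53"}           # the only hosts that should be asked on port 53
DNS_BYTES_THRESHOLD = 1 * 1024 * 1024        # 1 MiB on port 53 is far beyond normal lookups


@dataclass
class Finding:
    host: str    # source host that triggered the rule
    rule: str    # short rule name
    detail: str  # human-readable evidence


def parse_log(text):
    """Parse the constructed flow format into (ts, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, src, dst, port, nbytes = m.groups()
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records


def _is_cloud_storage(host):
    """True for the listed storage domains and any of their subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def detect(records):
    """Apply the two indicator rules and return a list of Finding objects."""
    findings = []
    exfil_totals = defaultdict(int)  # bytes per (source, destination) over HTTPS
    for ts, src, dst, port, nbytes in records:
        if port == 443 and _is_cloud_storage(dst):
            exfil_totals[(src, dst)] += nbytes
        # Port 53 to anything but the approved resolvers, or with abnormal volume,
        # matches the "use port 53 for persistence" indicator.
        if port == 53 and (dst not in INTERNAL_RESOLVERS or nbytes >= DNS_BYTES_THRESHOLD):
            findings.append(Finding(src, "port53-persistence",
                                    f"{nbytes} bytes to {dst}:53 at {ts}"))
    # Aggregate first so that many medium uploads to the same provider add up.
    for (src, dst), total in exfil_totals.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings.append(Finding(src, "cloud-storage-exfil",
                                    f"{total} bytes to {dst} over HTTPS"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

On the sample log this reports ws-17 for both rules and ws-09 for the pCloud upload, while ws-22 (an ordinary HTTPS request and a small query to the internal resolver) stays silent. Aggregating per source and destination rather than alerting on single flows is deliberate: a large archive is often uploaded in several chunks, none of which would cross a per-flow threshold on its own.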
These ransomware attacks are just the latest in a string of recent high-profile ransomware attacks, such as the Mount Locker, DarkSide (Colonial Pipeline) and DearCry cyberattacks.
Mitigations
Organizations are highly encouraged to implement these safeguards to help combat ransomware attacks:
- Back up data and keep copies offline (such as on an external hard drive or in cloud storage).
- Secure backups to prevent unauthorized changes to data.
- Run up-to-date anti-malware programs on all hosts.
- Use VPNs and avoid using public Wi-Fi.
- Use multi-factor authentication and strong passwords.
- Keep all devices up to date and patched.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Audit user and administrator accounts.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on security awareness and training for ransomware and phishing attacks.
Finally, the FBI urges victims not to pay ransoms and to promptly report ransomware incidents to their local field office or the FBI’s 24/7 Cyber Watch (CyWatch).
Related Articles
- Mount Locker ransomware targets Windows APIs to spread through networks
- CISA and FBI alert: DarkSide ransomware used in Colonial Pipeline cyberattack (and mitigation guidance)
- Pipeline ransomware attack shuts down 45% of East Coast’s fuel (US passes emergency waiver, systems restarted) – updated
- Threat actors use FiveHands Ransomware and SombRAT in new cyberattack
- Alert: Qlocker and eCh0raix ransomware attacks against QNAP NAS devices
- CISA publishes reports on DearCry ransomware and China Chopper Web Shell malware linked to Exchange Server exploits (update-2)