Conti Ransomware Group Continues to Threaten Healthcare

March 10, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Secret Service (USSS) re-released their September 2021 advisory on Conti ransomware group, which claimed responsibility for at least 16 cyberattacks against US healthcare entities.

“Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000,” the update stated.

CISA, the FBI, NSA, and the USSS updated the advisory to include new Conti indicators of compromise. Healthcare organizations should review the advisory and prepare accordingly.

In May 2021, the FBI released a flash alert warning of multiple Conti ransomware attacks against US healthcare organizations and first responder networks.

“Cyber attacks targeting networks used by emergency services personnel can delay access to realtime digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed,” the alert stated.

“Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges. Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.”

Months later, Conti is still at large. In early March 2022, Sophos disclosed an unusual incident involving two separate ransomware groups launching cyberattacks against one Canadian healthcare organization simultaneously. Both Karma and Conti ransomware groups targeted the organization with very different tactics and successfully exfiltrated data.

Conti also recently announced on its leak site that it would support Russia’s invasion of Ukraine and use “retaliatory measures” against the US should it attack Russian critical infrastructure.

This recent activity solidified Conti as an ongoing threat against US and international organizations.

CISA and the FBI have observed Conti ransomware using Trickbot and Cobalt Strike often. Conti is a ransomware-as-a-service (RaaS) variant, but its structure deviates from that of typical RaaS affiliate models.

“It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack,” the advisory noted.

Conti actors typically gain initial access via spearphishing campaigns, stolen Remote Desktop Protocol (RDP) credentials, fake software promoted via search engine optimization, or common asset vulnerabilities.

CISA updated the advisory to include new indicators of compromise, including new domains that had registration and naming characteristics that were similar to those used by Conti in the past.

US organizations, especially in the healthcare sector, should remain on high alert and implement technical safeguards to prevent cyberattacks. Organizations should adopt multi-factor authentication, network segmentation, and frequent vulnerability scanning.

In addition, the advisory recommended that organizations remove unnecessary applications, implement endpoint and detection response tools, restrict access to RDP, and secure user accounts.