
FBI: Conti Ransomware Actors Exploit Healthcare, First Responder Networks

An FBI flash alert warns the Conti ransomware hacking group is actively targeting and exploiting the healthcare sector and first responder networks, with at least 16 victims in the last year.


By Jessica Davis

The Conti ransomware group has successfully exploited at least 16 healthcare sector and first responder networks in the last year, including 911 dispatchers, emergency medical services, law enforcement, and municipalities, according to a May 20 FBI Flash Alert.

These healthcare-related attacks are part of a broader global Conti campaign that has claimed more than 400 victim organizations, 290 of them in the US alone. The alert follows a Check Point report that found the healthcare sector remains the top target for ransomware actors.

The FBI is urging entities to review the alert for insights into the technical attacks and indicators of compromise.

“Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed,” according to the alert.

“Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information,” it added.


While other hacking groups at least claimed they’d stop targeting healthcare amid the pandemic, Conti has continued to exploit these entities in the last year. The victims include Leon Medical Center, UK-based Livanova, and Rehoboth McKinley Christian Health Care Services.

The latest Conti-attributed attack was launched on Ireland’s Health Service Executive, which has led to significant care disruptions, EHR downtime procedures, and a number of other IT issues for several weeks.

Recent Coveware data found Conti has caused major troubles for victims, including complicated recoveries, failed negotiations, and multiple attacks launched in succession. A number of victims have paid the demands to suppress the leaks, as data exfiltration has led to a rise in triple extortion attempts.

According to the latest FBI alert, Conti operates in a fashion typical of other extortion groups: the actors steal as much data as possible before encrypting servers and workstations, then demand a ransom payment.

The initial access is gained through malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. 


“Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware,” according to the alert.

The FBI has observed the actors remaining on the network for between four days and three weeks before the ransomware payload is deployed using dynamic-link libraries (DLLs).

Further, the attackers leverage tools already present on the victims' networks and bring in additional ones when needed, including Windows Sysinternals and Mimikatz, which allow them to escalate privileges and move laterally across the network prior to data exfiltration and encryption.

In instances where the attackers need more resources, the FBI has observed the attackers using Trickbot.

Notably, even after the ransomware is deployed, the attackers may remain on the network and “beacon out” through Anchor DNS.


Victims are directed to contact the threat actors via an online portal to complete the transaction. Typically, victims are given just two to eight days after the ransomware is deployed to meet the demands.

Conti is among the hacking groups leveraging triple extortion methods, often calling victims from single-use Voice over Internet Protocol (VoIP) numbers or communicating via ProtonMail. The FBI noted that some of these victims have successfully negotiated smaller ransoms.

When the demands aren't met, the hackers either sell the stolen data or publish it on a public leak site. That site was taken down in the last few months. Ransoms vary by entity, and the FBI believes the demands are tailored to the victim; some recent attacks have carried demands as high as $25 million.

Healthcare administrators should review provided IOCs to assess their networks. The FBI warned that Conti actors employ remote access tools that beacon to domestic and international virtual private server (VPS) infrastructure, via ports 80, 443, 8080, and 8443.

The attackers have also been observed using port 53 for persistence. Conti activity may also show up as new tools and accounts that the entity did not install, such as Sysinternals.

Other indicators seen in past attacks include disabled endpoint detection and constant HTTP and DNS beaconing.

“Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers,” the FBI warned. “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”
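The network indicators above (low-jitter beaconing on 80/443/8080/8443, port-53 traffic that bypasses the organization's own resolvers, and large HTTPS uploads to MEGA or pCloud) lend themselves to a quick triage pass over outbound flow logs. The script below is an added example, not code from the FBI alert or from this article; it runs the three checks over a handful of constructed flow records. The CSV layout, the corporate resolver address, the internal address ranges, the beacon jitter bound and the upload byte threshold are all assumptions to be replaced with the values for your own environment.

```python
"""Triage outbound flow records for the Conti network indicators named in
the FBI alert: low-jitter beaconing on web ports, port-53 traffic to
non-corporate resolvers, and large HTTPS uploads to MEGA / pCloud.
Added example, not code from the alert or the article; the record layout,
site-specific constants and thresholds below are assumptions."""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed record layout, one flow per line (constructed for this example):
# epoch_seconds,src_ip,dst_ip,dst_port,proto,bytes_out,server_name_or_qname
SAMPLE_FLOWS = """\
1621500000,10.1.4.22,203.0.113.10,443,tcp,812,
1621500060,10.1.4.22,203.0.113.10,443,tcp,790,
1621500121,10.1.4.22,203.0.113.10,443,tcp,805,
1621500180,10.1.4.22,203.0.113.10,443,tcp,799,
1621500241,10.1.4.22,203.0.113.10,443,tcp,821,
1621500300,10.1.4.22,203.0.113.10,443,tcp,803,
1621500005,10.1.4.22,203.0.113.50,443,tcp,5120,www.example.com
1621500900,10.1.4.22,203.0.113.50,443,tcp,7300,www.example.com
1621500950,10.1.4.22,203.0.113.50,443,tcp,2200,www.example.com
1621503000,10.1.4.22,203.0.113.50,443,tcp,9100,www.example.com
1621503100,10.1.4.22,203.0.113.50,443,tcp,4400,www.example.com
1621500030,10.1.4.22,10.1.0.53,53,udp,70,www.example.com
1621500031,10.1.4.22,198.51.100.7,53,udp,64,k7q2.c2-example.test
1621500091,10.1.4.22,198.51.100.7,53,udp,66,m3x9.c2-example.test
1621500151,10.1.4.22,198.51.100.7,53,udp,65,p1d4.c2-example.test
1621500400,10.1.4.22,203.0.113.77,443,tcp,400000000,api.mega.nz
1621500700,10.1.4.22,203.0.113.77,443,tcp,350000000,api.mega.nz
1621501000,10.1.4.22,203.0.113.77,443,tcp,300000000,api.mega.nz
1621500420,10.1.4.30,203.0.113.88,443,tcp,20000,www.pcloud.com
"""

BEACON_PORTS = {80, 443, 8080, 8443}                 # ports named in the alert
CORPORATE_RESOLVERS = {"10.1.0.53"}                  # assumption: the org's own DNS
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "pcloud.com")


def is_internal(addr):
    """True for RFC 1918 space; an explicit list is used rather than
    ip_address().is_global because the constructed sample uses the
    documentation ranges, which Python also treats as non-global."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the assumed CSV layout into dicts sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes, name = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port),
                      "proto": proto, "bytes": int(nbytes), "name": name})
    return sorted(flows, key=lambda f: f["ts"])


def find_beacons(flows, min_hits=5, max_cv=0.2):
    """Flag (src, dst, port) tuples whose inter-flow gaps are nearly constant:
    coefficient of variation at or below max_cv over at least min_hits flows
    to an external address on a web port. Human browsing has ragged gaps;
    a scheduled C2 check-in does not."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["port"] in BEACON_PORTS and not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"], f["port"])].append(f["ts"])
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval_s": round(mean), "cv": round(cv, 3)})
    return hits


def find_rogue_dns(flows, min_queries=3):
    """Flag hosts sending port-53 traffic anywhere but the corporate resolvers;
    the alert notes port 53 used for persistence and DNS beaconing."""
    counts = defaultdict(int)
    for f in flows:
        if f["port"] == 53 and f["dst"] not in CORPORATE_RESOLVERS:
            counts[(f["src"], f["dst"])] += 1
    return [{"src": s, "resolver": d, "queries": n}
            for (s, d), n in counts.items() if n >= min_queries]


def find_cloud_uploads(flows, min_bytes=500_000_000):
    """Sum bytes sent per (src, server name) to the storage providers the alert
    names and flag totals at or above min_bytes (threshold is an assumption)."""
    totals = defaultdict(int)
    for f in flows:
        host = f["name"].lower()
        if any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
            totals[(f["src"], host)] += f["bytes"]
    return [{"src": s, "host": h, "bytes_out": b}
            for (s, h), b in totals.items() if b >= min_bytes]


def triage(text=SAMPLE_FLOWS):
    """Run all three checks and return the findings grouped by category."""
    flows = parse_flows(text)
    return {"beacons": find_beacons(flows),
            "rogue_dns": find_rogue_dns(flows),
            "cloud_uploads": find_cloud_uploads(flows)}


if __name__ == "__main__":
    for category, findings in triage().items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

On the sample data the regular 60-second check-ins to 203.0.113.10:443 are flagged while the irregular browsing to 203.0.113.50 is not, the three queries to the non-corporate resolver 198.51.100.7 are flagged, and the roughly 1 GB sent to api.mega.nz crosses the upload threshold while the small pCloud transfer does not. The jitter bound and byte threshold are starting points; tune them against a baseline of your own traffic before alerting on them.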

“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” it added.

Entities are encouraged to review policies and procedures, to ensure they’re employing best practice defenses, including the use of multi-factor authentication, routine backups, network segmentation, frequent patch management, and well-practiced disaster recovery plans.