FBI Warns Healthcare Sector of Conti Ransomware Attacks
Ireland's Health System, Scripps Health Apparently Among the Recent Targets
The FBI is warning healthcare organizations and first responder networks about Conti ransomware attacks, advising them to take measures to help prevent becoming a victim.
The bureau's flash alert comes on the heels of a recent Conti attack on Ireland's Health Service Executive, the nation's state-run health services provider, as well as the May 1 malware attack on San Diego-based Scripps Health. The California organization has not confirmed reports that its incident involved Conti ransomware (see: The Rising Threats to EHR Data Integrity).
Scripps Health did not immediately respond to Information Security Media Group's request for comment and an update on its recovery efforts.
In February, the Conti ransomware gang also reportedly leaked sensitive patient data, as well as employee records, on a darknet site following attacks on Miami-based Leon Medical Centers and Nocona (Texas) General Hospital (see: Patient Files Dumped on Darknet Site After Hacking Incidents).
FBI: 16 Attacks
The FBI says it has identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks - including law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities - within the last year.
"These healthcare and first-responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.," the FBI notes. "Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim."
Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients by leading to cancellation of procedures, rerouting of patients to unaffected facilities and compromise of protected health information, the alert notes.
The American Hospital Association on Friday called upon the federal government "to embark upon a coordinated campaign that will use all diplomatic, financial, law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations and seize their illegal proceeds, as was done so effectively during the global fight against terrorism."
The AHA says that while it commends the government’s efforts to share timely and actionable cyberthreat intelligence, "relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat."
The vast majority of these attacks originate from outside the U.S., the AHA says, "often beyond the reach of U.S. law enforcement, where ransomware gangs are provided safe harbor and allowed to operate with impunity, sometimes with the active assistance of adversarial nations."
The U.S. government recently worked with other nations to take down two of the largest ransomware groups: Netwalker and Egregor, says Bryan Oliver, senior analyst at security firm Flashpoint. "However, the government is also aware that when lives are at stake, all options should be on the table to protect the welfare of hospital patients."
Conti ransom letters instruct victims to contact the attackers through an online portal to pay a ransom, the FBI notes. "If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million."
The FBI reiterated in its alert that it recommends organizations do not pay ransoms because payment does not guarantee files will be recovered and also emboldens cybercriminals to wage further attacks.
"However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers," the bureau states. "Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local field office or the FBI’s 24/7 Cyber Watch."
"More than anything, organizations need to do two things - reduce their risk of becoming a victim of a ransomware attack by implementing additional security controls within their environment and prepare … for when an incident such as a ransomware attack occurs to decrease the impact and likelihood that payment will need to be made," says Riley Stauffer, a security analyst at consultancy Pondurance.
The FBI is encouraging organizations to share information about Conti attacks, including boundary logs "showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file."
Conti Gang's Methods
Attackers using Conti ransomware gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol credentials, the alert notes.
"Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware," the FBI says. "Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries for delivery."
The attackers first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals and Mimikatz, to escalate privileges and move laterally through the network before exfiltrating and encrypting data, the FBI says.
"In some cases where additional resources are needed, the actors also use Trickbot," the alert says. "Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS."
If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, the attackers often call the victim using single-use Voice Over Internet Protocol numbers, the FBI says. The attackers "may also communicate with the victim using ProtonMail, and in some instances victims have negotiated a reduced ransom," the alert notes.
After the attack on Ireland's Health Service Executive, Conti attackers last week gave the organization a decryptor, which government officials are testing to see if it's safe to put to use. Meanwhile, the gang is reportedly threatening to release 700GB of stolen patient data unless HSE pays a $20 million ransom.
The Irish Medical Times reports that some patients whose data was affected by the Ireland attack report receiving phishing phone calls, supposedly from a hospital, asking for bank details in order to "refund" money.
"We’re getting several reports of members of the public receiving calls from a Dublin number - supposedly from a hospital - where the caller knows all the person’s details - DOB, PPS and date of stay in hospital. They ask for bank details to ‘refund’ money for overcharging."
- Irish Medical Times (@IMT_latest), May 24, 2021
Indicators to Watch
The FBI notes that the Conti gang uses remote access tools, "which most often beacon to domestic and international virtual private server infrastructure over ports 80, 443, 8080, and 8443." Additionally, the attackers may use port 53 "for persistence," the alert says.
"Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers," the alert says.
Additional indicators of Conti activity include "the appearance of new accounts and tools - particularly Sysinternals - which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system beacons, and disabled endpoint detection," the FBI says.
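Added example, not code from the FBI alert or this article: a small Python script that applies two of the indicators above to constructed outbound-connection logs, flagging large HTTPS transfers to the storage providers the alert names and near-constant-interval connections on the listed ports. The log format, the 100 MiB transfer threshold and the 20% jitter tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real telemetry): time src dst dport bytes_out sni
SAMPLE_LOGS = """\
2021-05-20T09:00:00 10.0.0.5 203.0.113.10 443 1024 -
2021-05-20T09:01:00 10.0.0.5 203.0.113.10 443 1030 -
2021-05-20T09:02:00 10.0.0.5 203.0.113.10 443 1010 -
2021-05-20T09:03:00 10.0.0.5 203.0.113.10 443 1020 -
2021-05-20T09:04:00 10.0.0.5 203.0.113.10 443 1015 -
2021-05-20T09:30:00 10.0.0.7 198.51.100.20 443 734003200 mega.nz
2021-05-20T09:45:00 10.0.0.9 198.51.100.30 443 52000 www.example.org
2021-05-20T10:15:00 10.0.0.9 198.51.100.30 443 8000 www.example.org
"""

CLOUD_STORAGE = ("mega.nz", "pcloud.com")  # providers named in the alert
BEACON_PORTS = {80, 443, 8080, 8443}        # ports named in the alert
LARGE_TRANSFER = 100 * 1024 * 1024          # assumed threshold: 100 MiB outbound

def parse(text):
    """Parse the space-separated (assumed) log format into dicts."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes, sni = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes), "sni": sni})
    return rows

def find_large_uploads(rows, threshold=LARGE_TRANSFER):
    """Large HTTPS transfers to the cloud storage providers the alert names."""
    return [r for r in rows
            if r["bytes"] >= threshold and r["sni"].endswith(CLOUD_STORAGE)]

def find_beacons(rows, min_hits=5, max_jitter=0.2):
    """Flag (src, dst, port) flows that connect at near-constant intervals."""
    by_flow = defaultdict(list)
    for r in rows:
        if r["port"] in BEACON_PORTS:
            by_flow[(r["src"], r["dst"], r["port"])].append(r["ts"])
    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low relative spread between intervals suggests a timer, not a human.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(flow)
    return hits
```

Tune the thresholds to your own baseline: legitimate software updaters also beacon on a timer, so the beacon list is a triage queue rather than a verdict.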
Hiding in Plain Sight
The Conti gang "has become so comfortable in what they are doing it appears that they are 'hiding in plain sight' without fear of consequences or law enforcement pressure," says retired supervisory FBI agent Jason G. Weiss, who's now an attorney at law firm Faegre Drinker Biddle & Reath LLP.
"They have learned to hit us in what they perceive as a weak spot that forces the [victims] to pay the ransom out of risk to the health and welfare" of affected individuals, he says. "From a defensive standpoint, it feels like the healthcare industry has fallen into the trap that the FBI always warned us about when doing our defensive tactics training: 'Don’t bring a knife to a gun fight.'"
Oliver of Flashpoint notes: "Historically, there has been a lack of agreement among ransomware groups as to whether to attack the healthcare sector." Of all currently active ransomware groups with leak sites, Conti appears to claim the greatest number of healthcare victims, he adds.
Weiss predicts the healthcare sector and other elements of the nation's critical infrastructure will see a rise in other nefarious cyberattacks, including devastating “disruptionware attacks."
"Money is not the only incentive for these types of attacks. There are incentives that include destroying possible competition and attacking supply lines. And in certain situations, ransomware gangs or nation-states may attempt to weaken or destroy American industries," he says.
"Time will tell whether these attacks increase in size and scope. It is my belief that they will, because until we show we can stop it, it just won't stop."
The FBI alert lists a number of recommended mitigations for preventing and recovering from ransomware incidents. Those include regularly backing up data and keeping backup copies offline, air-gapped and password-protected.
Also, organizations should ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
Other measures include implementing network segmentation as well as a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
Entities should also install updates and patch operating systems, software and firmware as soon as they are released and use multifactor authentication where possible, the FBI stresses.