FBI Issues Flash Advisory on Conti Ransomware Attacks Impacting Healthcare and First Responder Networks

The Federal Bureau of Investigation has said in a flash announcement that the Conti ransomware group is responsible for at least 16 attacks targeting US healthcare and first responder networks within the last year.

The victim organizations include law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities, according to the bureau.

The group is said to have infected more than 400 organizations worldwide, including more than 290 in the US.

“Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim,” the agency notes. “The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors.”

Conti tailors the ransom demands based on the victim’s ability to pay, with some targets asked to hand over $25 in exchange for the decryption keys.

The bureau explains that such attacks are crippling to society, delaying access to real-time information, increasing safety risks to first responders and potentially endangering those who rely on calls for service.

“Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges,” the advisory continues. “Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.”

The document contains valuable technical information regarding Conti’s modus operandi. For example, the group is known to gain access to victims’ networks through phishing emails or Remote Desktop Protocol, by leveraging stolen credentials.

The group uses threat emulation software like Cobalt Strike and the infamous Emotet banking Trojan, and weaponizes Word documents with embedded Powershell scripts to ultimately deploy Conti ransomware.

“Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery,” the technical section says. “The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals1 and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data. In some cases where additional resources are needed, the actors also use Trickbot. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS.”

Conti threat actors are aggressive, going so far as to call victims who refuse to pay ransom. The attackers do so by employing throw-away VoIP numbers or via ProtonMail. Some victims are said to have negotiated a reduced ransom, according to the report.

The advisory further includes a list of indicators of compromise (IoCs) that system administrators can look for to help stop a Conti attack before it unfolds, as well as a list of recommended mitigations. As usual, the FBI does not encourage paying ransoms, as “payment does not guarantee files will be recovered.”