The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE flash alert warning of continuing Conti ransomware attacks on healthcare providers and first responder networks. According to the FBI, the Conti ransomware gang has already attacked at least 16 healthcare and first responder networks in the U.S.
Beyond healthcare companies, the gang has also targeted emergency medical services, 911 dispatch centers, law enforcement agencies and municipalities. The group is known to have attacked more than 400 organizations worldwide, most recently Ireland's Department of Health (DoH) and Health Service Executive (HSE). To date, 290 of its victims are in the U.S.
Conti ransomware is believed to be operated by Wizard Spider, a Russia-based cybercrime group, and runs as a ransomware-as-a-service (RaaS) operation. The gang is known for targeting large organizations and demanding ransoms as high as $25 million. The demand is set per victim, based on how much was encrypted and on the victim's perceived ability to pay.
Like most ransomware operations today, Conti exfiltrates sensitive data before encrypting files and threatens to sell or publish it if no ransom is paid. Victims are given 8 days to pay. If a victim does not contact the gang, the gang often reaches out itself 2 to 8 days later, via Voice over Internet Protocol (VoIP) calls or encrypted email such as ProtonMail, to pressure the victim into paying.
Attacks typically begin with phishing emails carrying weaponized links or attachments, or with stolen Remote Desktop Protocol (RDP) credentials. Until the Emotet botnet was taken down in January 2021, the actors used malicious Word documents with embedded PowerShell scripts, first staging Cobalt Strike and then dropping the Emotet Trojan onto the network, which gave them the access needed to deploy the ransomware. The group is also known to use the TrickBot Trojan. The time from initial compromise to ransomware deployment is typically 4 days to 3 weeks, and the ransomware payload is frequently delivered as a dynamic link library (DLL).
The group uses tools already present on the network where it can, adding utilities such as Windows Sysinternals and Mimikatz as needed to harvest password hashes and clear-text credentials, escalate privileges within the domain and move laterally. After encrypting files, the actors often remain in the network and beacon out using Anchor DNS. They use remote access tools to beacon out to domestic and international virtual private server (VPS) infrastructure over ports 80, 443 and 8443, with port 53 typically used for persistence. Ongoing indicators of compromise include the creation of new accounts, the installation of tools such as Sysinternals, disabled endpoint detection, and continuous HTTP and DNS beacons.
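The indicators listed above lend themselves to a simple hunt over existing telemetry. The following Python script is an added example, not part of the FBI alert or of this article: it runs over a constructed extract of Windows Security events and a constructed outbound connection log, flagging new account creation (event ID 4720), process creations (event ID 4688) that launch Sysinternals PsExec or Mimikatz or turn off Defender real-time monitoring, and flows to external hosts on ports 53, 80, 443 or 8443 that recur at near-constant intervals. The event IDs are real Windows values; the hosts, account names, log layout and thresholds are assumptions chosen for illustration.

```python
"""Hunt for Conti post-compromise indicators: new accounts, Sysinternals/Mimikatz
tooling, disabled defenses, and periodic HTTP/DNS beacons on 53/80/443/8443.
All log lines in this file are constructed for illustration (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security log extract: (timestamp, event id, detail).
# 4720 = user account created, 4688 = process creation with command line.
WIN_EVENTS = [
    ("2021-05-20T01:02:11", 4720, "New account created: svc_backup2 by CORP\\jsmith"),
    ("2021-05-20T01:03:40", 4688, "C:\\Temp\\PsExec64.exe -s \\\\DC01 cmd.exe"),
    ("2021-05-20T01:05:02", 4688, "C:\\Windows\\System32\\notepad.exe"),
    ("2021-05-20T01:06:15", 4688, "C:\\Temp\\mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    ("2021-05-20T01:07:00", 4688, "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
]

# Constructed outbound connection log from the perimeter: (timestamp, src, dst, dport).
# 10.0.0.5 beacons to 203.0.113.7:443 every 60 s and to 203.0.113.53:53 every 300 s;
# 10.0.0.9 talks to 198.51.100.20:443 at irregular, human-looking intervals.
CONN_LOG = [
    ("2021-05-20T02:00:00", "10.0.0.5", "203.0.113.7", 443),
    ("2021-05-20T02:00:17", "10.0.0.9", "198.51.100.20", 443),
    ("2021-05-20T02:00:30", "10.0.0.5", "203.0.113.53", 53),
    ("2021-05-20T02:01:00", "10.0.0.5", "203.0.113.7", 443),
    ("2021-05-20T02:02:00", "10.0.0.5", "203.0.113.7", 443),
    ("2021-05-20T02:02:31", "10.0.0.9", "198.51.100.20", 443),
    ("2021-05-20T02:03:00", "10.0.0.5", "203.0.113.7", 443),
    ("2021-05-20T02:04:00", "10.0.0.5", "203.0.113.7", 443),
    ("2021-05-20T02:05:00", "10.0.0.5", "203.0.113.7", 443),
    ("2021-05-20T02:05:30", "10.0.0.5", "203.0.113.53", 53),
    ("2021-05-20T02:09:45", "10.0.0.9", "198.51.100.20", 443),
    ("2021-05-20T02:10:30", "10.0.0.5", "203.0.113.53", 53),
    ("2021-05-20T02:14:02", "10.0.0.9", "198.51.100.20", 443),
    ("2021-05-20T02:14:09", "10.0.0.9", "198.51.100.20", 443),
    ("2021-05-20T02:15:30", "10.0.0.5", "203.0.113.53", 53),
    ("2021-05-20T02:20:30", "10.0.0.5", "203.0.113.53", 53),
]

# Substrings in a 4688 command line that match the tooling named in the alert
# (Sysinternals PsExec/ProcDump, Mimikatz) or tampering with Defender settings.
TOOL_MARKERS = ("psexec", "procdump", "mimikatz", "set-mppreference")
BEACON_PORTS = {53, 80, 443, 8443}


def new_accounts(events):
    """Return the account names created according to 4720 events."""
    names = []
    for _, event_id, detail in events:
        if event_id == 4720:
            match = re.search(r"New account created: (\S+)", detail)
            if match:
                names.append(match.group(1))
    return names


def tooling_hits(events):
    """Return (marker, command line) for 4688 events matching known tooling."""
    hits = []
    for _, event_id, detail in events:
        if event_id != 4688:
            continue
        lowered = detail.lower()
        for marker in TOOL_MARKERS:
            if marker in lowered:
                hits.append((marker, detail))
                break
    return hits


def find_beacons(conns, min_hits=5, max_cv=0.1, ports=BEACON_PORTS):
    """Flag (src, dst, dport, period_s) flows whose connections recur at
    near-constant intervals: coefficient of variation of the gaps <= max_cv."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in conns:
        if dport in ports:
            by_flow[(src, dst, dport)].append(datetime.fromisoformat(ts))
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append((*flow, round(mean)))
    return sorted(beacons)


if __name__ == "__main__":
    print("new accounts:", new_accounts(WIN_EVENTS))
    for marker, cmdline in tooling_hits(WIN_EVENTS):
        print(f"tooling [{marker}]: {cmdline}")
    for src, dst, dport, period in find_beacons(CONN_LOG):
        print(f"beacon: {src} -> {dst}:{dport} every ~{period}s")
```

Real beacons usually add jitter, so `max_cv` needs tuning against your own baseline, and the connection log should be filtered to external destinations before running this; a regular 60-second flow to an internal update server is normal, the same cadence to an unknown VPS is not.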
The FBI does not recommend paying the ransom, since payment does not guarantee that files will be recovered or that stolen data will not be sold or published. It asks all Conti victims to share details of the attack, including boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, decryptor files and/or benign samples of encrypted files.
The FBI has issued the following mitigations to protect against Conti and other ransomware attacks:
- Regularly back up data, test the backups, and store them offline on air-gapped devices.
- Keep multiple copies of sensitive or proprietary data on physically separate servers that cannot be reached from the systems where the data resides.
- Implement network segmentation.
- Use multi-factor authentication.
- Apply patches and update networks, software and firmware promptly.
- Use strong passwords and change the passwords of network systems and accounts regularly.
- Disable hyperlinks in inbound email.
- Add an email banner to every message received from an external source.
- Regularly audit user accounts that hold administrative privileges.
- Use only secure networks and avoid public Wi-Fi.
- Require a VPN for remote access.
- Give all employees regular security awareness training.