Conti ransomware spree draws FBI attention

Hospitals and emergency service networks in the U.S. are at heightened risk from the new ransomware operation that disrupted Ireland's healthcare system in recent weeks.

A prolific new ransomware operation has prompted a security alert from the FBI.

Known as Conti, the ransomware variant is said to be behind hundreds of malware infections in recent months, with hospitals and healthcare companies particularly hard hit. The FBI said it has responded to more than a dozen recent attacks on essential safety services in the U.S.

"The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year," the FBI warned in its alert.

"These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S."

The number given by the FBI is particularly staggering, given it would only account for infections the bureau has received reports of or learned about while investigating the Conti operation. It is likely there are many other victim companies that have not reported an attack and either paid the ransom or quietly deleted and restored systems on their own.

The FBI warning comes as Conti is also making headlines in Europe, where the malware is being blamed for prolonged outages that, last week, brought the national healthcare system in Ireland to a crawl.

Our sister publication ComputerWeekly reported the Conti crew accessed multiple systems run by the nation's Health Service Executive in April and, over the course of several weeks, kicked off a massive ransomware attack that forced the HSE to postpone some nonessential medical procedures as emergency department staff across the country struggled to cope with the outage.

Bleeping Computer reported the Conti crew demanded Irish authorities pay out more than $20 million to recover their data; the government said it does not plan to pay the ransom.

Ireland's National Cyber Security Centre noted at least a small portion of the attacks were spotted and blocked by administrators before they could result in the loss of data.

How the Conti attacks happen

The FBI alert shows that rather than attempt to exploit zero-day flaws or use other exotic infection methods, Conti relies on tried-and-true methods to get its malware into networks. Well-known flaws in Windows Remote Desktop Protocol (RDP) and macros from poisoned Microsoft Word documents are believed to be the most common source of infections.

Once in place, the malware opens a PowerShell script and launches Cobalt Strike and Emotet, popular remote control and botnet tools that give the attackers remote access to the infected machine and its network. The Conti criminals have been known to spend anywhere from a few days to several weeks covertly moving around networks, staking out their targets and desired information before actually installing and running the ransomware component of the operation.

Once launched, the malware encrypts data on the network and serves administrators with a note detailing the ransom demand. Should the companies not cave and pay the desired cryptocurrency amount within two to eight days, the FBI said Conti's controllers will get in touch via either a throw-away VoIP account or by way of ProtonMail.

In some cases, the FBI noted, the cybercriminals have even been willing to negotiate with their victims for a reduced payout.

Given that Conti uses RDP and poisoned documents as its initial intrusion method, keeping systems patched and educating end users as to the dangers of social engineering and unsolicited attachments could help prevent infections. Other possible mitigations to limit damage include regular backups, disaster recovery plans and the use of two-factor authentication.

The FBI said that, once present on a network, the malware will attempt to phone home to its command and control servers over ports 80, 443, 8080, and 8443, while port 53 is used for persistence. Investigators also say the malware can be found uploading files over HTTPS to servers hosted on Mega and pCloud services.

Internally, administrators may also be able to sniff out a possible attack by looking for the sudden appearance of new accounts and the installation of Sysinternals, one of the admin tools the attackers use during the recon phase of their attacks. Other indicators of compromise include the sudden disabling of antimalware and network monitoring tools.
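As an added example (not code from the article or from the FBI alert), the following Python triage script applies the network and host indicators described above to a handful of constructed log lines. The log format, IP addresses, hostnames and byte counts are constructed, and the Windows event IDs used for the host-side indicators (4720 account created, 7045 service installed, 5001 Defender real-time protection disabled) are my assumption, not values quoted from the alert.

```python
# Triage helper for the Conti indicators above. Log format and samples are constructed.
import re

SAMPLE_LOGS = """\
fw src=10.0.5.21 dst=198.51.100.7 dport=8443 proto=tcp action=allow
fw src=10.0.5.21 dst=93.184.216.34 dport=443 proto=tcp action=allow
proxy src=10.0.5.21 host=api.mega.co.nz method=PUT bytes_out=734003200
proxy src=10.0.5.21 host=www.example.org method=GET bytes_out=512
proxy src=10.0.5.22 host=api.pcloud.com method=POST bytes_out=52428800
winevt host=WS-21 eventid=4720 msg="A user account was created" target=svc_backup2
winevt host=WS-21 eventid=7045 msg="A service was installed" service=PSEXESVC
winevt host=WS-21 eventid=5001 msg="Real-time protection is disabled"
"""

C2_PORTS = {"80", "443", "8080", "8443"}          # C2 ports named in the FBI alert
EXFIL_HOSTS = re.compile(r"(^|\.)(mega\.co\.nz|mega\.nz|pcloud\.com)$")  # Mega / pCloud
ALLOWED_DST = {"93.184.216.34"}                   # assumed known-good egress (constructed)
EXFIL_BYTES = 50 * 1024 * 1024                    # flag uploads of 50 MiB or more
# Assumed Windows event IDs: 4720 account created, 7045 service installed
# (PsExec from the Sysinternals suite installs PSEXESVC), 5001 Defender RTP off.
EVENT_RULES = {"4720": "new account", "7045": "service install",
               "5001": "antimalware disabled"}

def parse(line):
    """Split '<source> key=value ...' into (source, dict); quoted values allowed."""
    src, _, rest = line.partition(" ")
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
    return src, {k: v.strip('"') for k, v in fields}

def triage(text):
    """Return (indicator, host_or_ip) tuples for every line matching a rule."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        kind, f = parse(line)
        if kind == "fw" and f.get("dport") in C2_PORTS and f.get("dst") not in ALLOWED_DST:
            hits.append(("possible C2 egress", f["src"]))
        elif (kind == "proxy" and EXFIL_HOSTS.search(f.get("host", ""))
              and int(f.get("bytes_out", 0)) >= EXFIL_BYTES):
            hits.append(("bulk upload to file-sharing host", f["src"]))
        elif kind == "winevt" and f.get("eventid") in EVENT_RULES:
            hits.append((EVENT_RULES[f["eventid"]], f["host"]))
    return hits

def hosts_with_multiple_indicators(hits, threshold=2):
    """Hosts tripping several distinct indicators get the first look."""
    per_host = {}
    for indicator, host in hits:
        per_host.setdefault(host, set()).add(indicator)
    return sorted(h for h, s in per_host.items() if len(s) >= threshold)

if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    print(*found, sep="\n")
    print("review first:", hosts_with_multiple_indicators(found))
```

Port 80/443 egress is normal traffic, so in practice the firewall rule needs a real egress allowlist or a reputation feed behind it; the host-side events and large uploads to file-sharing services carry far more signal on their own.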
