Conti ransomware gang targeted over 400 organizations worldwide, including healthcare and first responder orgs


The same ransomware gang that hit the Irish healthcare system last week attacked over 400 organizations worldwide last year, over 290 of which were located in the US, according to a flash alert issued by the US Federal Bureau of Investigation (FBI).

The FBI said it identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.

Conti is ransomware: malware that steals victims' files, encrypts servers and workstations, and demands a ransom to recover the encrypted files.

Conti ransom demands are tailored to each victim, with recent ones being as high as $25 million, the FBI said.

Conti operators usually compromise victim networks using weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. The threat actor leverages Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network in order to deploy ransomware.

“Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery. The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data. In some cases where additional resources are needed, the actors also use Trickbot. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS,” the alert said.
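To make the detection side concrete, the following is an added example (not part of the article or the FBI alert) that flags two of the delivery behaviours the alert names, Office documents launching PowerShell and DLL-based payload staging, over constructed process-creation events; the rule names, paths, hostnames and command lines are assumptions made for the example.

```python
"""Toy detector for two Conti delivery behaviours named in the FBI alert.
All event records below are constructed for this example, not real logs."""
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Directories where a DLL dropped by a malicious document would typically land.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

@dataclass
class ProcEvent:
    host: str
    parent: str     # parent process image path
    image: str      # new process image path
    cmdline: str    # command line of the new process

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names this event matches (empty list if benign)."""
    hits = []
    parent, image, cmd = basename(ev.parent), basename(ev.image), ev.cmdline.lower()
    # Rule 1: an Office application spawning a script host (embedded script / macro).
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: rundll32/regsvr32 loading a DLL from a user-writable directory.
    if image in {"rundll32.exe", "regsvr32.exe"} and ".dll" in cmd \
            and any(d in cmd for d in USER_WRITABLE):
        hits.append("dll_from_user_writable_path")
    return hits

def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each host to the rules it triggered, for triage."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.host, []).append(rule)
    return findings

SAMPLE_EVENTS = [  # constructed sample data
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,Start"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\WINWORD.EXE", "winword.exe report.docx"),
]
```

Running `scan(SAMPLE_EVENTS)` reports both rules for ws01 and nothing for ws02, whose Word launch from Explorer is ordinary user activity.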

To prevent such attacks, the FBI recommends that organizations:

• Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.

• Implement network segmentation.

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).

• Install updates/patch operating systems, software, and firmware as soon as they are released.

• Use multifactor authentication where possible.
