FBI Says ‘Conti’ Ransomware Affected 16 U.S. Healthcare and First Responder Networks
By Jonathan Springston, Editor, Relias Media
In a flash issued late last week, the FBI announced a ransomware variant that has been causing headaches around the globe also affected some U.S. healthcare providers.
The agency identified 16 so-called “Conti” ransomware attacks in the United States that happened over the past year, affecting 290 organizations tied to emergency medical services, 911 dispatchers, law enforcement, first responders, and various municipalities.
The Conti variant operates much like similar ransomware strains — bad actors steal information, lock out everyone in the organization by encrypting servers and workstations, and demand a payment in exchange for returning access. If the ransom is not paid, the Conti actors threaten to release sensitive data publicly. The FBI estimates the Conti ransom demands could go as high as $25 million.
“The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the agency wrote in its flash. “However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. The agency recommends reporting suspected ransomware attacks to a local field office for additional guidance.
The agency listed 14 security recommendations to help healthcare organizations prevent and manage attacks. These include the typical (e.g., use multifactor authentication, strong passwords that change regularly) to more far-reaching (e.g., disable unused remote access/RDP ports and monitor remote access/RDP logs, implement network segmentation). Segmentation includes saving multiple copies of sensitive information on physical servers located in a different, secure location.
“Conti actors use remote access tools, which most often beacon to domestic and international virtual private server infrastructure over ports 80, 443, 8080, and 8443. Additionally, actors may use port 53 for persistence. Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers,” the FBI explained. “Other indicators of Conti activity include the appearance of new accounts and tools — particularly Sysinternals, which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system beacons, and disabled endpoint detection.”
For more about this and related subjects, be sure to check out issues of Healthcare Risk Management and its quarterly supplement, HIPAA Regulatory Alert.