[BreachExchange] FBI Warns Healthcare Sector of Conti Ransomware Attacks

[Audrey McNeil]

https://www.databreachtoday.com/fbi-warns-healthcare-sector-conti-ransomware-attacks-a-16728

The FBI is warning healthcare organizations and first responder networks
about Conti ransomware attacks, advising them to take measures to help
prevent becoming a victim.

The bureau's flash alert comes on the heels of a recent Conti attack on
Ireland's Health Service Executive, the nation's state-run health services
provider, as well as the May 1 malware attack on San Diego-based Scripps
Health. The California organization has not confirmed reports that its
incident involved Conti ransomware (see: The Rising Threats to EHR Data
Integrity).

Scripps Health did not immediately respond to Information Security Media
Group's request for comment and an update on its recovery efforts.

In February, the Conti ransomware gang also reportedly leaked sensitive
patient data, as well as employee records, on a darknet site following
attacks on Miami-based Leon Medical Centers and Nocona (Texas) General
Hospital (see: Patient Files Dumped on Darknet Site After Hacking
Incidents).

FBI: 16 Attacks

The FBI says it has identified at least 16 Conti ransomware attacks
targeting U.S. healthcare and first responder networks - including law
enforcement agencies, emergency medical services, 911 dispatch centers and
municipalities - within the last year.

"These healthcare and first-responder networks are among the more than 400
organizations worldwide victimized by Conti, over 290 of which are located
in the U.S.," the FBI notes. "Like most ransomware variants, Conti
typically steals victims’ files and encrypts the servers and workstations
in an effort to force a ransom payment from the victim."

Targeting healthcare networks can delay access to vital information,
potentially affecting care and treatment of patients by leading to
cancellation of procedures, rerouting of patients to unaffected facilities
and compromise of protected health information, the alert notes.

Coordinated Campaign

The American Hospital Association on Friday called upon the federal
government "to embark upon a coordinated campaign that will use all
diplomatic, financial, law enforcement, intelligence and military cyber
capabilities to disrupt these criminal organizations and seize their
illegal proceeds, as was done so effectively during the global fight
against terrorism."

The AHA says that while it commends the government’s efforts to share
timely and actionable cyberthreat intelligence, "relying on victimized
organizations to individually defend themselves against these attacks is
not the solution to this national strategic threat."

The vast majority of these attacks originate from outside the U.S., the AHA
says, "often beyond the reach of U.S. law enforcement, where ransomware
gangs are provided safe harbor and allowed to operate with impunity,
sometimes with the active assistance of adversarial nations."

The U.S. government recently worked with other nations to take down two of
the largest ransomware groups: Netwalker and Egregor, says Bryan Oliver,
senior analyst at security firm Flashpoint. "However, the government is
also aware that when lives are at stake, all options should be on the table
to protect the welfare of hospital patients."

Ransom Demands

Conti ransom letters instruct victims to contact the attackers through an
online portal to pay a ransom, the FBI notes. "If the ransom is not paid,
the stolen data is sold or published to a public site controlled by the
Conti actors. Ransom amounts vary widely and we assess are tailored to the
victim. Recent ransom demands have been as high as $25 million."

The FBI reiterated in its alert that it recommends organizations do not pay
ransoms because payment does not guarantee files will be recovered and also
emboldens cybercriminals to wage further attacks.

"However, the FBI understands that when victims are faced with an inability
to function, all options are evaluated to protect shareholders, employees
and customers," the bureau states. "Regardless of whether you or your
organization have decided to pay the ransom, the FBI urges you to promptly
report ransomware incidents to your local field office or the FBI’s 24/7
Cyber Watch."

"More than anything, organizations need to do two things - reduce their
risk of becoming a victim of a ransomware attack by implementing additional
security controls within their environment and prepare … for when an
incident such as a ransomware attack occurs to decrease the impact and
likelihood that payment will need to be made," says Riley Stauffer, a
security analyst at consultancy Pondurance.

The FBI is encouraging organizations to share information about Conti
attacks, including boundary logs "showing communication to and from foreign
IP addresses, bitcoin wallet information, the decryptor file, and/or a
benign sample of an encrypted file."

Conti Gang's Methods

Attackers using Conti ransomware gain unauthorized access to victim
networks through weaponized malicious email links, attachments, or stolen
Remote Desktop Protocol credentials, the alert notes.

"Conti weaponizes Word documents with embedded Powershell scripts,
initially staging Cobalt Strike via the Word documents and then dropping
Emotet onto the network, giving the actor access to deploy ransomware," the
FBI says. "Actors are observed inside the victim network between four days
and three weeks on average before deploying Conti ransomware, primarily
using dynamic-link libraries for delivery."

The attackers first use tools already available on the network, and then
add tools as needed, such as Windows Sysinternals and Mimikatz, to escalate
privileges and move laterally through the network before exfiltrating and
encrypting data, the FBI says.

"In some cases where additional resources are needed, the actors also use
Trickbot," the alert says. "Once Conti actors deploy the ransomware, they
may stay in the network and beacon out using Anchor DNS."

If the victim does not respond to the ransom demands two to eight days
after the ransomware deployment, the attackers often call the victim using
single-use Voice Over Internet Protocol numbers, the FBI says. The
attackers "may also communicate with the victim using ProtonMail, and in
some instances victims have negotiated a reduced ransom," the alert notes.

Decryptor Provided

After the attack on Irish Health Services Executive, Conti attackers last
week gave the organization a decryptor, which government officials are
testing to see if it's safe to put to use. Meanwhile, the gang is
reportedly threatening to release 700GB of stolen patient data unless HSE
pays a $20 million ransom.

The Irish Medical Times reports that some patients whose data was affected
by the Ireland attack report receiving phishing phone calls, supposedly
from a hospital, asking for bank details in order to "refund" money.

Indicators to Watch

The FBI notes that the Conti gang uses remote access tools, "which most
often beacon to domestic and international virtual private server
infrastructure over ports 80, 443, 8080, and 8443." Additionally, the
attackers may use port 53 "for persistence," the alert says.

"Large HTTPS transfers go to cloud-based data storage providers MegaNZ and
pCloud servers," the alert says.

Additional indicators of Conti activity include "the appearance of new
accounts and tools - particularly Sysinternals - which were not installed
by the organization, as well as disabled endpoint detection and constant
HTTP and domain name system beacons, and disabled endpoint detection," the
FBI says.

Hiding in Plain Sight

The Conti gang "has become so comfortable in what they are doing it appears
that they are 'hiding in plain sight' without fear of consequences or law
enforcement pressure," says retired supervisory FBI agent Jason G. Weiss,
who's now an attorney at law firm Faegre Drinker Biddle & Reath LLP.

"They have learned to hit us in what they perceive as a weak spot that
forces the [victims] to pay the ransom out of risk to the health and
welfare" of affected individuals, he says. "From a defensive standpoint, it
feels like the healthcare industry has fallen into the trap that the FBI
always warned us about when doing our defensive tactics training: 'Don’t
bring a knife to a gun fight.'"

Oliver of Flashpoint notes: "Historically, there has been a lack of
agreement among ransomware groups as to whether to attack the healthcare
sector." Of all currently active ransomware groups with leak sites, Conti
appears to claim the greatest number of healthcare victims, he adds.

Weiss predicts the healthcare sector and other elements of the nation's
critical infrastructure will see a rise in other nefarious cyberattacks,
including devastating “disruptionware attacks."

"Money is not the only incentive for these types of attacks. There are
incentives that include destroying possible competition and attacking
supply lines. And in certain situation, ransomware gangs or nation-states
may attempt to weaken or destroy American industries," he says.

"Time will tell whether these attacks increase in size and scope. It is my
belief that they will, because until we show we can stop it, it just won't
stop."

Mitigation Measures

The FBI alert lists a number of recommended mitigations for preventing and
recovering from ransomware incidents. Those include regularly backing up
data, air gapping and password protecting backup copies offline.

Also, organizations should ensure copies of critical data are not
accessible for modification or deletion from the system where the data
resides.

Other measures include implementing network segmentation as well as a
recovery plan to maintain and retain multiple copies of sensitive or
proprietary data and servers in a physically separate, segmented, secure
location.

Entities should also install updates and patch operating systems, software
and firmware as soon as they are released and use multifactor
authentication where possible, the FBI stresses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210524/094c1df6/attachment.html>