On May 20, the Federal Bureau of Investigations (FBI) issued a flash warning that the Conti ransomware gang is a serious and persistent threat to medical and emergency services with the potential to disrupt care and treatment.
What is The Notice About?
ZDNet and SecurityAffairs reported that the FBI issued a public flash warning on May 20 that they have linked 16 ransomware attacks on first responder networks and medical services to the Conti ransomware gang. The FBI also warned that this single threat targeted 400 organizations, and 290 reside in the U.S.
The notice reads;
“The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.” “These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.”
ZDNet explains that some of the victims include “911 dispatch carriers, law enforcement agencies, and emergency medical services — all of which have been attacked over the past year as medical services struggled to manage the COVID-19 pandemic.”
In its notice, the FBI warns about the severe impact of further attacks:
“Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed.” continues the FBI’s alert. “Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges. Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.”
Who is Conti?
Security Affairs described Conti as Ransomware-as-a-Service (RaaS) and noted that they set up shop in December 2019. They typically rely on TrickBot infections to distribute its malware. Threat experts believe that the perpetrators are Russia-based and known as a hacker group called Wizard Spider.
Back in August 2020, the group started using the well-known double-extortion technique, where they first encrypt and lock the data. Then they leak some exfiltrated details on their dark web leak site and threaten to release the rest if a second payment is not made on time. These types of groups always demand a ransom in the form of Bitcoin or other cryptocurrencies.
Security Affairs lists a few other recent victims of Conti “The list of victims of the group includes IoT chip maker Advantech, and Broward County Public Schools (BCPS), and Ireland’s Health Service Executive.”
The FBI warns that Conti may gain access to these networks by using stolen credentials, RDP, or phishing emails. They may also use Cobalt Strike, Mimikatz, Emotet, and Trickbot as part of their attacks.
“If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers. The actors may also communicate with the victim using ProtonMail, and in some instances, victims have negotiated a reduced ransom.”
Should Companies Pay?
The FBI suggests never to pay a ransom. Often decryption keys do not work, and the company is left without its data and out the ransom. Plus, the FBI feels that paying only encourages further ransomware activity.
Instead, the FBI suggests working closely with local law enforcement and federal agencies to investigate the issue and find those responsible. Sharing information like access logs, IP addresses, encrypted file samples, decryption keys, and cryptocurrency wallet details may help in the process.