The Federal Bureau of Investigation (FBI) has linked the Conti ransomware group to at least 16 attacks aimed at disrupting healthcare and first responder networks in the United States.
The targets identified include 911 dispatch carriers, law enforcement agencies, and emergency medical services — all of which have been attacked over the past year as medical services struggled to manage the COVID-19 pandemic.
According to the FBI’s flash advisory (.PDF), Conti has been connected to at least 400 cyberattacks against organizations worldwide, and 290, at minimum, are based in the US.
In what has become a popular tactic for ransomware operators to increase the chances of a payout, attackers will infiltrate a victim’s network, steal confidential files, and then launch ransomware. If blackmail demands — usually made in cryptocurrency such as Bitcoin (BTC) — are not met, organizations then face the prospect of their data being published or sold via a leak site.
The Conti ransomware group is one of dozens of double-extortion criminal collectives that operate leak sites, having joined the likes of Sodinokibi, Nefilim, and Maze last year.
Conti may use stolen credentials, RDP, or phishing campaigns to obtain initial access to a network. According to the FBI, the group may also use Cobalt Strike, Mimikatz, Emotet, and Trickbot alongside Conti ransomware during attacks.
“If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers,” the advisory reads. “The actors may also communicate with the victim using ProtonMail, and in some instances, victims have negotiated a reduced ransom.”
The FBI does not encourage victim organizations to pay up, as decryption keys are not guaranteed to work and each successful extortion attempt only encourages ransomware-related criminal activity.
However, whether or not a victim has paid, the FBI urges transparency to law enforcement agencies when ransomware incidents occur. When it comes to Conti specifically, the FBI has requested boundary logs showing links to IP addresses, cryptocurrency wallet information, any decryptor files available, as well as encrypted file samples,
Recently, the finger has been pointed at Conti for a debilitating ransomware attack on Ireland’s Health Service Executive (HSE) on May 14. Officials say that a ransomware demand of $20 million will not be paid, and while Conti has released an — unverified — decryption tool to the service, the group has still threatened to sell or leak HSE records allegedly stolen during the attack.
Dublin’s High Court has issued an injunction against Conti, under “persons unknown,” in an effort to stop the spread of stolen information.
At the time of writing, staff are still unable to access email, there are delays with issuing birth, death, and marriage certificates. The COVID-19 vaccination program is rolling out as normal but there may also be delays in receiving test results.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0