The FBI reported that the Conti group that recently hit the Irish health system was responsible for at least 16 ransomware attacks during the past year that targeted U.S. health care and first responder networks, including law enforcement agencies, emergency medical services, 911 dispatch centers, and municipalities.
According to the FBI, these health care and first responder networks are among the more than 400 organizations worldwide victimized by Conti – and over 290 are located in the U.S.
Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom does not get paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and the FBI assesses are tailored to the victim. Recent ransom demands have been as high as $25 million.
Ransomware groups like Conti actors will keep popping up and gain sophistication with every organization that pays, said Joseph Neumann, cyber executive advisor at Coalfire. Neumann said hitting first responders and hospitals are good targets because of the pressing need to get back into service after an attack.
“Even if these organizations have a solid plan to get back to normal, it might be slower than paying the ransomware,” Neumann said. “As seen from the Colonial pipeline incident that’s still affecting gas prices and demand, restoration of service is slow even when the ransom gets paid. Additionally, the huge reported payout will only give these attackers more equity to continue improving their infrastructure and attract new and better talent.”
Oliver Tavakoli, CTO at Vectra, said while each of the active ransomware groups has its own particular collection of tools, many of those tools are well-known and pedestrian. Tavakoli said the FBI report mentions Mimikatz, a tool created in 2007. And elements of Cobalt Strike were also used in the SolarWinds supply chain hack.
“Stolen RDP credentials are leveraged by multiple ransomware groups, and encrypting data to cause operational mayhem and extorting ransoms via hard-to-trace cryptocurrencies is the relatively recent phenomenon,” Tavakoli said. “While there can be concerted governmental efforts to temporarily disrupt certain ransomware groups, businesses have to get much better at recognizing a spike of dangerous signals in their environments and stop the attacks before exfiltration and encryption begins.”
