FBI Warns of Conti Ransomware Attacks on U.S. Healthcare Networks

The Federal Bureau of Investigation (FBI) has identified at least 16 Conti ransomware attacks on U.S. healthcare and first responder networks. The victims include government entities such as law enforcement agencies, first responders, and the 911 system. The attacks took place over the past year, while medical services were stretched by the COVID-19 pandemic.

According to a bulletin released by the FBI, the widely known Conti ransomware has hit the U.S. health care system and the American medical sector more broadly. The attacks have delayed or completely disrupted healthcare delivery, putting patients at risk and disrupting local communities that depend on their hospitals being available.

Ransomware Threat To Law Enforcement and Health Systems

Conti is only one of more than a dozen ransomware gangs targeting health systems, public and private companies, and critical infrastructure organizations. The attacks are attributed to a persistent Russia-based threat group known as Wizard Spider, which operates Conti under the ransomware-as-a-service (RaaS) model. Conti also shares code with the Ryuk ransomware. Other families behind numerous successful ransomware intrusions include Maze, Nefilim, and Sodinokibi.

In mid-May, the Conti gang was behind the ransomware attack on the Irish health sector. The attackers demanded a ransom of US$20 million and threatened to publish 700 GB of stolen data if the Irish health sector did not pay. Whether the ransom was paid is not known. The FBI also reported that the same actors have targeted more than 400 organizations worldwide.


Our Incident Response Team can contain a ransomware incident and strengthen your organization's security posture quickly while the incident is still unfolding. The team provides a fast and effective response that helps minimize the damage and cost of ransomware and cyber extortion attacks. For most organizations, being compromised is no longer a question of if, but when.


How a Conti Ransomware Attack Plays Out

A typical Conti attack begins when the actors gain access to the network through malicious email links or attachments, or with stolen remote desktop (RDP) credentials. They weaponize Word documents with embedded PowerShell scripts: the document first stages Cobalt Strike, which then drops Emotet onto the network, giving the actors the foothold they need to roll out the ransomware.

The gang primarily uses dynamic-link libraries (DLLs) to deliver the ransomware. The actors first rely on tools already available on the network, then bring in their own, such as Windows Sysinternals utilities and Mimikatz, to escalate privileges. Where additional resources are needed, they sometimes use Trickbot as well. After deploying the ransomware they may remain in the network and beacon out using Anchor DNS. Conti's tooling communicates over ports 80, 443, 8080, and 8443. The actors also push large volumes of stolen data to cloud storage services, which lets them exfiltrate while avoiding endpoint detection.
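The tradecraft above maps onto a handful of simple host and network detections, which is also what the "continual monitoring" recommended later on this page looks like in practice. The Python script below is an added example, not code from the FBI bulletin or the original article. It runs four checks over constructed, simplified process-creation events and network-flow records: an Office application spawning a script host (the Word-to-PowerShell staging), rundll32 or regsvr32 loading a DLL from a user-writable directory (an assumption about how the DLL-based delivery is executed), a process touching LSASS the way Mimikatz-style tools do, and an unusually large outbound total to a single external host over the ports listed above. The event schema, hostnames, paths, IP addresses and the 500 MiB threshold are all constructed for the demo.

```python
"""Editor-added detection example for the Conti tradecraft described above.
Not from the FBI flash or the original article; the event schema, paths, hosts,
addresses and thresholds are constructed for the demo."""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}   # assumption: how a delivered DLL gets executed
WEB_PORTS = {80, 443, 8080, 8443}                # ports the flash says Conti tooling talks over
EXFIL_BYTES = 500 * 2**20                        # constructed threshold per (src, dst, port)
INTERNAL = ("10.", "192.168.")                   # constructed notion of "internal" addresses

# Paths a low-privileged user can write to; a DLL launched from here is worth a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)
# Command lines that name LSASS, or Mimikatz / its sekurlsa module (credential theft).
LSASS_ACCESS = re.compile(r"\blsass(\.exe)?\b|sekurlsa|mimikatz", re.I)


def check_process(parent, image, cmdline):
    """Return (rule, detail) hits for one process-creation event."""
    hits = []
    p, c = parent.lower(), image.lower()
    if p in OFFICE_APPS and c in SCRIPT_HOSTS:
        hits.append(("office_spawns_script_host", f"{parent} -> {image}: {cmdline}"))
    if c in DLL_LOADERS and USER_WRITABLE.search(cmdline):
        hits.append(("dll_loaded_from_user_writable_path", cmdline))
    if c != "lsass.exe" and LSASS_ACCESS.search(cmdline):
        hits.append(("lsass_credential_access", f"{image}: {cmdline}"))
    return hits


def check_flows(flows):
    """Sum outbound bytes per (src, dst, port) on the web ports; flag bulk transfers to external hosts."""
    totals = defaultdict(int)
    for src, dst, port, bytes_out in flows:
        if port in WEB_PORTS and not dst.startswith(INTERNAL):
            totals[(src, dst, port)] += bytes_out
    return [("bulk_outbound_transfer", f"{src} -> {dst}:{port} sent {b // 2**20} MiB")
            for (src, dst, port), b in totals.items() if b >= EXFIL_BYTES]


def analyze(proc_events, flows):
    """Run every check and return the combined list of (rule, detail) findings."""
    findings = []
    for parent, image, cmdline in proc_events:
        findings.extend(check_process(parent, image, cmdline))
    findings.extend(check_flows(flows))
    return findings


# Constructed sample events: (parent image, image, command line)
PROC_EVENTS = [
    ("explorer.exe", "winword.exe", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.docm'),
    ("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("explorer.exe", "rundll32.exe", r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\upd.dll,Start"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("cmd.exe", "procdump64.exe", r"procdump64.exe -ma lsass.exe C:\tmp\lsass.dmp"),
]
# Constructed sample flows: (src, dst, dst_port, bytes_out); 203.0.113.0/24 is documentation space
NET_FLOWS = [
    ("10.0.5.21", "10.0.0.10", 443, 4 * 2**20),        # internal destination, ignored
    ("10.0.5.21", "203.0.113.10", 443, 250 * 2**20),
    ("10.0.5.21", "203.0.113.10", 443, 250 * 2**20),
    ("10.0.5.21", "203.0.113.10", 443, 250 * 2**20),   # 750 MiB total to one host -> flagged
    ("10.0.5.22", "203.0.113.44", 8443, 3 * 2**20),    # small, below threshold
]

if __name__ == "__main__":
    for rule, detail in analyze(PROC_EVENTS, NET_FLOWS):
        print(f"[{rule}] {detail}")
```

Each rule is deliberately narrow and cheap, so it can run over a full day of endpoint and flow telemetry; the byte threshold and the "internal" address test should be tuned to the environment, and the Anchor DNS beaconing mentioned above would need a separate check over DNS query logs, which this example does not include.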

FBI Discourages Anyone From Paying The Ransom

According to the FBI, if the victim does not respond to the ransom demand within two to eight days of the ransomware's deployment, Conti actors will often call the victim using single-use Voice over Internet Protocol (VoIP) numbers. The criminals may also contact the victim through ProtonMail, and in some cases victims have negotiated a lower ransom.

The FBI nonetheless advises against paying any ransom. Payment does not guarantee recovery of the files: decryption keys are not guaranteed to work, and every successful extortion adds to the level of ransomware-related crime. It emboldens the adversaries to target more organizations, encourages other criminals to distribute ransomware, and funds further unlawful activity.

Countermeasures For A Ransomware Attack

Targeted institutions are strongly advised to back up their data regularly and keep copies offline, so that they can recover quickly from an incident without losing critical data. Network segmentation, timely installation of security patches and upgrades, multifactor authentication, and strong passwords are all effective defenses. Disabling unused VPN and other remote-access protocols also removes an entry point the attackers rely on.

Regular security awareness training for employees is also prudent, and system and application hardening should be part of routine IT operations. Continuous monitoring for evidence of intrusion or suspicious insider activity is another way to catch an infiltration such as a Conti attack early. Finally, ongoing testing that exposes weaknesses across the organization's defenses is critical.




References

1. American Hospital Association, FBI TLP:WHITE Flash report on Conti ransomware attacks impacting healthcare (May 20, 2021): https://www.aha.org/fbi-tlp-alert/2021-05-20-fbi-tlp-white-flash-report-conti-ransomware-attacks-impact-healthcare-and
2. American Hospital Association, advisory on the FBI Conti ransomware alert (May 21, 2021): https://www.aha.org/advisory/2021-05-21-fbi-issues-conti-ransomware-alert-high-impact-global-attacks-persist-against