FBI: Ransomware Attacks Threaten First Responder Networks

PRESS RELEASE

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors.

The FBI has identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities, within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.

Like most ransomware variants, Conti typically steals victims' files and encrypts servers and workstations in an effort to force a ransom payment from the victim. The ransom note instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and, we assess, are tailored to the victim. Recent ransom demands have been as high as $25 million.

Cyber attacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders, and could endanger the public, who rely on calls for service not being delayed. Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges. Targeting healthcare networks can delay access to vital information, potentially affecting the care and treatment of patients, including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information.

Technical Details

Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware.

Actors are observed inside the victim network for between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery. The actors first use tools already available on the network and then add tools as needed, such as Windows Sysinternals [1] and Mimikatz [2], to escalate privileges and move laterally through the network before exfiltrating and encrypting data. In some cases where additional resources are needed, the actors also use TrickBot [3]. Once Conti actors deploy the ransomware, they may remain in the network and beacon out using Anchor DNS.

If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice over Internet Protocol (VoIP) numbers. The actors may also communicate with the victim using ProtonMail, and in some instances victims have negotiated a reduced ransom.

Indicators

Conti actors use remote access tools, which most often beacon to domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080, and 8443. Additionally, actors may use port 53 for persistence. Large HTTPS transfers go to the cloud-based data storage providers MegaNZ and pCloud. Other indicators of Conti activity include the appearance of new accounts and tools, particularly Sysinternals utilities, that were not installed by the organization, as well as disabled endpoint detection and constant HTTP and Domain Name System (DNS) beacons.
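The network indicators above can be hunted for in proxy or firewall logs. The following Python script is an added example and is not part of the FBI advisory: it flags near-periodic connections from one host to one destination on the ports the advisory names (80, 443, 8080, 8443 and 53) and sums outbound bytes to MegaNZ and pCloud hostnames. The log format, the sample lines, the storage hostnames and the thresholds (six connections, 25% jitter, 500 MiB) are assumptions made for this example.

```python
"""Hunting for the Conti network indicators named above over constructed log lines.

Each line: ISO-8601 timestamp, src_ip, dst_ip, dst_port, bytes_out, server_name
(TLS SNI or HTTP Host header, '-' if unknown). The log format, sample values
and every threshold below are assumptions made for this example; the ports
and storage providers come from the advisory.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BEACON_PORTS = {80, 443, 8080, 8443, 53}          # ports the advisory says beacons use
STORAGE_DOMAINS = ("mega.nz", "mega.co.nz", "pcloud.com")  # MegaNZ and pCloud (assumed hostnames)
MIN_BEACONS = 6        # assumed: fewer connections than this is too little to judge periodicity
MAX_JITTER = 0.25      # assumed: stdev/mean of inter-connection gaps below this looks scheduled
BULK_BYTES = 500 * 1024 * 1024  # assumed: >= 500 MiB outbound to one storage host is "large"

# Constructed sample log (not real traffic, TEST-NET addresses). Host 10.0.5.23
# beacons to a VPS every ~60 s over 443, checks in on port 53 every 5 min and
# pushes ~600 MiB to a MEGA hostname; host 10.0.7.10 is ordinary browsing.
SAMPLE_LOG = """
2021-05-10T09:00:00,10.0.5.23,198.51.100.7,443,1320,-
2021-05-10T09:01:02,10.0.5.23,198.51.100.7,443,1288,-
2021-05-10T09:02:00,10.0.5.23,198.51.100.7,443,1304,-
2021-05-10T09:03:01,10.0.5.23,198.51.100.7,443,1296,-
2021-05-10T09:04:00,10.0.5.23,198.51.100.7,443,1312,-
2021-05-10T09:04:59,10.0.5.23,198.51.100.7,443,1300,-
2021-05-10T09:06:01,10.0.5.23,198.51.100.7,443,1292,-
2021-05-10T09:07:00,10.0.5.23,198.51.100.7,443,1316,-
2021-05-10T09:00:00,10.0.5.23,203.0.113.53,53,96,-
2021-05-10T09:05:00,10.0.5.23,203.0.113.53,53,96,-
2021-05-10T09:10:00,10.0.5.23,203.0.113.53,53,96,-
2021-05-10T09:15:00,10.0.5.23,203.0.113.53,53,96,-
2021-05-10T09:20:00,10.0.5.23,203.0.113.53,53,96,-
2021-05-10T09:25:00,10.0.5.23,203.0.113.53,53,96,-
2021-05-10T09:12:30,10.0.5.23,192.0.2.20,443,209715200,g.api.mega.co.nz
2021-05-10T09:21:10,10.0.5.23,192.0.2.20,443,209715200,g.api.mega.co.nz
2021-05-10T09:30:45,10.0.5.23,192.0.2.20,443,209715200,g.api.mega.co.nz
2021-05-10T09:00:00,10.0.7.10,192.0.2.80,443,4096,www.example.com
2021-05-10T09:00:10,10.0.7.10,192.0.2.80,443,20480,www.example.com
2021-05-10T09:03:00,10.0.7.10,192.0.2.80,443,8192,www.example.com
"""


def parse(text):
    """Parse the CSV-style lines into event dicts, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes, sni = (f.strip() for f in line.split(","))
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "bytes_out": int(nbytes), "sni": sni.lower()})
    return events


def _is_storage_host(host):
    """True when host is one of the storage domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in STORAGE_DOMAINS)


def find_beacons(events):
    """Flag (src, dst, port) flows on the advisory's ports whose connection gaps are near-constant."""
    by_flow = defaultdict(list)
    for e in events:
        if e["port"] in BEACON_PORTS:
            by_flow[(e["src"], e["dst"], e["port"])].append(e["ts"])
    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < MAX_JITTER:
            findings.append({"flow": flow, "count": len(stamps), "period_s": round(avg, 1)})
    return findings


def find_bulk_storage_egress(events):
    """Sum outbound bytes per (src, storage host) and flag totals at or above BULK_BYTES."""
    totals = defaultdict(int)
    for e in events:
        if _is_storage_host(e["sni"]):
            totals[(e["src"], e["sni"])] += e["bytes_out"]
    return [{"src": s, "host": h, "bytes_out": b}
            for (s, h), b in sorted(totals.items()) if b >= BULK_BYTES]


def hunt(text):
    """Run both checks over a log export and return the findings."""
    events = parse(text)
    return {"beacons": find_beacons(events),
            "bulk_egress": find_bulk_storage_egress(events)}


if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Periodicity is only a heuristic: legitimate update checks and monitoring agents also run on a timer, so a hit is a lead for triage, not a verdict, and the jitter and byte thresholds should be tuned against a baseline of the organization's own traffic before the script is used for alerting.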

Information Requested

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

The FBI does not encourage paying ransoms. Payment does not guarantee that files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local field office or the FBI's 24/7 Cyber Watch (CyWatch). Doing so provides the FBI with the critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law.

Recommended Mitigations

  • Regularly back up data; air gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates and patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages received from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (e.g., ransomware and phishing scams).
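Two of the mitigations above (monitoring RDP logs and auditing accounts with administrative privileges) and the "new accounts" indicator in the previous section can be checked against an export of the Windows Security log. The following Python script is an added example, not the FBI's or Microsoft's code: it reads one JSON record per line, counts RDP logon failures per source address, notes when an RDP logon from the same address succeeds after the failure threshold is crossed, and lists account creations and additions to privileged groups. Event IDs 4624/4625 (logon success/failure), logon type 10 (RemoteInteractive, which covers RDP), 4720 (account created) and 4728/4732 (member added to a global/local security group) are standard Windows Security events; the JSON layout, the sample records, the privileged-group names and the failure threshold are assumptions made for this example, and the sample assumes the export has already resolved the added member's SID to a name.

```python
"""Reviewing a Windows Security log export for the RDP and account indicators above.

Input is one JSON object per line, in the shape of a SIEM export:
{"EventID": 4625, "TimeCreated": "...", "Data": {...}}. The event IDs and
LogonType 10 are standard Windows Security log values; the JSON layout,
sample records, group list and threshold are assumptions for this example.
"""
import json
from collections import defaultdict

RDP_LOGON_TYPE = "10"         # RemoteInteractive: RDP / Terminal Services
FAILURE_THRESHOLD = 5         # assumed: this many RDP failures from one IP is a spray or brute force
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}  # assumed list

# Constructed sample (not real events, TEST-NET address). 198.51.100.23 tries seven
# RDP logons, gets in as svc_backup, creates helpdesk2 and adds it to Administrators.
# 10.0.1.5 is a normal user with one mistyped password.
SAMPLE_EVENTS = """
{"EventID": 4624, "TimeCreated": "2021-05-10T08:55:00", "Data": {"TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.0.1.5"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:01", "Data": {"TargetUserName": "administrator", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:06", "Data": {"TargetUserName": "admin", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:11", "Data": {"TargetUserName": "backup", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:16", "Data": {"TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:21", "Data": {"TargetUserName": "itadmin", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:26", "Data": {"TargetUserName": "helpdesk", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:00:31", "Data": {"TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "198.51.100.23", "Status": "0xc000006d"}}
{"EventID": 4624, "TimeCreated": "2021-05-10T09:00:40", "Data": {"TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "198.51.100.23"}}
{"EventID": 4625, "TimeCreated": "2021-05-10T09:01:00", "Data": {"TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.0.1.5", "Status": "0xc000006a"}}
{"EventID": 4720, "TimeCreated": "2021-05-10T09:05:12", "Data": {"TargetUserName": "helpdesk2", "SubjectUserName": "svc_backup"}}
{"EventID": 4732, "TimeCreated": "2021-05-10T09:05:30", "Data": {"TargetUserName": "Administrators", "MemberName": "helpdesk2", "SubjectUserName": "svc_backup"}}
"""


def load_events(text):
    """Parse the JSON lines and order them by time (ISO-8601 strings sort lexically)."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def rdp_brute_force(events):
    """Per source IP: count RDP logon failures and note RDP successes after the threshold is hit."""
    failures = defaultdict(list)        # ip -> account names tried
    success_after = defaultdict(list)   # ip -> accounts that logged in once failures >= threshold
    for e in events:
        d = e["Data"]
        if d.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = d.get("IpAddress", "-")
        if e["EventID"] == 4625:
            failures[ip].append(d.get("TargetUserName", "?"))
        elif e["EventID"] == 4624 and len(failures[ip]) >= FAILURE_THRESHOLD:
            success_after[ip].append(d.get("TargetUserName", "?"))
    return [{"ip": ip, "failures": len(names), "accounts_tried": sorted(set(names)),
             "followed_by_success": success_after[ip]}
            for ip, names in failures.items() if len(names) >= FAILURE_THRESHOLD]


def new_accounts(events):
    """Every 4720 (user account created) with who created it."""
    return [{"account": e["Data"]["TargetUserName"],
             "created_by": e["Data"].get("SubjectUserName", "?"),
             "time": e["TimeCreated"]}
            for e in events if e["EventID"] == 4720]


def admin_group_additions(events):
    """4728 (global group) and 4732 (local group) additions whose target group is privileged."""
    return [{"member": e["Data"].get("MemberName", "?"),
             "group": e["Data"]["TargetUserName"],
             "by": e["Data"].get("SubjectUserName", "?"),
             "time": e["TimeCreated"]}
            for e in events
            if e["EventID"] in (4728, 4732) and e["Data"].get("TargetUserName") in ADMIN_GROUPS]


def review(text):
    """Run all three checks over an export and return the findings."""
    ev = load_events(text)
    return {"rdp_brute_force": rdp_brute_force(ev),
            "new_accounts": new_accounts(ev),
            "admin_group_additions": admin_group_additions(ev)}


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_EVENTS).items():
        for hit in hits:
            print(kind, hit)
```

The chain the sample produces (many failures, then a success from the same address, then an account creation and a privileged-group addition by the account that just logged in) is exactly the sequence the advisory's "new accounts ... not installed by the organization" indicator describes, and it is only visible when the RDP logs are actually collected and kept; with RDP exposed and no logging, the first sign is usually the ransom note.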

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. CyWatch can be contacted by phone at (855) 292-3937 or by email at [email protected]. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

References

1. Windows Sysinternals offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

2. Mimikatz is an open-source utility that allows users to view and save authentication credentials.

3. TrickBot is an advanced Trojan that malicious actors spread primarily through spearphishing campaigns using tailored emails that contain malicious attachments or links, which, if enabled, execute malware. The attackers can also use TrickBot to drop other malware, including Conti ransomware.
