FBI warns of Conti ransomware attacks against healthcare organizations

The attacks have targeted US healthcare and first responder networks with ransom demands as high as $25 million, says the FBI.


Healthcare and first responder networks need to be on guard for a continuing string of ransomware attacks uncovered by the FBI. In an alert published last Thursday, the agency said it identified at least 16 Conti ransomware attacks against law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities within the past year.


At a basic level, Conti works like other ransomware strains. The attackers gain access to an organization's network, encrypt sensitive files and then demand payment from the victim. The ransom note tells victims to pay the money through an online portal.

If the ransom demands aren't met, the attackers then either sell the data or publish the files to their own public website. Though ransom amounts vary based on the targeted organization, some demands have gone as high as $25 million.

More specifically, Conti attacks typically gain network access through malicious email links and attachments or stolen Remote Desktop Protocol (RDP) credentials. The malicious file attachments usually come as Word documents with embedded PowerShell scripts that install the Emotet malware onto the network, opening the door for the ransomware.

To break into a network, the attackers use remote access tools that beacon to domestic and international virtual private servers (VPS) using ports 80, 443, 8080 and 8443. They may also use port 53 for persistent connections.

To move around the network, the attackers use any available built-in commands and then add third-party tools such as Microsoft's Sysinternals and Mimikatz. Some criminals have been observed inside a network for anywhere between four days and three weeks before deploying the actual ransomware to exfiltrate and encrypt the targeted files.

After the ransomware has been deployed, the attackers may remain in the network and beacon out using AnchorDNS. If the victim doesn't respond to the ransom note within two to eight days, the criminals may call the organization using single-use Voice over Internet Protocol (VoIP) numbers or email them using ProtonMail.
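The beaconing described in the two paragraphs above (remote access tools calling out to external servers on ports 80, 443, 8080, 8443 and 53) leaves a timing signature a defender can look for: connections from one host to one destination at near-constant intervals. The detector below is an added example, not code from the FBI alert; the connection records are constructed sample data, and the thresholds (`min_count`, `max_cv`) are assumed starting points to tune against your own traffic.

```python
"""Flag periodic outbound connections ("beaconing") in connection records.

Constructed example records (not real telemetry): one host talks to an
external address on TCP 443 every ~60 s with little jitter, while normal
browsing to another address is bursty and irregular.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports the FBI alert lists for Conti's beaconing and persistence traffic.
WATCHED_PORTS = {80, 443, 8080, 8443, 53}

# (epoch_seconds, src_ip, dst_ip, dst_port) -- constructed sample data.
FLOWS = [
    *[(1000 + 60 * i + jitter, "10.0.0.15", "203.0.113.40", 443)
      for i, jitter in enumerate([0, 1, -1, 2, 0, 1, -2, 0])],
    *[(1000 + t, "10.0.0.15", "198.51.100.7", 443)
      for t in (5, 6, 7, 200, 201, 420, 421, 422)],
    (1100, "10.0.0.22", "203.0.113.40", 25),
]


def find_beacons(flows, min_count=6, max_cv=0.1):
    """Return (src, dst, port, period_seconds) for regular connection series.

    A series qualifies when it has at least `min_count` connections to a
    watched port and the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections is at most `max_cv`, i.e. the timing is
    regular enough to look machine-driven rather than user-driven.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in WATCHED_PORTS:
            by_tuple[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_tuple.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, port, round(avg)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("possible beacon: %s -> %s:%d every ~%ds" % hit)
```

Real flow or proxy logs will need a feed into `FLOWS` and an allowlist for legitimate periodic traffic such as update checks and monitoring agents.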

Healthcare and first responder networks are among the more than 400 organizations around the world hit by Conti, with more than 290 located in the U.S., the FBI said.

The coronavirus pandemic has elicited different responses from ransomware gangs. Some groups have vowed not to attack hospitals and healthcare agencies involved in COVID-19 research and care. However, other groups have happily increased their attacks against the healthcare sector, realizing that the outbreak has created more stress and strain on medical staff.

These types of attacks also impact a wide range of people. Cyberattacks against emergency services affect the ability of first responders to provide care. They hurt people in need of fast and critical treatment. Attacks against law enforcement agencies can impact active investigations. And attacks against healthcare networks can impede access to important data, affecting the treatment of patients and the privacy of medical records.

“Cyberattacks on these organizations are unfortunately not just limited to the digital realm,” said Chris Clements, VP of solutions architecture for Cerberus Sentinel. “They have spillover effects that can impair or even completely disrupt critical caregiving operations and directly impact patient health and safety.”

Many healthcare organizations are vulnerable to ransomware attacks due to outdated and insecure technology.

“Healthcare as a vertical seems to have a disproportionately high number of legacy software packages or medical equipment built with legacy operating systems such as Windows 7 or even Windows XP that no longer receive patches from Microsoft and have few if any mitigating controls that would protect them from being targeted by today’s latest exploits,” Clements said.

To protect your organization against ransomware, the FBI offers several recommendations.

  • Regularly back up your critical data. Air gap and password protect your backup copies offline. Make sure that any backups of critical data aren’t accessible from the primary system where the data is stored.
  • Set up network segmentation.
  • Develop a recovery plan to maintain multiple copies of sensitive data. Keep your critical data and servers in a physically separate location that is segmented and secure.
  • Apply critical security patches and updates to your operating systems, software and firmware as soon as possible.
  • Implement multifactor authentication where supported.
  • Use strong passwords on your network systems and accounts. Avoid reusing passwords for multiple accounts.
  • Disable any unused or unnecessary remote access and RDP ports. Monitor your remote access and RDP logs for any suspicious activity.
  • Require administrator credentials to install key software.
  • Set up access controls with least privilege in mind. Audit any user accounts that have administrative privileges.
  • Regularly update antivirus and anti-malware software on all systems.
  • Try to use only secure networks and avoid public Wi-Fi networks. Set up a VPN for remote access.
  • Consider adding an email banner to messages that arrive from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement cybersecurity awareness and training. Train your users on information security principles and on emerging cybersecurity risks and vulnerabilities.
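The recommendation to monitor RDP logs for suspicious activity is concrete enough to automate, given that the article names stolen RDP credentials as an initial access path. The script below is an added example, not part of the FBI guidance: it runs over constructed records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP) and flags a burst of failures from one source followed by a success, the pattern that guessed or stolen credentials tend to leave. The account names, IPs and thresholds are made up for the example.

```python
"""Flag suspicious RDP logon patterns in Windows Security event records.

Records are constructed to carry the fields of events 4625/4624 that matter
here; none of this is real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip)
EVENTS = [
    ("2021-05-20T02:01:10", 4625, 10, "jsmith", "198.51.100.23"),
    ("2021-05-20T02:01:14", 4625, 10, "jsmith", "198.51.100.23"),
    ("2021-05-20T02:01:19", 4625, 10, "administrator", "198.51.100.23"),
    ("2021-05-20T02:01:25", 4625, 10, "jsmith", "198.51.100.23"),
    ("2021-05-20T02:01:31", 4625, 10, "jsmith", "198.51.100.23"),
    ("2021-05-20T02:03:02", 4624, 10, "jsmith", "198.51.100.23"),
    ("2021-05-20T09:15:00", 4625, 10, "mlee", "10.0.0.41"),
    ("2021-05-20T09:15:20", 4624, 10, "mlee", "10.0.0.41"),
    ("2021-05-20T09:30:00", 4624, 2, "mlee", "10.0.0.41"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def rdp_failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, failure_count, success_timestamp) alerts.

    An alert fires when a source IP has at least `min_failures` RDP logon
    failures within `window` before an RDP logon success from the same IP.
    """
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events
    alerts = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        when = parse_ts(ts)
        if event_id == 4625:
            failures[src].append(when)
        elif event_id == 4624:
            recent = [f for f in failures[src] if when - f <= window]
            if len(recent) >= min_failures:
                alerts.append((src, account, len(recent), ts))
            failures[src].clear()  # a success resets the count for that source
    return alerts


if __name__ == "__main__":
    for src, account, count, ts in rdp_failures_then_success(EVENTS):
        print(f"ALERT {ts}: {count} RDP failures from {src} then success as {account}")
```

In production the records would come from the Security event log (or a SIEM export) rather than an inline list; a success from an address outside your VPN range is worth flagging even without preceding failures.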

“To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Clements said. “It’s critical to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that could expose systems or data to compromise.”

A recent report from security firm Sophos also offers several good tips on what to do if you’ve been hit by a Conti ransomware attack.
