FBI Alert: Conti Ransomware Attacks Targeting U.S. Healthcare Networks

May 26, 2021
The Conti ransomware group was responsible for an attack earlier this month on Ireland’s healthcare system, according to reports

The FBI released an alert last week warning that Conti ransomware attacks have been targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. Specifically, the Bureau identified 16 such attacks targeting these organizations nationwide. 

These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S., according to the FBI bulletin. Like most ransomware variants, it noted, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction.

If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and are tailored to the victim. Recent ransom demands have been as high as $25 million, the FBI stated. The alert was made public on May 20 by the American Hospital Association (AHA).

The Conti ransomware group was responsible for an attack earlier this month on the Health Service Executive, the publicly funded healthcare system in the Republic of Ireland, causing a shutdown of its IT systems to protect against further damage. BBC reported late last week that the Conti group was allegedly asking the health service for $20 million to restore services after the “catastrophic hack.”

The Irish government insists it will not be paying the hackers, and while the criminals surprisingly have handed over a decryption key that will unlock the healthcare system’s computers, Conti is still threatening to publish or sell data it has stolen unless a ransom is paid, according to BBC. Getting the key is one step in the recovery process, but Irish Prime Minister Micheál Martin acknowledged that “enormous work is still required to rebuild the system overall,” BBC reported.

As for how the group operates, the FBI stated that Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. The actors weaponize Word documents “with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware,” the bulletin read.
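A defender-side check for the delivery chain the bulletin describes, added here as an example and not taken from the FBI alert or this article: it scans process-creation records for PowerShell whose ancestry leads back to Word, directly or through an intermediate process. The records are constructed, and the field names and `MAX_DEPTH` are assumptions.

```python
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe"}                 # the bulletin names Word documents
SHELLS = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 4                            # assumption: ancestors to inspect

# Constructed process-creation records (not real telemetry). Field names are
# assumptions; map them from Sysmon Event ID 1 or Windows Event 4688.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "ws01", "pid": 200, "ppid": 100, "image": r"C:\Office16\WINWORD.EXE"},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "pid": 400, "ppid": 300, "image": PS},
    {"host": "ws02", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "pid": 500, "ppid": 100, "image": PS},
    {"host": "ws03", "pid": 200, "ppid": 100, "image": r"C:\Office16\WINWORD.EXE"},
    {"host": "ws03", "pid": 600, "ppid": 200, "image": PS},
]


def name(ev):
    """Lower-cased executable name, independent of install path."""
    return basename(ev["image"]).lower()


def find_office_spawned_shells(events):
    """Return one alert per PowerShell process that has Word as an ancestor."""
    # Keyed by (host, pid); PIDs are reused over time, so run this over a
    # short time window per host in production.
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for ev in events:
        if name(ev) not in SHELLS:
            continue
        chain, cur, seen = [name(ev)], ev, set()
        for _ in range(MAX_DEPTH):
            key = (cur["host"], cur["ppid"])
            if key in seen or key not in by_pid:
                break                    # loop in the data or parent not logged
            seen.add(key)
            cur = by_pid[key]
            chain.append(name(cur))
            if name(cur) in OFFICE:
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "chain": " <- ".join(chain)})
                break
    return alerts
```

On the sample data this flags ws01 (Word to cmd.exe to PowerShell) and ws03 (Word directly to PowerShell), and leaves the interactively launched shell on ws02 alone.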

According to the technology blog Engadget, “In cybersecurity circles, Conti is described as a human-operated ‘double extortion’ ransomware that steals and threatens to expose information as well as encrypting it. The gang behind the malware has published data stolen from at least 180 victims on its leak site.”

If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers. The actors may also communicate with the victim using ProtonMail, and in some instances victims have negotiated a reduced ransom, the FBI reported.

Importantly, the FBI advises victims not to pay ransoms to the hackers. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Overall, the healthcare industry continues to struggle with proactively preventing ransomware attacks and then recovering once they do happen. As a result, healthcare data is becoming too easy a target for hackers. One recent report from cybersecurity consulting firm Coveware found that ransomware attacks are intensifying across all U.S. industries, including healthcare. Indeed, the firm estimates that in the first quarter of 2021, nearly 12 percent of all ransomware attacks hit healthcare, putting the healthcare industry in a tie for second place, together with the public sector, and behind professional services at 24.9 percent, but far ahead of such industries as transportation (4.9 percent), real estate (3.6 percent), utilities (3.1 percent), and retailing (2.7 percent).

Another analysis from security company Comparitech revealed that throughout last year, 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated cost of these attacks in total is nearly $21 billion.
