FBI warns of Conti ransomware attacks against healthcare organizations


The attacks have targeted US healthcare and first responder networks with ransom demands as high as $25 million, says the FBI.


Healthcare and first responder networks need to be on guard against a continuing series of ransomware attacks identified by the FBI. In an alert published last Thursday, the agency said it had identified at least 16 Conti ransomware attacks against law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities within the past year.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

On a basic level, Conti works like other ransomware strains. The attackers gain access to an organization's network, encrypt sensitive files and then demand payment from the victim. The ransom note tells victims to pay the money through an online portal.

If the ransom demands aren't met, the attackers then either sell the data or publish the files to their own public website. Though ransom amounts vary based on the attacked organization, some demands have gone as high as $25 million.

More specifically, Conti attacks typically steal network access through malicious email links and attachments or hijacked Remote Desktop Protocol (RDP) credentials. The malicious file attachments often come as Word documents with embedded PowerShell scripts that install the Emotet malware onto the network, opening the door for the ransomware.

To hack into a network, the attackers use remote access tools that beacon to domestic and international virtual private servers (VPS) using ports 80, 443, 8080 and 8443. They may also use port 53 for persistent connections.

To move around the network, the attackers adopt any available built-in commands and then add third-party tools such as Microsoft's Sysinternals and Mimikatz. Some criminals have been observed inside a network for anywhere between four days and three weeks before deploying the actual ransomware to exfiltrate and encrypt the targeted files.

After the ransomware has been deployed, the attackers may remain in the network and beacon out using AnchorDNS. If the victim does not respond to the ransom note within two to eight days, the criminals may call the organization using single-use Voice over Internet Protocol (VoIP) numbers or email them using ProtonMail.
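The beaconing behaviour described above (regular call-outs to external servers on ports 80, 443, 8080 and 8443, and port-53 traffic used as a persistent channel) is something a defender can look for in outbound connection logs. The script below is an added example, not code from the FBI alert or from the article: it scores each (source, destination, port) tuple by how regular its connection intervals are and separately flags DNS-port traffic that bypasses the approved resolver. The log line format, the sample flows, the internal address ranges, the resolver address and the thresholds are all constructed assumptions for this example.

```python
"""Beacon-style detection over constructed firewall connection logs.

Added example (not from the FBI alert or the article). It flags hosts that
contact the same external IP:port at near-regular intervals on the ports named
in the alert (80, 443, 8080, 8443), and outbound port-53 traffic that bypasses
the approved resolver. Log format, sample lines, thresholds, internal ranges
and the resolver address are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

BEACON_PORTS = {80, 443, 8080, 8443}
APPROVED_RESOLVER = "10.0.0.53"   # assumption: the only sanctioned DNS forwarder
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_EVENTS = 6                    # with fewer samples any interval looks "regular"
MAX_JITTER_RATIO = 0.15           # pstdev/mean of gaps below this looks machine-driven

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>", one flow per line.
# 10.0.1.15 calls the same host every ~10 s (beacon-like); 10.0.1.22 is bursty
# human-style browsing; 10.0.1.40 sends DNS to a host that is not the resolver.
SAMPLE_LOG = """\
2021-05-24T09:00:00 10.0.1.15 203.0.113.10 443
2021-05-24T09:00:10 10.0.1.15 203.0.113.10 443
2021-05-24T09:00:21 10.0.1.15 203.0.113.10 443
2021-05-24T09:00:30 10.0.1.15 203.0.113.10 443
2021-05-24T09:00:40 10.0.1.15 203.0.113.10 443
2021-05-24T09:00:51 10.0.1.15 203.0.113.10 443
2021-05-24T09:01:00 10.0.1.15 203.0.113.10 443
2021-05-24T09:00:03 10.0.1.22 198.51.100.5 443
2021-05-24T09:00:47 10.0.1.22 198.51.100.5 443
2021-05-24T09:02:10 10.0.1.22 198.51.100.5 443
2021-05-24T09:05:30 10.0.1.22 198.51.100.5 443
2021-05-24T09:05:31 10.0.1.22 198.51.100.5 443
2021-05-24T09:09:15 10.0.1.22 198.51.100.5 443
2021-05-24T09:00:05 10.0.1.15 10.0.0.53 53
2021-05-24T09:00:06 10.0.1.40 192.0.2.77 53
2021-05-24T09:00:12 10.0.1.40 192.0.2.77 53
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn the constructed log format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_beacons(text):
    """Return (src, dst, dport, reason) tuples for suspicious outbound flows."""
    by_tuple = defaultdict(list)
    alerts = []
    seen_rogue_dns = set()
    for ts, src, dst, dport in parse_log(text):
        if is_internal(dst):
            continue  # east-west traffic is out of scope for this check
        if dport == 53 and dst != APPROVED_RESOLVER:
            key = (src, dst, dport)
            if key not in seen_rogue_dns:  # report each rogue resolver once
                seen_rogue_dns.add(key)
                alerts.append((src, dst, dport, "dns to non-approved resolver"))
            continue
        if dport in BEACON_PORTS:
            by_tuple[(src, dst, dport)].append(ts)

    for (src, dst, dport), times in by_tuple.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low jitter relative to the mean gap is the signature of a timer-driven callback.
        if avg > 0 and pstdev(gaps) / avg < MAX_JITTER_RATIO:
            alerts.append((src, dst, dport, f"periodic every ~{avg:.0f}s over {len(times)} flows"))
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE_LOG):
        print(alert)
```

The jitter ratio is the tunable that matters: real implants add randomised sleep, so in production the threshold is usually set from a baseline of the site's own traffic rather than a fixed constant, and the check is run over hours of flows rather than the minute shown here.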

Healthcare and first responder networks are among the more than 400 organizations worldwide hit by Conti, with more than 290 located in the U.S., the FBI said.

The coronavirus pandemic has elicited different responses from ransomware gangs. Some groups have vowed not to attack hospitals and healthcare agencies involved in COVID-19 research and care. However, other groups have happily increased their attacks against the healthcare sector, knowing that the outbreak has created extra stress and strain on medical staff.

These kinds of attacks also impact a wide range of people. Cyberattacks against emergency services affect the ability of first responders to provide care. They hurt people in need of fast and critical treatment. Attacks against law enforcement agencies can impact active investigations. And attacks against healthcare networks can impede access to vital information, affecting the treatment of patients and the privacy of medical records.

“Cyberattacks on these organizations are unfortunately not simply limited to the digital realm,” said Chris Clements, VP of solutions architecture for Cerberus Sentinel. “They have spillover effects that can impair or even completely disrupt vital care-giving operations and directly impact patient health and safety.”

Many healthcare organizations are vulnerable to ransomware attacks due to outdated and insecure technology.

“Healthcare as a vertical seems to have a disproportionally high number of legacy software packages or medical equipment built with legacy operating systems such as Windows 7 or even Windows XP that no longer receive patches from Microsoft and have few if any mitigating controls that may protect them from being targeted by today’s latest exploits,” Clements said.

To protect your organization against ransomware, the FBI offers several recommendations.

  • Regularly back up your critical data. Air gap and password protect your backup copies offline. Make sure that any backups of critical data aren't accessible from the primary system where the data is stored.
  • Set up network segmentation.
  • Develop a recovery plan to maintain multiple copies of sensitive data. Keep your critical data and servers in a physically separate location that is segmented and secure.
  • Apply critical security patches and updates to your operating systems, software and firmware as soon as possible.
  • Implement multifactor authentication where supported.
  • Use strong passwords on your network systems and accounts. Avoid reusing passwords for multiple accounts.
  • Disable any unused or unnecessary remote access and RDP ports. Monitor your remote access and RDP logs for any suspicious activity.
  • Require administrator credentials to install key software.
  • Set up access controls with least privilege in mind. Audit any user accounts that have administrative privileges.
  • Regularly update antivirus and anti-malware software on all systems.
  • Try to use only secure networks and avoid public Wi-Fi networks. Set up a VPN for remote access.
  • Consider adding an email banner to messages that arrive from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement cybersecurity awareness and training. Train your users on information security principles and on emerging cybersecurity risks and vulnerabilities.
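The recommendation to monitor remote access and RDP logs for suspicious activity is the one on the list that needs some logic behind it, since hijacked RDP credentials are named earlier as a Conti entry point. The script below is an added example, not code from the FBI alert or the article. It reads a constructed one-line rendering of Windows logon events and raises three kinds of alert: a burst of failed RDP logons from one source, a successful logon from that same source after the burst, and any successful RDP logon from an address outside the internal ranges. Event IDs 4624 and 4625 and logon type 10 are the real Windows values; the record format, sample events, internal ranges and thresholds are assumptions for this example.

```python
"""RDP logon monitoring over constructed Windows security events.

Added example (not from the FBI alert or the article). Event IDs 4624 (logon
success) and 4625 (logon failure) and LogonType 10 (RemoteInteractive, i.e.
RDP) are the real Windows values; the one-line key=value record format, the
sample events, the internal ranges and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 5   # failed RDP logons from one source within WINDOW seconds
WINDOW = 300

# Constructed sample events: "<ISO timestamp> EventID=... LogonType=... User=... Src=...".
# 198.51.100.23 fails five times in eight seconds and then succeeds; jsmith
# mistypes once from an internal host; svc_backup logs in from an external address.
SAMPLE_EVENTS = """\
2021-05-24T02:00:01 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23
2021-05-24T02:00:03 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23
2021-05-24T02:00:05 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23
2021-05-24T02:00:07 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23
2021-05-24T02:00:09 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23
2021-05-24T02:00:12 EventID=4624 LogonType=10 User=administrator Src=198.51.100.23
2021-05-24T08:15:00 EventID=4624 LogonType=10 User=jsmith Src=10.0.5.12
2021-05-24T08:16:00 EventID=4625 LogonType=10 User=jsmith Src=10.0.5.12
2021-05-24T08:16:20 EventID=4624 LogonType=10 User=jsmith Src=10.0.5.12
2021-05-24T11:00:00 EventID=4624 LogonType=10 User=svc_backup Src=203.0.113.9
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_event(line: str) -> dict:
    """Parse one constructed record into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def analyze_rdp_events(text: str):
    """Return (kind, src, user) alerts for RDP (LogonType 10) logon events."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logons
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue  # only remote interactive (RDP) logons are of interest here
        src, user, ts = ev["Src"], ev["User"], ev["ts"]
        if ev["EventID"] == "4625":
            # Keep only failures still inside the sliding window.
            failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= WINDOW]
            failures[src].append(ts)
            if len(failures[src]) == FAIL_THRESHOLD:  # fire once when the burst is reached
                alerts.append(("failure_burst", src, user))
        elif ev["EventID"] == "4624":
            if len(failures[src]) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", src, user))
            if not is_internal(src):
                # A successful RDP logon from outside means RDP is exposed to the internet.
                alerts.append(("external_rdp_logon", src, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze_rdp_events(SAMPLE_EVENTS):
        print(alert)
```

The "external_rdp_logon" alert doubles as a check on the earlier recommendation to disable unneeded RDP ports: if such an event ever appears, the port is reachable from outside regardless of what the firewall policy says, and that is the finding to chase first.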

“To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Clements said. “It’s crucial to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that can expose systems or data to compromise.”
