The Conti ransomware attacks have disrupted healthcare networks in the U.S. and abroad, according to the alert.
The FBI has issued an alert about a ransomware attack that has affected U.S. healthcare organizations and first responders, among more than 290 organizations in the U.S. and 400 worldwide targeted during the past year.
There have been at least 16 instances in which the Conti ransomware attack has hit healthcare networks. Organizations listed as being impacted include law enforcement agencies, emergency medical services, 9-1-1- dispatch centers and municipalities.
The American Hospital Association (AHA), which coordinated with the FBI to publish and release the alert, noted that the attacks have “resulted in regionally disruptive impacts to critical infrastructure, including hospitals and health systems in the United States and Ireland.”
“These ransomware attacks have delayed or disrupted the delivery of patient care and pose significant potential risks to patient safety and the communities that rely on hospitals’ availability,” the AHA stated.
More details about the attacks
The ransomware works in typical fashion, according to the FBI alert:
“Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely, and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.”
The alert also states, “Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments or stolen Remote Desktop Protocol (RDP) credentials.” The perpetrators use remote-access tools that “most often beacon to domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080 and 8443. Additionally, actors may use port 53 for persistence.”
Recommended mitigation steps
The FBI lists various preventive steps for organizations in response to the Conti attacks and other ransomware efforts:
- Regularly back up data, and air-gap and password-protect backup copies offline.
- Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable time frame for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Require administrator credentials to install software.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organizations.
- Disable hyperlinks in received emails.
- Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
A broader security response is needed
The AHA states that “relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat,” especially given that most attacks originate from outside the U.S. and are beyond the reach of U.S. law enforcement.
What’s called for is a coordinated government campaign “that will use all diplomatic, financial, law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations and seize their illegal proceeds, as was done so effectively during the global fight against terrorism.”
For more information, see the FBI alert.