Healthcare and first responder networks should be on guard for a continuing series of ransomware attacks uncovered by the FBI. In an alert published last Thursday, the agency said that it found at least 16 Conti ransomware attacks against law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities within the past year.
On a basic level, Conti works like other ransomware strains. The attackers gain access to an organization’s network, encrypt sensitive files and then demand payment from the victim. The ransom note tells victims to pay the money through an online portal.
If the ransom demands aren’t met, the attackers then either sell the data or publish the files to their own public website. Though ransom amounts vary based on the attacked organization, some demands have gone as high as $25 million.
More specifically, Conti attacks typically gain network access through malicious email links and attachments or through hijacked Remote Desktop Protocol (RDP) credentials. The malicious attachments often arrive as Word documents with embedded PowerShell scripts that install the Emotet malware on the network, opening the door for the ransomware.
To hack into a network, the attackers use remote access tools that beacon to domestic and international virtual private servers (VPS) using ports 80, 443, 8080 and 8443. They may also use port 53 for persistent connections.
To move around the network, the attackers use whatever built-in commands are available and then add third-party tools such as Microsoft's Sysinternals and Mimikatz. Some criminals have been observed inside a network for anywhere between four days and three weeks before deploying the actual ransomware to exfiltrate and encrypt the targeted files.
After the ransomware has been deployed, the attackers may remain in the network and beacon out using AnchorDNS. If the victim doesn't respond to the ransom note within two to eight days, the criminals may call the organization using single-use Voice over Internet Protocol (VoIP) numbers or email them using ProtonMail.
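The beaconing described in the two paragraphs above (remote access tools calling out on ports 80, 443, 8080 and 8443, persistent connections on port 53, and post-deployment beacons such as AnchorDNS) is something defenders can look for in outbound connection records. The script below is an added example, not code from the article or the FBI alert: it reads a constructed, simplified connection log (timestamp, source, destination, destination port), groups connections per flow, and flags flows on the watched ports whose intervals are unusually regular. The log format, the hosts and addresses, and the thresholds (at least six connections, relative interval jitter of 20% or less) are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not real traffic): time, src, dst, dst port.
# Host 10.0.5.12 contacts an external address on 443 roughly once a minute,
# host 10.0.5.40 sends something on port 53 every five minutes exactly,
# and host 10.0.5.77 shows irregular, browsing-like bursts on 443.
SAMPLE_LOG = """\
2021-05-24T09:00:00 10.0.5.12 203.0.113.7 443
2021-05-24T09:01:01 10.0.5.12 203.0.113.7 443
2021-05-24T09:01:59 10.0.5.12 203.0.113.7 443
2021-05-24T09:03:00 10.0.5.12 203.0.113.7 443
2021-05-24T09:04:02 10.0.5.12 203.0.113.7 443
2021-05-24T09:05:00 10.0.5.12 203.0.113.7 443
2021-05-24T09:06:01 10.0.5.12 203.0.113.7 443
2021-05-24T09:00:10 10.0.5.40 198.51.100.9 53
2021-05-24T09:05:10 10.0.5.40 198.51.100.9 53
2021-05-24T09:10:10 10.0.5.40 198.51.100.9 53
2021-05-24T09:15:10 10.0.5.40 198.51.100.9 53
2021-05-24T09:20:10 10.0.5.40 198.51.100.9 53
2021-05-24T09:25:10 10.0.5.40 198.51.100.9 53
2021-05-24T09:00:05 10.0.5.77 192.0.2.50 443
2021-05-24T09:00:07 10.0.5.77 192.0.2.50 443
2021-05-24T09:09:31 10.0.5.77 192.0.2.50 443
2021-05-24T09:09:32 10.0.5.77 192.0.2.50 443
2021-05-24T09:27:45 10.0.5.77 192.0.2.50 443
2021-05-24T09:27:48 10.0.5.77 192.0.2.50 443
2021-05-24T09:28:00 10.0.5.77 192.0.2.50 443
"""

# Ports the FBI alert names for beaconing (80, 443, 8080, 8443) plus 53.
WATCHED_PORTS = {80, 443, 8080, 8443, 53}


def parse_log(text):
    """Group connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def detect_beacons(text, min_connections=6, max_jitter=0.2):
    """Return flows on watched ports whose inter-connection gaps are nearly constant.

    jitter = population std-dev of the gaps divided by the mean gap; a value
    near 0 means a fixed cadence, which is what a scheduled beacon produces.
    Thresholds are example values, not tuned guidance.
    """
    findings = []
    for (src, dst, port), times in parse_log(text).items():
        if port not in WATCHED_PORTS or len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "mean_interval_s": mean_gap,
                "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['connections']} connections, jitter {f['jitter']:.2f})")
```

On the constructed log the two regular flows are reported and the irregular one is not. In practice the same logic runs over firewall, proxy or NetFlow exports; a low-jitter flow on 443 to an unfamiliar address, or a steady cadence on port 53 that is not normal resolver traffic, is a lead for the incident responders rather than proof on its own.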
Healthcare and first responder networks are among the more than 400 organizations around the world hit by Conti, with more than 290 located in the U.S., the FBI said.
The coronavirus pandemic has elicited different responses from ransomware gangs. Some groups have vowed not to attack hospitals and healthcare agencies involved in COVID-19 research and care. However, other groups have happily increased their attacks against the healthcare sector, knowing that the outbreak has created more stress and strain on medical staff.
These types of attacks also impact a wide array of people. Cyberattacks against emergency services affect the ability of first responders to provide care. They hurt individuals in need of quick and vital treatment. Attacks against law enforcement agencies can impact active investigations. And attacks against healthcare networks can impede access to important information, affecting the treatment of patients and the privacy of medical data.
“Cyberattacks on these organizations are unfortunately not simply limited to the digital realm,” said Chris Clements, VP of solutions architecture for Cerberus Sentinel. “They have spillover effects that can impair or even completely disrupt vital care-giving operations and directly impact patient health and safety.”
Many healthcare organizations are vulnerable to ransomware attacks due to outdated and insecure technology.
“Healthcare as a vertical seems to have a disproportionally high number of legacy software packages or medical equipment built with legacy operating systems such as Windows 7 or even Windows XP that no longer receive patches from Microsoft and have few if any mitigating controls that may protect them from being targeted by today’s latest exploits,” Clements said.
To protect your organization against ransomware, the FBI offers several recommendations.
- Regularly back up your critical data. Air gap and password protect your backup copies offline. Make sure that any backups of critical data aren’t accessible from the primary system where the data is stored.
- Set up network segmentation.
- Develop a recovery plan to maintain multiple copies of sensitive data. Keep your critical data and servers in a physically separate location that’s segmented and secure.
- Apply critical security patches and updates to your operating systems, software and firmware as soon as possible.
- Implement multifactor authentication where supported.
- Use strong passwords for your network systems and accounts. Avoid reusing passwords for multiple accounts.
- Disable any unused or unnecessary remote access and RDP ports. Monitor your remote access and RDP logs for any suspicious activity.
- Require administrator credentials to install key software.
- Set up access controls with least privilege in mind. Audit any user accounts that have administrative privileges.
- Regularly update antivirus and anti-malware software on all systems.
- Try to use only secure networks and avoid public Wi-Fi networks. Set up a VPN for remote access.
- Consider adding an email banner to messages that arrive from outside your organization.
- Disable hyperlinks in received emails.
- Implement cybersecurity awareness and training. Train your users on information security techniques and on emerging cybersecurity risks and vulnerabilities.
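One of the recommendations above is to monitor remote access and RDP logs for suspicious activity, which matters because the article names hijacked RDP credentials as a common entry point. The script below is an added example, not code from the article, the FBI or any vendor: it scans a constructed, simplified export of Windows Security events and flags source addresses that produce a burst of failed RDP logons, noting whether a successful RDP logon from the same address follows. The real facts it relies on are that event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 (RemoteInteractive) is how RDP sessions appear; the pipe-delimited line format, the accounts and addresses, and the thresholds (five failures within ten minutes) are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs and the logon type used by RDP sessions.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed, simplified export (not a real log):
# time | event id | logon type | account | source IP.
# 203.0.113.55 fails against six accounts in seconds, then logs in;
# 10.0.5.21 is an ordinary user who mistypes a password once.
SAMPLE_EVENTS = """\
2021-05-24T02:10:01|4625|10|svc_backup|203.0.113.55
2021-05-24T02:10:03|4625|10|administrator|203.0.113.55
2021-05-24T02:10:04|4625|10|admin|203.0.113.55
2021-05-24T02:10:06|4625|10|jsmith|203.0.113.55
2021-05-24T02:10:08|4625|10|nurse01|203.0.113.55
2021-05-24T02:10:09|4625|10|dispatch|203.0.113.55
2021-05-24T02:10:15|4624|10|dispatch|203.0.113.55
2021-05-24T08:30:00|4625|10|jsmith|10.0.5.21
2021-05-24T08:30:20|4624|10|jsmith|10.0.5.21
2021-05-24T08:45:00|4624|3|jsmith|10.0.5.21
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    events.sort(key=lambda e: e["time"])
    return events


def flag_rdp_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside the window.

    For each flagged source the result records the total failures, how many
    distinct accounts were tried, and whether a successful RDP logon from the
    same source occurred within one window after the burst.
    """
    by_src = defaultdict(list)
    for e in parse_events(text):
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src"]].append(e)

    flagged = {}
    for src, events in by_src.items():
        recent = deque()      # failure timestamps inside the sliding window
        accounts = set()
        failures = 0
        burst_end = None      # time of the last failure that completed a burst
        for e in events:
            if e["event_id"] != FAILED_LOGON:
                continue
            failures += 1
            accounts.add(e["account"])
            recent.append(e["time"])
            while recent and e["time"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                burst_end = e["time"]
        if burst_end is None:
            continue
        success_after = any(
            e["event_id"] == SUCCESS_LOGON
            and burst_end <= e["time"] <= burst_end + window
            for e in events
        )
        flagged[src] = {
            "failures": failures,
            "accounts": len(accounts),
            "success_after_failures": success_after,
        }
    return flagged


if __name__ == "__main__":
    for src, info in flag_rdp_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons across "
              f"{info['accounts']} accounts; success afterwards: "
              f"{info['success_after_failures']}")
```

A burst of failures followed by a success is the pattern that deserves an immediate check of that account and source, alongside the other recommendations above: multifactor authentication on remote access, disabling RDP where it is not needed, and keeping it reachable only through a VPN.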
“To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Clements said. “It’s crucial to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that can expose systems or data to compromise.”
A recent report from security firm Sophos also provides several good tips on what to do if you’ve been hit by a Conti ransomware attack.