Ransomware Groups are Targeting Healthcare and First Responders
In May 2021, the Federal Bureau of Investigation released a statement stating that the group of extortionists who were responsible for the ransomware attack on Irish hospitals is responsible for exploiting at least 16 healthcare sectors and first responder networks, including emergency medical services, law enforcement services, 911 dispatchers, and municipalities in the span of a year.
The ransomware attacks targeting the healthcare and first responders sectors are among a more widespread Conti campaign, which has already obtained over 400 victims worldwide — with over 290 in the United States alone. The FBI is alerting healthcare entities to review the recent publicized FBI alert for insights into the attacks and any indicators that their networks have been compromised.
According to the alert, “Cyber attacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed.” The alert added, “Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.”
Conti Ransomware Attacks
When any of these networks are impacted by the ransomware attacks, there could be long-lasting impacts on public health, and this is one of the main reasons it is so important for healthcare organizations and first responders to do everything possible to prevent ransomware attacks.
The recent attacks by Conti are typical, the FBI states. Victims’ files are stolen and the workstations and servers are encrypted to demand a ransom payment from the victim via an online source. The malicious actors will generally gain access to healthcare networks through malicious email links, malicious attachments, or stolen Remote Desktop Protocol credentials.
Conti uses Word documents that have been embedded with Powershell scripts, initially staging Cobalt Strike via the Word documents and then placing Emotet onto the network, thus, allowing them to gain access to deploy ransomware. Emotet is a dangerous form of malware because not only does it release its own modules into a system, but it also releases other forms of malware that can result in additional malware. The malicious actors have been observed to be inside networks between four days and three weeks before the ransomware is actually deployed via dynamic-link libraries(DLLs).
The Conti group uses tools that are already accessible on the network, and any additional tools that are needed will be acquired, like Sysinternals and Mimikatz to escalate privileges and move laterally through the network before data is stolen and encrypted. There have also been cases where Trickbot is used.
If the victim of the attack fails to pay the ransom within a specific timeframe, the malicious actors will threaten to publicly release the data. If the victim fails to respond to the ransom demands, the actors will use single-use Voice over Internet Protocol (VoIP) numbers. According to the FBI alert, some recent ransom demands have been as high as $25 million.
Ireland Health Services
As mentioned previously, officials believe Conti was behind the attack on Ireland’s Health Service Execution (HSE) and Department of Health. The Conti ransomware group demanded the health system pay a $20 million ransom. The group later released a free decryptor for the HSE, but the group still threatened to release 700GB of stolen data to the public. However, Ireland’s Health Service Execution (HSE) was able to prevent encryption.
Should The Ransom Always Be Paid?
The FBI does not support paying ransom in response to any ransomware. As many businesses and organizations have found out, paying the ransom does not always guarantee that your data and/or operations will be restored. According to the recent FBI alert, “The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Paying the ransom can signal to the cybercriminals that ransomware attacks are great ways to make a sizable amount of money. The rise in ransomware attacks will continue to rise as more cybercriminals look to generate as much money as they can obtain from extortion. The government has taken a strong stance against paying ransoms to criminals, including when the government is a target of an attack. Paying the ransom will likely encourage more cybercriminals to continue using this approach because their demands are being met.
Indicators of Conti Ransomware
According to the FBI, the Conti ransomware group is one of many groups that utilize triple extortion methods, including using VoIP phone numbers or communicating via ProtonMail. The FBI noted that some victims have been able to negotiate smaller ransoms. Conti actors use remote access tools that will beacon to domestic and international virtual private server (VPS) infrastructure via the following ports:
- 80
- 443
- 8080
- 8443
The larger HTTPS transfers will generally go to cloud-based storage providers MegaNZ and pCloud servers. Conti activity can be spotted inside networks by noticing any new accounts or new tools that were not knowingly installed by anyone within the organization. Additional indicators of Conti ransomware include disabled endpoint protection and constant HTTPS and domain name system (DNS) beacons.
Recommended Actions
Healthcare entities are encouraged to review their strategies, policies, and procedures to ensure they are utilizing the best practices when it comes to defense and security protection, including doing the following:
- Multi-factor authentication
- Network segmentation
- Routine backups
- Patch management
- Backup and disaster recovery plans
- Password protection for offline backups
- Ensure copies of critical data are not easily accessible
- Ensure all updates, patches, operating systems, software, firmware, are all installed as soon as they are released
A ransomware attack can be a business-altering impact on any business or organization, regardless of its size. Despite your best efforts and best practices, cybercriminals are smart, and they have access to sophisticated and advanced tools. If ransomware does enter any of your systems, you need to know what to do so you can respond quickly.
Not only have there been attacks on healthcare organizations and first responders, but there has also been a string of other cybercrimes, threats, and ransomware attacks on businesses across a variety of industries. President Joe Biden recently released an Executive Order on Cybersecurity. The EO includes directives for businesses, agencies, and organizations to follow to successfully develop best practices and implement better security standards.
Taking the proper steps can help your safeguard your business and your vital assets, especially your sensitive and confidential data. Prevention techniques can give you an advantage over cybercriminals, even the most intelligent and skillful ones. Are you prepared to educate your team and give your Minnesota business the level of protection it needs?
At On-site Computers Inc., we offer the protection your Minnesota needs from any ransomware attack or other cyber-related threat. For more information on ransomware and what IT services and solutions we can provide your business in Minnesota, please do not hesitate to contact us today.
A ransomware attack can happen at any time, especially when you least expect it. To ensure the safety and protection of your data, you need systems that can support the best security implementation. There are no boundaries to ransomware, like any type of cybercrime.
Call us today at (800) 669-8513. We are here to help. Ransomware attacks continue to rise, and it is important to understand the consequence of ransomware incidents and how they can impact your business today and in the future. Reach out to us today to find out how we can be the IT partner you need to navigate the recent notices and changes in cybersecurity and risk assessments.
