
CISA, FBI, NSA Release Advisory Warning of Conti Ransomware Attacks

Conti ransomware group successfully attacked at least 16 healthcare sector and first responder networks in the last year and continues to be a significant threat.

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) released an advisory warning organizations about the Conti ransomware group, a notorious hacking organization that has claimed responsibility for over 400 cyberattacks across the US and internationally.

The advisory noted that Conti actors typically gain access to networks through spearphishing campaigns using malicious email attachments and links, phone calls, fake software promotions, stolen or weak Remote Desktop Protocol (RDP) credentials, and common vulnerabilities.

In May, the FBI released a flash alert warning healthcare organizations and first responder networks about Conti and its threat to the healthcare sector. The FBI identified at least 16 Conti ransomware attacks against the US healthcare sector within the past year.

In February, Conti released two healthcare data dumps on the dark web after infiltrating the networks of Leon Medical Centers and Nocona General Hospital. In May, Rehoboth McKinley Christian Health Care Services (RMCHCS) notified over 200,000 patients of a data leak caused by Conti ransomware actors.

The joint advisory emphasized that Conti uses a variety of technical tactics against its victims. Once inside, the threat actors rely on tools already present on the victim’s network to move through the organization, and they take advantage of unpatched systems and known vulnerabilities.

“The Russian-speaking Conti ransomware gang has been implicated in some of the most disruptive ransomware attacks targeting hospitals and health systems this year,” John Riggi, AHA senior advisor for cybersecurity and risk, stated publicly.

“Its continued use of the ‘double extortion’ method of ransom to demand payment for de-encryption of health data along with payment to not publicly release stolen health data jeopardizes patient privacy and patient safety.”

To mitigate risk, the FBI, CISA, and the NSA recommended that organizations require multi-factor authentication to remotely access networks. Organizations should also consider implementing network segmentation and filtering network traffic to prevent phishing emails from reaching users.

Scanning for vulnerabilities, removing any unnecessary applications, and implementing endpoint detection and response (EDR) tools are crucial safeguards that organizations across all sectors should prioritize to prevent ransomware and phishing attacks.

As Conti and other known ransomware groups continue to threaten US critical infrastructure, agencies across the federal government have been releasing guidance and regulations in hopes of preventing future cyberattacks.

The US Treasury recently imposed sanctions on SUEX, a cryptocurrency exchange that allegedly facilitated ransomware payments on behalf of cybercriminals for its own financial gain. The action marks the first ever sanctions against a cryptocurrency exchange.

In conjunction with the sanctions, the Treasury’s Office of Foreign Assets Control (OFAC) also released an updated advisory warning companies and individuals of the potential consequences and penalties associated with facilitating ransomware payments.

“On the OFAC front, it is encouraging to see the government pursue and disrupt the illicit proceeds of these ransomware gangs,” Riggi continued.

“The OFAC advisory also reminds us that it is a ‘strict liability’ issue to pay ransom or facilitate payment through an OFAC designated entity. This civil and regulatory liability can only be mitigated through timely notification and cooperation with law enforcement by ransomware victims. This is another reason why guidance to not notify or cooperate with law enforcement is bad advice.”
