The adversary behind Conti ransomware targeted no fewer than 16 healthcare and first responder networks in the U.S. within the past year, totally victimizing over 400 organizations worldwide, 290 of which are situated in the country.
That’s according to a new flash alert issued by the U.S. Federal Bureau of Investigation (FBI) on Thursday.
“The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year,” the agency said.
Ransomware attacks have worsened over the years, with recent targets as varied as state and local governments, hospitals, police departments, and critical infrastructure. Conti is one of many ransomware strains that have capitulated on that trend, commencing its operations in July 2020 as a private Ransomware-as-a-Service (RaaS), in addition to jumping on the double extortion bandwagon by launching a data leak site.
Based on an analysis published by ransomware recovery firm Coveware last month, Conti was the second most prevalent strain deployed, accounting for 10.2% of all the ransomware attacks in the first quarter of 2021.
Infections involving Conti have also breached the networks of Ireland’s Health Service Executive (HSE) and Department of Health (DoH), prompting the National Cyber Security Centre (NCSC) to issue an alert of its own on May 16, stating that “there are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans.”
Conti operators are known for infiltrating enterprise networks and spreading laterally using Cobalt Strike beacons prior to exploiting compromised user credentials to deploy and execute the ransomware payloads, with the encrypted files renamed with a “.FEEDC” extension. Weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials are some of the tactics the group used to gain an initial foothold on the target network, the FBI said.
“The actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware,” the agency noted, adding the ransom amounts are tailored to each victim, with recent demands ratcheting up to as high as $25 million.
The alert also comes amid a proliferation of ransomware incidents in recent weeks, even as extortionists continue to seek exorbitant prices from companies in hopes of landing a huge, quick payday. Insurance major CNA Financial is said to have paid $40 million, while Colonial Pipeline and Brenntag have each shelled out nearly $4.5 million to regain access to their encrypted systems.