I recently participated in a 16-hour table-top exercise training by FEMA at the Tony Canale New Jersey Regional Operations & Intelligence Center (NJ ROIC). The ROIC serves as New Jersey’s primary focal point for information sharing and intelligence production needed to support law enforcement, counter terrorism, and homeland security missions.
These exercises have become critical as ransomware attacks continue to worsen year over year, potentially creating national and local disasters in which entire cities are brought to a standstill by major outages.
Recent attacks have focused on:
- State and local governments
- Hospitals
- Police departments
- First Responders
- Critical infrastructure
Conti is one of many ransomware strains that have capitalized on that trend, commencing its operations in July 2020 as a private Ransomware-as-a-Service (RaaS) and jumping on the double-extortion bandwagon by launching a data leak site.
Summary
The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and, we assess, are tailored to the victim. Recent ransom demands have been as high as $25 million.
- Cyber attacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and endangering members of the public whose calls for service are delayed.
- Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges.
- Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.
Technical Details
Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware. Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery. The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals [1] and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data [2]. In some cases where additional resources are needed, the actors also use Trickbot [3]. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS.
If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice over Internet Protocol (VoIP) numbers. The actors may also communicate with the victim using ProtonMail, and in some instances victims have negotiated a reduced ransom. View the entire report here.
Additional Information
Based on an analysis published by ransomware recovery firm Coveware last month, Conti was the second most prevalent strain deployed, accounting for 10.2% of all the ransomware attacks in the first quarter of 2021.
Infections involving Conti have also breached the networks of Ireland’s Health Service Executive (HSE) and Department of Health (DoH), prompting the National Cyber Security Centre (NCSC) to issue an alert of its own on May 16, stating that “there are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans.”
Conti operators are known for infiltrating enterprise networks and spreading laterally using Cobalt Strike beacons prior to exploiting compromised user credentials to deploy and execute the ransomware payloads, with the encrypted files renamed with a “.FEEDC” extension. Weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials are some of the tactics the group used to gain an initial foothold on the target network, the FBI said.
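The two behaviours the alert singles out, Office documents launching PowerShell and files being renamed with the “.FEEDC” extension, are the kind of thing a defender can alert on. The following is an added example, not code from the post or from the FBI alert; the event schema (`type`, `host`, `parent`, `image`, `new_path`) and the sample events are constructed for illustration and would need to be mapped to your own EDR or Sysmon field names.

```python
"""Toy detection pass for two Conti behaviours described in the FBI alert:
an Office process spawning a shell/script host, and a burst of renames
to the ".FEEDC" extension on one host. Field names are assumptions."""
import json
from collections import Counter

# Constructed sample telemetry (not real captures): process-creation
# events plus a burst of file renames from a single file server.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell -w hidden -enc <redacted>"},
    {"type": "process", "host": "ws01", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell Get-ChildItem"},
    {"type": "process", "host": "ws02", "parent": "EXCEL.EXE",
     "image": "cmd.exe", "cmdline": "cmd /c whoami"},
] + [
    {"type": "rename", "host": "srv01", "path": f"\\\\srv01\\share\\doc{i}.docx",
     "new_path": f"\\\\srv01\\share\\doc{i}.docx.FEEDC"} for i in range(12)
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RENAME_THRESHOLD = 10  # renames to .FEEDC on one host before alerting

def office_spawned_shell(ev):
    """True when an Office application is the parent of a shell or script host."""
    return (ev.get("type") == "process"
            and ev.get("parent", "").lower() in OFFICE_PARENTS
            and ev.get("image", "").lower() in SCRIPT_HOSTS)

def feedc_rename_bursts(events, threshold=RENAME_THRESHOLD):
    """Map host -> count for hosts whose .FEEDC renames reach the threshold."""
    per_host = Counter(ev["host"] for ev in events
                       if ev.get("type") == "rename"
                       and ev.get("new_path", "").lower().endswith(".feedc"))
    return {h: n for h, n in per_host.items() if n >= threshold}

def analyse(events):
    """Return alerts as plain dicts so they can be forwarded to a SIEM."""
    alerts = [{"rule": "office_spawned_shell", "host": ev["host"],
               "parent": ev["parent"], "image": ev["image"]}
              for ev in events if office_spawned_shell(ev)]
    alerts += [{"rule": "feedc_rename_burst", "host": h, "count": n}
               for h, n in feedc_rename_bursts(events).items()]
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The rename threshold is deliberately low for the constructed data; in production it should be tuned per host type, since a backup job touching many files can otherwise look like an encryption run.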
“The actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware,” the agency noted, adding the ransom amounts are tailored to each victim, with recent demands ratcheting up to as high as $25 million.
The alert also comes amid a proliferation of ransomware incidents in recent weeks, even as extortionists continue to seek exorbitant prices from companies in hopes of landing a huge, quick payday. Insurance major CNA Financial is said to have paid $40 million, while Colonial Pipeline and Brenntag have each shelled out nearly $4.5 million to regain access to their encrypted systems.
“Conti weaponizes Word documents”
Microsoft managed to push everyone away from WordPerfect into Microsoft Word over twenty-five years ago. WordPerfect was and still is superior to Microsoft Word and WordPerfect files can’t be infected the way Microsoft Word files can.
Let’s stay focused on the message here.
Please do not confuse people by quoting out of context.
The entire relevant content says, “Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware. Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery. The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals [1] and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data [2]. In some cases where additional resources are needed, the actors also use Trickbot [3]. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS”.
ANY attachment to an email, regardless of whether it is Word, PDF, JPG, you name it, and yes, WordPerfect docs, presents an attack vector for Conti and numerous other malicious packages, known and not known, to be injected with and deliver malicious code. Attachments are not the only attack vector. You can have an entire folder or server filled with WordPerfect documents that are easily compromised.
BTW: WordPerfect has a reveal codes function where malicious code can be inserted and passed on to the more than sixty file formats it can read and write including Word. Infecting a WordPerfect doc is easier than cutting and pasting into these comments. (If you know how).