Skip to main content

Conti Ransomware Behind Hacks at Least 16 U.S. Health Orgs

by Chris Brook on Monday May 24, 2021

Contact Us
Free Demo

The attacks are just a fraction of the 400 victim organizations worldwide, according to the FBI.

If you haven't been paying attention, the ransomware-as-a-service model has been working wonders for attackers who use the tools to execute ransomware attacks.

While DarkSide, which allegedly raked in roughly $90 million in Bitcoin over the last nine months got all the headlines of late, they're far from the only group making life a nightmare for administrators.

Conti, the ransomware group behind a recent compromise of Ireland's Health Service Executive or HSE, is actively targeting and exploiting other facilities in the healthcare industry, including first responder networks.

The attacks are apparently serious enough to merit a warning from the FBI; a flash alert issued late last week and shared by the American Hospital Association said the group hit 16 organizations, including 911 dispatchers, emergency medical services, law enforcement, and municipalities, over the past year as part of a campaign.

The fact that the FBI is only highlighting 16 attacks is surprising when there’s been many more. The agency goes on to say that the 16 attacks are just some of the more than 400 organizations that have been hit by Conti to date; more than 290 of the 400 are located in the U.S.

It shouldn’t come as a surprise but attacks against critical services like 911 dispatch systems can have a life-altering impact by affecting patient healthcare and treatment, not to mention hinder prosecution, access to sensitive data and compromise Protected Health Information.

Conti has been around for about a year but it wasn't until last summer that experts suggested the ransomware could be poised to become the successor to Ryuk, the ransomware that knocked Universal Health Services offline last fall, costing the healthcare organization $67 million in the process.

While many have noted Conti shares code with Ryuk, they do have their differences, like how each encrypts files.

Like many groups these days, Conti has taken to selling or publishing the data it steals if victims don't pay the ransom. Like groups Maze and Doppelpaymer, Conti is one of the groups that made headlines several months ago by reportedly cold calling victims who don't pay in hopes of putting further pressure on them.

Healthcare administrators are encouraged to review activity on ports used by Conti actors, including ports 80, 443, 8080, and 8443, along with port 53 for persistence.

"Other indicators of Conti activity include the appearance of new accounts and tools - particularly Sysinternals - which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system (DNS) beacons, and disabled endpoint detection," the FBI wrote.

The HSE attack, which started 10 days ago, knocked all of the health service's IT systems offline and is believed to be the largest cyberattack against an Irish state agency. While the Conti group gave a decryptor tool to HSE, they still warned they'd publish "a lot of private data" if the organization didn't try to contact them to remediate the situation.

Ryuk was the scourge of healthcare and public health services last fall but judging from the FBI’s note it sounds like the gang behind Conti has been just as prolific.

Tags:  Ransomware

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.