The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.

Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and the FBI assesses are tailored to the victim. Recent ransom demands have been as high as $25 million.

Cyber attacks targeting networks used by emergency services personnel can delay access to realtime digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed. Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges. Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.

According to the FBI, Conti actors use remote access tools, which most often beacon to domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080, and 8443. Additionally, actors may use port 53 for persistence. Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers. Other indicators of Conti activity include the appearance of new accounts and tools—particularly Sysinternals—which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system (DNS) beacons, and disabled endpoint detection. 

Joseph Neumann, Cyber Executive Advisor at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, explains, "Ransomware groups, like the Conti actors, are going to keep popping up and continue to gain sophistication with every organization that pays.  Hitting first responders and hospitals are good targets due to the pressing need to get back into service after an attack.  Even if these organizations have a solid plan to get back to normal, it might be slower than paying the ransomware.  As seen from the Colonial pipeline incident, that is still affecting gas prices and demand, restoration of service is slow even when the ransom is paid.  Additionally, the huge reported payout is only going to give these attackers more equity to continue improving their infrastructure and attract new and better talent.  The decision to pay the ransom is an extremely difficult decision."

Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware, says the FBI. Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery. The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals1 and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data2 . In some cases where additional resources are needed, the actors also use Trickbot3 . Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS.

If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers. The actors may also communicate with the victim using ProtonMail, and in some instances victims have negotiated a reduced ransom. 

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, says, "While each of the active ransomware groups have their own particular collection of tools – after all, if you’re going to carry out 400+ attacks in a year, reusability of tools and techniques becomes the key to scaling out efficiently – it is remarkable how well-known and pedestrian many of the tools are. This FBI report mentions Mimikatz, a tool created in 2007. Elements of Cobalt Strike were also used in the SolarWinds supply chain hack. Stolen RDP credentials are leveraged by multiple ransomware groups. Encrypting data (to cause operational mayhem) and extorting ransoms (particularly via hard-to-trace cryptocurrencies) is the relatively recent phenomenon. While there can be concerted governmental efforts to temporarily disrupt certain ransomware groups (I say “disrupt” because it is relatively easy for the groups to reform under a different “brand”), businesses have to get much better are recognizing a spike of dangerous signals in their environments and stopping the attacks before exfiltration and encryption begins.

"Conti gang using Emotet, that answers in parts the question about who will be the successor in using the toolset compiled by the original Emotet makers. Next to that, the FBI flash alert is reiterating what was to be expected. Cyber criminals targeting systems and services where are disruption would be a big issues for the communities so the chance to actually get the ransom is higher than on average," notes Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software. "As various research projects into the cyber resilience of critical infrastructures have shown, it is likely that this campaign will find its victim, and even prominent and large ones. Being ready for this attack pattern can be achieved with device hardening, secure configurations and change control as one element, and with readiness within the workforce as the other one."

Chris Morales, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based Resolution Intelligence® provider, says, "This is the next big thing that everyone should worry about. Ransomware is already bad enough. Ransomware-as-a-Service (RaaS) is a service based affiliate program that provides all the tools and techniques to anyone who wants to start their own ransomware franchise for a percentage of the cut. This is cybercrime at scale, and the outcome is the Conti actors will continue to develop and improve their services to improve affiliate success rates."