The Federal Bureau of Investigation (FBI), on May 20, released a “Flash” alert stating that the notorious Conti ransomware gang, which reportedly targeted the Irish health system last week, has hit at least 16 healthcare and emergency first responder networks in the U.S. Its victims’ list includes law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities of various districts.
Conti Continues its Merry in the U.S.
According to the FBI, the Conti ransomware gang has victimized more than 400 organizations worldwide, of which 290 are in the U.S. alone. The recorded dwell time in a victim’s network ranges from four days to three weeks. There is no fixed ransom figure quoted by its operators; the demand varies widely with the size of the targeted organization. The highest recorded Conti demand stands at $25 million.
The TTPs of Conti Ransomware
According to the FBI’s Cyber Watch (CyWatch) researchers, Conti’s operators infiltrate victim networks through phishing emails (malicious links or attachments) or stolen/cracked remote desktop protocol (RDP) credentials.
“Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then drops Emotet onto the network, giving the actor access to deploy ransomware.”
The deployment phase of Conti is generally a three-stage process:
- In the first stage, Conti operators use tools that are readily available on the network to penetrate further inside.
- In the second stage, they add tools such as Windows Sysinternals and Mimikatz as needed to escalate privileges and move laterally through the network. Where additional resources are needed, the actors add a further step and deploy the Trickbot malware.
- In the final stage, the Conti operators deploy the ransomware, exfiltrate critical data useful for negotiations, and finally encrypt data on victims’ computers. After deployment, the operators may remain in the network and beacon out using Anchor DNS.
The Conti ransomware gang leaves a ransom note on the victim’s computer with its contact details, generally a ProtonMail email address. If the victim takes no action within a week of the ransomware deployment, the operators call the victim using single-use Voice over Internet Protocol (VoIP) numbers.
The gang specifically uses remote access tools that connect through domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080, and 8443. For persistence in the victim’s network, they may also use port 53. The CyWatch researchers advise organizations’ IT and cybersecurity teams to look out for “large HTTPS transfers going to cloud-based data storage providers like MegaNZ and pCloud servers.” Conti is known to use these services as command and control (C2) servers.
Other indicators of Conti activity include newly created accounts and tools that the organization did not install, disabled endpoint detection, and constant HTTP and domain name system (DNS) beacons.
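As an added example (not from the FBI alert or this article), the following Python script applies the two network indicators above to a few constructed proxy-log lines: it flags single large flows to the named cloud storage providers and near-constant-interval connections on the listed ports. The log format, the 100 MiB threshold and the 10% jitter tolerance are assumptions.

```python
from collections import defaultdict
from statistics import pstdev
# Constructed proxy-log lines (not real telemetry): epoch_ts src dst_host dst_port bytes_out
SAMPLE_LOG = """\
1621500000 10.0.0.5 mega.nz 443 734003200
1621500010 10.0.0.7 login.microsoftonline.com 443 2048
1621500000 10.0.0.9 203.0.113.10 8443 512
1621500060 10.0.0.9 203.0.113.10 8443 520
1621500120 10.0.0.9 203.0.113.10 8443 498
1621500180 10.0.0.9 203.0.113.10 8443 515
1621500240 10.0.0.9 203.0.113.10 8443 530
1621500300 10.0.0.9 203.0.113.10 8443 505
1621500400 10.0.0.5 eu.pcloud.com 443 157286400
"""
CLOUD_STORAGE = ("mega.nz", "pcloud.com")  # providers named in the FBI alert
C2_PORTS = {80, 443, 8080, 8443, 53}       # ports the alert associates with Conti access
LARGE_UPLOAD_BYTES = 100 * 1024 * 1024     # assumed threshold: 100 MiB in a single flow

def parse_log(text):
    """Parse whitespace-separated lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[0] + parts[3] + parts[4]).isdigit():
            continue
        records.append({"ts": int(parts[0]), "src": parts[1], "host": parts[2].lower(),
                        "port": int(parts[3]), "bytes_out": int(parts[4])})
    return records
def is_cloud_storage(host):
    # exact or subdomain match, so "notmega.nz" does not match "mega.nz"
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)
def find_large_cloud_uploads(records, threshold=LARGE_UPLOAD_BYTES):
    """Indicator 1: single large HTTPS flows to the named cloud storage providers."""
    return [r for r in records if r["bytes_out"] >= threshold and is_cloud_storage(r["host"])]
def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Indicator 2: (src, host, port) on C2 ports whose connection gaps have CV <= max_jitter."""
    groups = defaultdict(list)
    for r in records:
        if r["port"] in C2_PORTS:
            groups[(r["src"], r["host"], r["port"])].append(r["ts"])
    hits = []
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            hits.append((key, round(mean)))   # (flow key, beacon period in seconds)
    return hits
```

On real telemetry the thresholds should be tuned against a baseline of legitimate cloud backup and update traffic, which also produces large transfers and periodic check-ins.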
Conti Becomes a Good Samaritan in Ireland
As reported by the FBI, the Conti ransomware gang has targeted every industry worldwide, and late last week the Irish Health Service Executive (HSE) felt its heat as well. However, Micheál Martin, the Prime Minister of Ireland, made it clear that they “will not pay any ransom” to these cybercriminals.
The attack, attributed to “an unknown vulnerability in the IT systems,” impacted the IT systems of all local and national health care facilities in Ireland. Its effect was also felt on the COVID-19 response, as many diagnostic and testing centers were briefly suspended. Many experts deemed the attack “morally inappropriate,” since the health care sector is already stretched by the current pandemic and an attack like this could bring down the entire sector in one go.
This might have led to a change of heart for the Conti operators, because the cybercriminals have reportedly handed over the decryption tool to their victims for free. On the darknet website controlled by Conti, the gang left a message for the Irish HSE stating, “We are providing the decryption tool for your network for free.” On receiving this news, the Irish Prime Minister was elated but said, “Enormous work is still required to rebuild the system overall.”
Conti’s handover of the decryption key cannot be considered a complete success, and the disruption cannot be overlooked, because the operators are still threatening to publish or sell the critical data they exfiltrated during the attack. The ransom demanded stands at $20 million (about £14 million), which the Irish government is refusing to pay. Meanwhile, Health Minister Stephen Donnelly told Irish broadcaster RTÉ: “Our technical team is currently testing the tool and the initial responses are positive.”