The United States Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the U.S. Secret Service and the Federal Bureau of Investigation (FBI), has updated a September 2021 security advisory about the Conti ransomware-as-a-service (RaaS) operation.
The Conti ransomware gang is one of the most active ransomware cyber actors. Chainalysis said in a 2022 report that the Conti ransomware gang is known to have obtained at least $180 million in ransom payments in 2021 alone. According to the security alert, as of February 28, 2022, the Conti group has conducted at least 1,000 ransomware attacks on U.S. and international organizations, including healthcare providers and their business associates.
The Conti ransomware gang was behind the ransomware attack on the Irish Health Service Executive (HSE) in May 2021. In that attack, the gang provided the keys to the HSE to allow files to be decrypted at no cost, but the disruption caused by the attack lasted for 4 months and the remediation efforts cost in excess of €100 million. Earlier this month the Conti and Karma ransomware gangs attacked a Canadian healthcare provider simultaneously, and both successfully exfiltrated sensitive data. In the initial alert, the FBI said the Conti gang has attacked at least 16 healthcare organizations in the United States.
The re-issued update provides additional information for network defenders to help them better protect against attacks, including Indicators of Compromise (IoCs), domains known to be used by the gang, and details of the MITRE ATT&CK techniques used by the gang to gain access to victims’ networks. Those techniques include spear phishing emails, phishing emails containing malicious attachments and hyperlinks, Cobalt Strike, and the TrickBot Trojan, BazarBackdoor, and ZLoader malware distribution networks. The group is also known to use stolen credentials, exploit weak RDP credentials, make use of phone calls and fake software installers, and exploit common vulnerabilities in software and operating systems.
The Conti gang recently voiced support for Russia in the conflict with Ukraine and threatened retaliation for attacks on Russia. While the Conti ransomware gang is believed to operate out of Russia, its affiliates are based in several countries in Eastern Europe including Ukraine. A Ukrainian hacker, in response to the show of support for Russia, leaked the source code of Conti ransomware and the gang’s administrative panels, along with over two years of internal chat logs between members of the gang. Those chat logs have revealed details of how the group operates.
The chat logs confirm that while Conti is a RaaS operation, its affiliates are paid a wage for conducting attacks rather than a cut of the ransoms they generate. The logs show the Conti gang runs its operation very much like a legitimate business, complete with bonuses for staff, an employee of the month program, and employee performance reviews.
Conti ransomware attacks are showing no sign of slowing. Healthcare organizations should read the updated alert and implement the recommended mitigations to improve their defenses against attacks.