FBI warns of Conti ransomware attacks targeting U.S. healthcare networks

Posted on: Monday, May 24, 2021 By: KorchekStaff

The agency said it had identified at least 16 incidents over the last year aimed at healthcare and first responder systems.

The Federal Bureau of Investigation released a bulletin this past week that warned of Conti ransomware attacks targeting U.S. healthcare and first responder networks.  

Over the past year, the FBI has identified at least 16 of these kinds of incidents, the report said.  

"Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim," explained the notice.

"The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors," it added.  


The healthcare networks victimized by Conti included law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities.   

More than 400 organizations have been targeted worldwide, said the FBI, including upwards of 290 in the United States.  

The agency outlined the typical Conti attack, explaining that bad actors gain access to networks through weaponized malicious email links, attachments or stolen remote desktop protocol credentials.  

"Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware," read the alert.

The FBI also said that if the victim does not respond to the ransom demands within two to eight days of the deployment, hackers often call them using single-use Voice Over Internet Protocol numbers. The actors may also communicate via ProtonMail.  

Although ransom amounts vary widely, demands have been as high as $25 million. The FBI does not encourage paying ransoms, but does acknowledge that victims may decide to do so.  

"Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local field office or the FBI’s 24/7 Cyber Watch," said the agency.  

"Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law," it added.  

The FBI recommended a number of mitigations, including regular backups, network segmentation, multi factor authentication, strong passwords and cyber security training.  


After a relatively quiet start to the year, the number of ransomware attacks against healthcare organizations is ramping up.  

Conti was the ransomware group responsible for the "significant" attack against Ireland's health system this month, which is still affecting services. (Somewhat unexpectedly, the group has offered over the decryption tool necessary for the network to recover, although it is still threatening to publish patient data.)  

And although Scripps Health has not offered details about the nature of the incident that took its systems offline for weeks, independent sources have told local outlets that ransomware was involved.  


"Cyber attacks targeting networks used by emergency services personnel can delay access to real time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed," read the FBI alert.  

"Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information," it continued.