A recent TLP:WHITE flash alert from the FBI reveals that Conti ransomware group has attacked U.S. healthcare and first responder organizations at least 16 times. The FBI shared this information to help system administrators and cyber security professionals safeguard their network against similar attacks.
At least 16 Conti ransomware attacks.
“The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year,” per the Federal Bureau of Investigation Cyber Division flash alert of May 20, 2021.
According to the FBI, more than 400 organizations have been attacked by Conti worldwide, with at least 290 of those organizations in the United States. Organizations fall victim to these attacks after Conti gains access to their network through weaponized malicious email links or attachments, or through stolen Remote Desktop Protocol (RDP) credentials.
Though ransom amounts have varied, the FBI assesses that demands have been as high as $25 million. Targeted organizations that do not respond to the ransom request within 2 to 8 days are then contacted by the Conti actors, who negotiate using single-use Voice over Internet Protocol (VoIP) numbers that are difficult to track.
The FBI does not encourage paying ransoms, as payment does not guarantee that the ransomed data or network will be recovered. It does, however, encourage taking the necessary steps to mitigate and minimize ransomware attacks.
To protect your organization against ransomware, the FBI offers the following recommendations:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multi-factor authentication where possible. Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Require administrator credentials to install software.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (e.g., ransomware and phishing scams).
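The recommendation to monitor remote access/RDP logs is the one item in the list that can be turned directly into a concrete check. The script below is an added example, not code from the FBI alert or from this article. It assumes Windows Security events have been exported as JSON lines carrying the fields TimeCreated, EventID, LogonType, IpAddress and TargetUserName (the export format is an assumption; the field names follow the Windows event schema). Event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive) are the standard Windows values for RDP sessions. The check flags any source address with a burst of failed RDP logons and notes whether a successful RDP logon from the same address followed, which is the case that most needs a human to look at it, since stolen or guessed RDP credentials are one of the initial access paths named above.

```python
"""Flag brute-force style RDP logon activity in an exported Windows Security log.

Added example (not from the FBI alert or the article). Assumes a JSON-lines
export with the fields TimeCreated, EventID, LogonType, IpAddress and
TargetUserName. Event IDs 4625/4624 and LogonType 10 are the standard Windows
Security log values for failed/successful RDP (RemoteInteractive) logons.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # "An account failed to log on"
SUCCESSFUL_LOGON = 4624      # "An account was successfully logged on"
RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive (RDP)
DEFAULT_THRESHOLD = 5        # failed RDP logons from one address ...
DEFAULT_WINDOW = timedelta(minutes=10)  # ... inside this window = a burst

# Constructed sample export (JSON lines); not real telemetry. Addresses are
# documentation ranges, account names are made up.
SAMPLE_LOG = """
{"TimeCreated": "2021-05-20T03:00:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator"}
{"TimeCreated": "2021-05-20T03:00:09", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "admin"}
{"TimeCreated": "2021-05-20T03:00:14", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "backup"}
{"TimeCreated": "2021-05-20T03:00:20", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "helpdesk"}
{"TimeCreated": "2021-05-20T03:00:27", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "jsmith"}
{"TimeCreated": "2021-05-20T03:01:02", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "jsmith"}
{"TimeCreated": "2021-05-20T03:02:00", "EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.45", "TargetUserName": "svc_sql"}
{"TimeCreated": "2021-05-20T08:15:00", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "mlee"}
{"TimeCreated": "2021-05-20T08:15:30", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "mlee"}
{"TimeCreated": "2021-05-20T09:00:00", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "itadmin"}
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts with a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda r: r["TimeCreated"])


def find_rdp_bruteforce(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return {ip: summary} for addresses with >= threshold failed RDP logons in `window`.

    summary["failures"] is the largest number of failures seen in any single window,
    summary["users"] the distinct accounts tried, and summary["success_after"] is True
    when a successful RDP logon from the same address follows the first failure.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        # Only RDP (RemoteInteractive) sessions; network logons (type 3) etc. are skipped.
        if str(ev.get("LogonType")) != str(RDP_LOGON_TYPE):
            continue
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == FAILED_LOGON:
            failures[ip].append(ev)
        elif ev["EventID"] == SUCCESSFUL_LOGON:
            successes[ip].append(ev)

    findings = {}
    for ip, evs in failures.items():
        times = [e["TimeCreated"] for e in evs]  # sorted, because events are sorted
        densest, start = 0, 0
        for end in range(len(times)):           # sliding window over the failure times
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest < threshold:
            continue
        first_failure = times[0]
        success_after = any(s["TimeCreated"] >= first_failure for s in successes.get(ip, []))
        findings[ip] = {
            "failures": densest,
            "users": sorted({e["TargetUserName"] for e in evs}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        flag = "SUCCESSFUL LOGON AFTER BURST" if info["success_after"] else "failures only"
        print(f"{ip}: {info['failures']} failed RDP logons, accounts tried {info['users']} ({flag})")
```

Run against the sample, only 203.0.113.45 is reported: five failed RDP logons against five different accounts in under half a minute, followed by a successful logon as jsmith, which is exactly the pattern worth an immediate credential reset and session review. The single failure from 198.51.100.7 stays below the threshold, and the type-3 (network) failure is ignored because the check is scoped to RDP sessions. The threshold and window are parameters so the same logic can be tuned to an environment's normal failure rate.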