Wed | May 26, 2021 | 9:30 AM PDT

The FBI is asking for your help after a string of Conti ransomware attacks targeted U.S. healthcare and first responder networks.

The affected organizations include law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.

Conti has attacked more than 400 organizations worldwide, with more than 290 of them located in the U.S.

FBI wants information on Conti ransomware

It is obvious that cyberattacks on emergency services can have very serious, real-world consequences, as we have seen recently with the Colonial Pipeline incident.

That is why the FBI is asking organizations to share any information they have that relates to Conti ransomware.

Here is the specific information the FBI is asking for:

"The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to promptly report ransomware incidents to your local field office or the FBI's 24/7 Cyber Watch (CyWatch). Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law."

Details of Conti ransomware attacks

In addition to this call for help, the FBI has also provided technical details of how the Conti ransomware operates:

"Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware.

Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery. The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals and Mimikatz to escalate privileges and move laterally through the network before exfiltrating and encrypting data.

In some cases where additional resources are needed, the actors also use Trickbot. Once Conti actors deploy the ransomware, they may stay in the network and beacon out using Anchor DNS."
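The FBI's description above notes that Conti's initial foothold often comes from Word documents with embedded PowerShell. The following detection routine is an added example written for this article, not code from the FBI or the original post; it flags process-creation events where an Office application is the parent of a script host, and scores the command line for the switches commonly seen in that pattern. The event shape, field names and sample values are constructed assumptions for the example.

```python
"""Flag Office -> script-host parent/child chains in process-creation events.

Added example (not from the FBI flash). Event fields mirror a Sysmon-style
process-creation record but are an assumption of this example.
"""
from dataclasses import dataclass
import ntpath

# Office parents and script hosts to watch (assumed, non-exhaustive list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Command-line fragments that raise confidence when seen under an Office parent.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "downloadstring", "iex")


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def is_office_spawned_script(ev: ProcEvent) -> bool:
    """True when an Office application is the direct parent of a script host."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS


def score(ev: ProcEvent) -> list:
    """Return the indicators matched by this event; an empty list means no hit."""
    hits = []
    if is_office_spawned_script(ev):
        hits.append("office-parent-spawns-script-host")
        cl = ev.command_line.lower()
        hits.extend(f"cmdline:{flag}" for flag in SUSPICIOUS_FLAGS if flag in cl)
    return hits


def find_alerts(events) -> list:
    """Return (host, indicators) for every event that matched at least one rule."""
    return [(ev.host, score(ev)) for ev in events if score(ev)]


# Constructed sample events: one macro-style chain, one benign admin script, one bare cmd.exe.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hi"),
]

if __name__ == "__main__":
    for host, indicators in find_alerts(SAMPLE_EVENTS):
        print(host, indicators)
```

Parent/child matching alone will also fire on legitimate add-ins that launch cmd.exe, so the command-line indicators are what separate a triage item from a high-confidence alert.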

If you have any information relating to Conti ransomware, you can reach out to an FBI Field office or contact CyWatch at (855) 292-3937 or by email at CyWatch@ic.fbi.gov.

For more information and recommended mitigations, you can read the FBI report on Conti ransomware.
