Cyber gang behind Irish health system attack also hit more than a dozen US healthcare organisations
Conti group has attacked more than 400 entities worldwide including law enforcement agencies, municipalities, emergency medical services and 911 dispatch centres
The Federal Bureau of Investigation (FBI) said on Thursday that the Conti ransomware operatives who recently took down the Irish health system have also hit the networks of at least 16 US healthcare and first response organisations in the past 12 months.
The agency shared the information via a flash alert [pdf] to help security professionals and network admins secure their organisation's network against future Conti attacks.
According to the FBI, the Conti group has attacked more than 400 entities worldwide, of which 290 are located in the US. The organisations compromised by the gang include law enforcement agencies, municipalities, emergency medical services, 9-1-1 dispatch centres and other entities.
"Like most ransomware variants, Conti typically steals victims' files and encrypts the servers and workstations in an effort to force a ransom payment from the victim," the FBI cyber division said.
The ransoms demanded by the gang are usually "custom-tailored to each victim, with recent ones being as high as $25 million."
"Conti actors gain unauthorised access to victim networks through weaponised malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponises Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware," the FBI said.
After gaining initial entry into the network, the attackers wait for about four to 21 days on average before deploying Conti ransomware on targeted systems.
They use a variety of tools, such as Mimikatz and Trickbot, to escalate privileges and to move laterally through the network.
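The initial-access chain the FBI describes (a weaponised Word document launching an embedded PowerShell script) leaves a characteristic parent/child process relationship that defenders can alert on. The following is an added example, not code from the FBI alert or the article: it scans constructed process-creation events in a Sysmon-like JSON-lines shape (the field names `image`, `parent_image`, `cmdline` are an assumption, not a real product schema) and flags script hosts whose parent is an Office application, noting an encoded command line as a secondary indicator.

```python
"""Flag script hosts spawned by Office processes in process-creation events.

Added example (not from the FBI alert or the article): a defender-side check
for the chain described above, where a weaponised Word document launches an
embedded PowerShell script. Event shape and field names are an assumption
loosely modelled on Sysmon Event ID 1; the sample events are constructed.
"""
import json

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# PowerShell accepts abbreviated switches, so match every spelling of
# -EncodedCommand; an encoded command line is a secondary indicator.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

# Constructed JSON-lines sample: a Word->PowerShell hit with an encoded
# command, a benign admin script under explorer.exe, an Excel->cmd hit.
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"CORP\\jdoe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -enc PLACEHOLDER_BASE64"}
{"host":"ws02","user":"CORP\\admin","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -File C:\\scripts\\backup.ps1"}
{"host":"ws03","user":"CORP\\asmith","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c echo hi"}
"""

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_office_spawned_script(event: dict) -> bool:
    """True when a script host's parent process is an Office application."""
    return (basename(event.get("parent_image", "")) in OFFICE_PARENTS
            and basename(event.get("image", "")) in SCRIPT_HOSTS)

def has_encoded_command(cmdline: str) -> bool:
    return any(tok in ENCODED_FLAGS for tok in cmdline.lower().split())

def find_office_spawned_scripts(jsonl: str) -> list[dict]:
    """One alert record per suspicious event, in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_office_spawned_script(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "parent": basename(ev["parent_image"]),
                           "child": basename(ev["image"]),
                           "encoded": has_encoded_command(ev.get("cmdline", ""))})
    return alerts
```

Running `find_office_spawned_scripts(SAMPLE_EVENTS)` on the constructed sample returns alerts for ws01 and ws03 only; the explorer.exe-launched backup script on ws02 is not flagged.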
The Conti ransomware group is believed to be part of a sophisticated Russia-based cybercrime gang known as Wizard Spider, which has been increasingly active in the past year, the FBI said.
The group also shares some of its code with the Ryuk ransomware.
Conti operatives last week targeted the Irish Health Service (HSE) network in a major ransomware attack.
Irish Prime Minister Micheál Martin said the government "will not be paying any ransom" to hackers or "engaging in any of that sort of stuff."
After the HSE refused to pay the ransom, the group started leaking patients' medical and personal details online.
The Conti operatives are reportedly asking a $20 million (£15 million) ransom from HSE, with the promise that they would delete the stolen data from their systems on payment. The gang claimed in its ransom note that it had encrypted SQL servers and file servers and exfiltrated more than 700 GB of confidential data, including phone numbers and the addresses of doctors, nurses and patients.
According to Bloomberg, the hackers have now provided HSE with a decryption key that they said could be used to unlock systems infected with the ransomware. However, the group has threatened to publish patient data online unless it is paid the demanded ransom.
HSE chief Paul Reid said last week that the cyber incident was having a major impact on all local and national systems involved in core services.
The HSE stated on its website that "hospitals and community services nationwide are seeing varied impacts, but all teams are responding with contingency arrangements, including redeploying staff, rescheduling some procedures and appointments, and adjusting processes as needed."
The Irish government's National Cyber Security Centre (NCSC) said that the attackers also attempted to compromise the network of the Irish Department of Health, although the malicious activity on the network was thwarted by the NCSC's cyber experts before the ransomware was triggered.