The Cyber Division of the FBI released a FLASH alert this month due to the ransomware group Conti targeting U.S. healthcare networks. Conti has been known to demand upwards of $25 million to release the victim’s information. If the ransom is not paid, Conti will publish or sell the data on a site controlled by Conti. Ransomware attacks can be particularly damaging for health care organizations when the data held hostage is needed to deliver care to patients.
We’re all too familiar with phishing emails, and Conti is hoping we let our guard down. They use links and attachments in phishing emails to gain access to networks. The FLASH alert goes on to say “Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware. Actors are observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery.” So now is not the time to lighten up on phishing training for users!
The FBI lists some recommended mitigations to help prevent a successful attack:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Require administrator credentials to install software.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organizations.
- Disable hyperlinks in received emails.
- Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
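Several of the items above (audit administrative accounts, disable unused RDP, monitor RDP logs) can be checked on a Windows host with a short read-only script. The following is an added example written for this post, not code from the FBI alert or from BlueOrange. It assumes PowerShell 5.1 or later with the LocalAccounts module (Windows 10 / Server 2016 and newer), an elevated session so the Security log can be read, and that the approved-administrators list, the seven-day lookback and the private-address pattern are placeholders you replace with your own values. Property indexes for event 4624 follow the standard event schema (index 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress).

```powershell
# Added example (not from the FBI FLASH alert or BlueOrange): read-only audit of a few
# of the FBI-listed Conti mitigations on one Windows host. Run from an elevated session.
# ASSUMPTIONS to adjust: the approved admin list, the lookback window, the private-range regex.

$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Server-Admins')  # assumption
$LookbackDays   = 7                                                          # assumption
$PrivateRanges  = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|-$)' # assumption

$findings = @()

# 1. "Audit user accounts with administrative privileges": list local Administrators and
#    flag anything not on the approved list (least privilege).
$admins     = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpected = $admins | Where-Object { $ExpectedAdmins -notcontains $_ }
if ($unexpected) {
    $findings += "Unexpected members of local Administrators: $($unexpected -join ', ')"
}

# 2. "Disable unused remote access/RDP": fDenyTSConnections = 1 means Remote Desktop is off.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop is enabled; confirm it is required and reachable only via VPN/firewall rules'
    # If RDP stays on, Network Level Authentication (UserAuthentication = 1) should be required.
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    if ($nla.UserAuthentication -ne 1) {
        $findings += 'RDP is enabled without Network Level Authentication'
    }
}

# 3. "Monitor remote access/RDP logs": successful RDP logons are Security event 4624 with
#    Logon Type 10 (RemoteInteractive). Collect who logged on and from where.
$since     = (Get-Date).AddDays(-$LookbackDays)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            Source = [string]$_.Properties[18].Value
        }
    }

# Any RDP logon whose source is not a private address suggests RDP is exposed to the internet.
$external = $rdpLogons | Where-Object { $_.Source -notmatch $PrivateRanges }
if ($external) {
    $sources = ($external | Select-Object -ExpandProperty Source | Sort-Object -Unique) -join ', '
    $findings += "RDP logons from non-private addresses in the last $LookbackDays days: $sources"
}

# Report.
if ($findings.Count -eq 0) {
    'No findings for the checks in this script.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
'Most recent RDP logons:'
$rdpLogons | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

The script only reads registry values, group membership and the Security log; it changes nothing, so it is safe to schedule on servers and feed its output to whatever ticketing or SIEM you already use. Its coverage is deliberately narrow (one host, three of the FBI's items) and it does not replace the backup, segmentation and patching controls listed above.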
BlueOrange also offers Penetration Testing to see just how far a group like Conti could get in your environment! Here is a LINK for more information on the types of Pen Testing we offer.