How Ireland’s Medical Facilities Were Taken Down
[Dateline: Safety Harbor, FL, 6-16-21 — Alaris Threat Management Consultants is a leading provider of cyber defense for small- to medium-sized healthcare and medical practices. This article is an introduction to the current threat posed by ransomware.]
The FBI Cyber Division issued a flash alert in May 2021 warning of the Conti ransomware actors.
The FBI identified at least 16 Conti ransomware attacks targeting the US healthcare industry and first responder networks, including law enforcement agencies, medical practices, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.
These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals and exfiltrates victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim.
The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and are assessed to be tailored to the victim. Recent ransom demands have been as high as $25 million.
Attacks linked to Conti and the DarkSide ransomware variant, most recently linked to the attack on Colonial Pipeline, are believed to originate from “criminal networks operating from a noncooperative foreign jurisdiction,” according to the advisory published by the American Hospital Association (AHA).
Conti specifically has been linked to “Wizard Spider”, a cybercrime group based in and around Saint Petersburg in Russia.
On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack that caused all of its IT systems nationwide to be shut down and replaced with a paper-based contingency system. The hackers demanded $20M to free the system.
While life-saving equipment and COVID-19 vaccine programs were still operating, several healthcare practices across Ireland were forced to cancel low-priority appointments.
The chief executive of the HSE said on Sunday there is a “high risk” the criminals behind the cyberattack will fulfil their threat to release patient details. The Irish Government said it is “aware of the risk” that personal data stolen from the HSE may be published online.
The ransomware group responsible has relented and offered a decryption tool free of charge to the HSE. The Irish government says it is testing the tool and insists it did not pay, and would not pay, a ransom.
The Technical Nitty Gritty of Conti
Foot in the door: Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials, usually obtained through spear phishing.
Once inside, Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware.
Cobalt Strike is actually an off-the-shelf commercial product intended for use by penetration testing professionals.
The tool has been criticized due to its use by cybercriminals, with the tool used to deploy ransomware, surveil target computers and networks, and to download confidential data from target systems. Cybersecurity firm Recorded Future identified the tool as being used to control 13.5% of malicious command and control servers deployed in 2020. Ironically, the company that produces Cobalt Strike is named “HelpSystems”.
Actors have been observed inside the victim network between four days and three weeks on average before deploying Conti ransomware, primarily using dynamic-link libraries (DLLs) for delivery.
The actors first use tools already available on the network, and then add tools as needed, such as Windows Sysinternals and Mimikatz, to escalate privileges and move laterally through the network before exfiltrating and encrypting data. In some cases where additional resources are needed, the actors also use Trickbot.
Once Conti actors deploy the ransomware, they may stay in the network and hide communications back to command and control servers using Anchor DNS.
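The staging chain above (Office document spawning PowerShell, encoded PowerShell, and DLL delivery via rundll32/regsvr32 from user-writable paths) leaves a recognizable parent/child trail in process-creation telemetry. The detector below is an added example, not code from the article or from any vendor; the log lines it scans are constructed, Sysmon-style records in a hypothetical "ParentImage|Image|CommandLine" layout, and the `-enc REDACTED` argument is a placeholder, not a real payload.

```python
"""Parent/child process detection for the Conti staging chain described above."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Directories a normal user can write to; signed system DLLs do not live here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
# PowerShell's encoded-command switch and its common abbreviations.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

# Constructed sample records (not real telemetry): "ParentImage|Image|CommandLine"
SAMPLE_LOG = """\
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc REDACTED
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe invoice.txt
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll,StartW
C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse(record):
    """Return the list of rule names that match one process-creation record."""
    parent, image, cmdline = (f.strip() for f in record.split("|", 2))
    p, i = basename(parent), basename(image)
    hits = []
    if p in OFFICE_APPS and i in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")       # macro/embedded script stage
    if i in SCRIPT_HOSTS and ENCODED_FLAG.search(" " + cmdline + " "):
        hits.append("encoded-powershell")               # obfuscated stager
    if i in DLL_LOADERS and USER_WRITABLE.search(cmdline):
        hits.append("dll-load-from-user-writable-path") # DLL-based delivery
    return hits

def scan(log_text):
    """Return (line_number, [rules]) for every record that triggers a rule."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits = analyse(line)
            if hits:
                alerts.append((n, hits))
    return alerts

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Each rule fires on ordinary, non-malicious activity occasionally (administrators do run encoded PowerShell), so treat a single hit as a triage lead and the Office-to-script-host chain as the high-confidence one.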
Make Yourself a Harder Target
“All breaches are the result of somebody [inside] doing something they shouldn’t do, or somebody [inside] not doing something they should do.”
– Frank Abagnale Jr
Here are recommendations to harden your security posture and make yourself less vulnerable:
- Regularly back up data, air gap, and password protect backup copies offline.
- Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released. Use multifactor authentication where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs. Require administrator credentials to install software.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and antimalware software on all hosts.
- Only use secure networks and avoid using public WiFi networks. Consider installing and using a VPN.
- Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
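The "monitor remote access/RDP logs" recommendation is the one item in this list that can be turned directly into a check. Below is an added example (not part of the article) that reviews Windows Security logon events for RDP activity: it counts failed RDP logons per source address and flags successful RDP logons from outside the internal ranges, especially ones that follow a run of failures. The event records, the internal ranges and the failure threshold are constructed assumptions for the example.

```python
"""Review RDP logon events (logon type 10) for brute-force and external logons."""
import ipaddress
from collections import Counter

# Constructed sample records (not real telemetry):
# (event_id, logon_type, account, source_ip, timestamp); 4624 = success, 4625 = failure
SAMPLE_EVENTS = [
    (4625, 10, "admin",  "198.51.100.23", "2021-05-13T02:01:10"),
    (4625, 10, "admin",  "198.51.100.23", "2021-05-13T02:01:12"),
    (4625, 10, "admin",  "198.51.100.23", "2021-05-13T02:01:15"),
    (4625, 10, "jdoe",   "198.51.100.23", "2021-05-13T02:01:20"),
    (4625, 10, "nurse1", "198.51.100.23", "2021-05-13T02:01:24"),
    (4624, 10, "jdoe",   "198.51.100.23", "2021-05-13T02:03:01"),
    (4624, 10, "itops",  "10.20.5.14",    "2021-05-13T09:15:00"),
    (4624, 2,  "nurse1", "-",             "2021-05-13T08:00:00"),
]

# Assumed internal address space; adjust to the practice's own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAILURE_THRESHOLD = 5  # failed RDP attempts from one source before alerting

def is_internal(ip):
    """True for internal addresses and for console logons that carry no address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # Windows writes "-" when there is no network source
        return True
    return any(addr in net for net in INTERNAL_NETS)

def review_rdp_logons(events):
    """Return a list of alert strings for the given logon events."""
    failures = Counter()
    external_success = []
    for event_id, logon_type, account, src, ts in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) logons
            continue
        if event_id == 4625:
            failures[src] += 1
        elif event_id == 4624 and not is_internal(src):
            external_success.append((account, src, ts))
    alerts = []
    for src, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append(f"rdp-bruteforce: {n} failed RDP logons from {src}")
    for account, src, ts in external_success:
        tag = "after-failures" if failures[src] else "no-prior-failures"
        alerts.append(f"rdp-external-logon: {account} from {src} at {ts} ({tag})")
    return alerts

if __name__ == "__main__":
    print("\n".join(review_rdp_logons(SAMPLE_EVENTS)))
```

If RDP is exposed at all, the cleanest outcome of this review is an empty list: the bullet above says to disable unused RDP, so an external success with no VPN in front of it is a configuration finding before it is a security incident.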
Information on the Author:
David Grootwassink (BSCS, MBA, PMP) has more than 30 years of experience in communications technologies, security, and identity management. He started out spending 6 years as an Air Force officer involved in signals intelligence and electronic warfare; functionally, red team for keeps on a global basis. Among the many awards received during his service, the most important was being decorated as the “Outstanding Contributor to Tactical Air Intelligence” during operations Desert Shield/Desert Storm.
After leaving the service, David led several identity management projects utilizing various forms of biometric identification.
Shifting into the communications industry, he developed many products for communications companies such as GTE, BellSouth International, and Illuminet. He finally melded communications and security together, in both a blue team and red team stance, for VeriSign and Yaana Technologies, where the focus became communications security, interception, and intelligence support.
David currently holds 10 patents in the areas of communications and communications security.