Chris Swagler | April 22nd, 2022

During the height of the COVID-19 pandemic, one of the most ruthless and successful Russian ransomware groups, Conti, publicly announced that it would refrain from targeting healthcare providers. However, recent information confirms that, unsurprisingly, the group lied: it has launched more than 200 attacks against hospitals and other healthcare facilities since first appearing in 2018 as “Ryuk”. This was confirmed, in part, through a threat hunting campaign.

Microsoft executed a legal sneak attack against Zloader, a remote access trojan and malware platform that numerous ransomware groups used to deploy their malware in victims’ networks. Microsoft acquired a court order allowing it to seize 65 domain names that were used to maintain the Zloader botnet. The civil lawsuit against Zloader named seven “John Does” and sought information to identify the cybercriminals who used Zloader to launch ransomware attacks. Some of the John Does were associated with lesser ransomware collectives, including Egregor and Nefilim.

According to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti [hereafter ‘Conti’], acting as the distribution platform for deploying Conti ransomware. Numerous parties backed Microsoft’s legal effort against Zloader by filing supporting declarations, including a former U.S. National Security Agency (NSA) penetration tester. The former tester is now chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers. The Conti ransomware attacks have impacted healthcare facilities in 192 cities across 41 states and the District of Columbia.

According to a declaration filed with the U.S. District Court for the Northern District of Georgia, the attacks caused temporary or permanent loss of the IT systems that support care delivery in modern hospitals, resulting in canceled surgeries and delayed medical care. Hospitals reported nearly $100 million in lost revenue due to Conti infections, per data acquired from interviews with hospital staff, public statements, and media articles. Additionally, responding effectively to the Conti attacks cost some $500 million, including ransom payments, digital forensic services, security improvements, and upgrades to impacted systems. In May 2021, Ireland’s Health Service Executive, which operates the country’s public health system, was hit by the Conti ransomware, causing massive disruptions to healthcare and costing $600 million to recover. Throughout 2020, Conti ravaged the healthcare sector and, according to leaked internal chats from the Conti ransomware group, accessed more than 400 healthcare facilities in the United States.

FBI and DHS officials had reliable intelligence that the group planned to ransom those care facilities simultaneously. Another report found that Conti orchestrated a cyberattack against a Canadian healthcare provider and that at least 68 healthcare providers suffered ransomware attacks. Even though Conti is only one of numerous ransomware groups targeting the healthcare industry, ransomware attacks on the healthcare sector are underreported because a large percentage of victims who pay ransoms want to keep their data and news of their breach confidential. A survey showed that almost 60 percent of victims hit by ransomware paid their extortionists.

Another reason for the high ransom payment percentage is that crime groups shifted their focus away from merely deploying ransomware and towards stealing data and demanding payment not to publicly release it. Conti posts victims’ internal data on its dark web blog to shame those who refuse to pay a ransom, and it has claimed responsibility for breaching a variety of critical healthcare organizations, including testing labs, pharmaceutical companies, and a spinal surgery center. According to a 2021 Healthcare Information and Management Systems Society (HIMSS) survey, 67% of healthcare cybersecurity professionals experienced a significant security incident, and only 43% had fully implemented intrusion detection and prevention technologies.

The FBI explained that Conti gains access to victims’ networks using malicious email links or attachments, or stolen Remote Desktop Protocol (RDP) credentials. Additionally, Conti weaponized Microsoft Office documents with embedded PowerShell scripts to stage Cobalt Strike and drop Emotet onto the network, which then allowed them to deploy ransomware. On average, Conti spends between four days and three weeks observing a victim’s network before deploying ransomware.
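The Office-document-to-PowerShell staging described above leaves a recognizable trace in endpoint process-creation telemetry. As an added example that is not part of the original article, the Python below scores constructed Sysmon-style process-creation events for an Office parent spawning a scripting host with hidden or encoded arguments; the field names and log lines are assumptions made up for the example, not a real export.

```python
import re

# Added example, not from the article: flag an Office document spawning a
# scripting host, the initial-access pattern attributed to Conti above.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Argument styles that hide or remotely fetch the staged command.
SUSPICIOUS_ARGS = re.compile(r"(-enc\w*|-w(indowstyle)?\s+hidden|downloadstring|\biex\b)", re.I)

# Constructed sample events (Sysmon Event ID 1 style; fields are assumed).
SAMPLE_LOG = [
    "UtcTime=2022-04-20 13:02:11|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell -w hidden -enc BASE64PLACEHOLDER",
    "UtcTime=2022-04-20 13:02:30|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe invoice.txt",
    "UtcTime=2022-04-20 13:05:02|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd /c dir",
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line):
    """Parse '|'-separated key=value pairs into a dict (samples contain no '|' in values)."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)

def score_event(ev):
    """Return (severity, reasons). 1 = suspicious lineage, 2 = lineage plus evasive arguments."""
    reasons = []
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        if SUSPICIOUS_ARGS.search(ev.get("CommandLine", "")):
            reasons.append("hidden-window, encoded or download-style arguments")
    return len(reasons), reasons

def hunt(lines):
    """Return alert dicts for events matching the Office-to-script-host pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        severity, reasons = score_event(ev)
        if severity:
            alerts.append({"time": ev.get("UtcTime"), "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Feeding the same scoring to live Sysmon or EDR process-creation events gives an early signal during the days-to-weeks dwell time the FBI describes, before encryption begins.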

With more ransomware groups targeting the healthcare industry even after the pandemic, it’s critical for companies, including hospitals and healthcare facilities, to stay ahead of the current threat landscape and always back up their data. At SpearTip, our certified engineers work continuously at our 24/7/365 Security Operations Center to leverage effective and purpose-built solutions to defend healthcare providers against cyberattacks and protect patient-sensitive data, allowing them to provide care and improve patient outcomes. Threat actors can’t be trusted, especially Conti, because they will target the same companies twice for more ransom. ShadowSpear is an unparalleled and purpose-built platform that helps strengthen and improve healthcare technology and infrastructure, allowing providers to pursue innovation and protect against operational disruptions and ransomware attacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.