Ransomware continues to target healthcare systems

May 25, 2021 14:22 GMT

The FBI has linked the Conti ransomware group to at least 16 cyberattacks in the United States aimed at disrupting healthcare and first responder networks.

911 dispatchers, law enforcement officers, and emergency care services have all been targeted in the last year as medical services struggled to handle the COVID-19 pandemic.

According to the FBI's flash advisory (.PDF), Conti has been linked to at least 400 cyberattacks against organizations worldwide, with at least 290 originating in the United States.

To increase the likelihood of a payout, ransomware operators first penetrate a victim's network and steal sensitive files, and only then launch the ransomware. If the ransom demand is not met, the victim risks having its data released or sold through a leak site.

Conti can gain initial network access through the use of stolen credentials, RDP, or phishing campaigns.

The advisory notes "If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers".

"The actors may also communicate with the victim using ProtonMail, and in some instances, victims have negotiated a reduced ransom".

FBI discourages victims from paying up, as each payment promotes further ransomware criminal activity

The FBI discourages victims from paying up because the decryption keys provided are not guaranteed to work, and each successful extortion attempt only encourages further ransomware-related criminal activity.

Moreover, the FBI encourages transparency with law enforcement authorities when ransomware incidents occur. In the case of Conti, the FBI asked for boundary logs showing connections to IP addresses, cryptocurrency wallet records, any decryptor files available, and encrypted file samples.

Conti has recently been blamed for a crippling ransomware attack on Ireland's Health Service Executive (HSE) on May 14. Officials say the $20 million ransom demand will not be paid. Although Conti has released an unverified decryption tool to the service, the group has threatened to sell or leak HSE records that were allegedly stolen during the cyberattack.