Conti Ransomware Attacked 16 Healthcare Organizations, FBI Says

Privacy Cyber Security AH Nov AH 2019

According to the Federal Bureau of Investigation (FBI), Conti ransomware has recently targeted at least 16 healthcare organizations in the United States, including first responder organizations. The FBI has also released a TLP: WHITE to help organizations on defending themselves against future threats.

“The FBI identified at least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year,” the FBI Cyber Division noted in its announcement. “These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.”

The Conti is a Ransomware-as-a-Service (RaaS) that Wizard Spider backs. Wizard Spider believes to be a Russian-based cybercrime group that launches similar attacks on organizations around the world.


The Conti ransomware can gain access to victim networks through malicious email links, attachments, or stolen RDP credentials.

Victims must pay the amount requested by the attackers within eight days. If victims don’t pay within this period, the attackers will contact the victims via Voice Over Internet Protocol (VOIP) or encrypted emails. The way Conti ransomware works is simple and similar to its other counterparts like Doppelpaymer.

Conti ransomware is targeting healthcare organization in the United States and worldwide

The United States healthcare organization are not the only victims of Conti ransomware. Ireland’s Health Service Executive (HSE) and Department of Health (DoH) faced a similar case that Conti attackers asked for a $20 million ransom.


Of course, the DoH was able to repel the attacks, but the HSE had to shut down its IT systems.

For technical guys, here are the Conti ransomware indicators according to the FBI’s announcement: “Conti actors use remote access tools, which most often beacon to domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080, and 8443. Additionally, actors may use port 53 for persistence. Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers. Other indicators of Conti activity include the appearance of new accounts and tools—particularly Sysinternals—which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system (DNS) beacons, and disabled endpoint detection.”

If you are an IT admin or security expert at a healthcare organization, note these indicators so you can protect your data from this ransomware. The FBI has asked all organizations attacked by Conti ransomware to share their information.