As the Republic of Ireland continues to grapple with a Conti ransomware attack on its Health Service Executive’s (HSE’s) IT systems, the FBI has issued a warning to similar systems in the US.
“The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.
"These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.," the FBI said in an alert issued on May 20.
The Conti ransomware being highlighted by the FBI is the same that forced Ireland's HSE to shut down all of its IT systems on May 14 as a precaution in order to assess and limit the impact.
HSE Chief Executive Paul Reid confirmed with NewstalkFM on May 14 that the attack is a "Conti human-operated ransomware attack that seeks to get access to data immediately."
Paul Reid says the major ransomware attack targeting the HSE is "quite sophisticated", while the COVID-19 vaccination programme isn't impacted as it's on a different system. @NTBreakfast - NewstalkFM (@NewstalkFM), May 14, 2021
Ossian Smyth, Ireland's Minister of State for Public Procurement and eGovernment, told RTÉ News that same day: "It is very significant, and possibly the most significant cybercrime attack on the Irish State."
Smyth described the hackers as "cybercriminals gangs, looking for money."
The Minister of State for Public Procurement and eGovernment Ossian Smyth has said that the cyber attack on HSE computer systems is "possibly the most significant cybercrime attack on the Irish State." - RTÉ News (@rtenews), May 14, 2021
On Monday, Taoiseach Micheál Martin said on RTÉ's Today with Claire Byrne that Ireland refuses to pay any ransom to the hackers.
Noting that there had been "no great evidence yet of any mass dumping of data," the Taoiseach said that "if anybody comes across any data, if you see it, don't share it… report it to the Gardai."
He further said that the decryption key that had been provided was slowly but surely helping the IT systems return.
Hospital systems are coming back following a cyber attack on the HSE and a decryption key provided last week is helping, Taoiseach Micheál Martin has said | Read more: https://t.co/9cZSC08loy - RTÉ News (@rtenews), May 24, 2021
Ireland's National Cyber Security Centre, the HSE, and specialist contractors are continuing to implement a detailed and dedicated operational programme to repair and restore the HSE’s IT systems and network, and are making "very steady progress in what is a difficult and complex task."
In its warning issued on May 20, the FBI said: “Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim.
“The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.
“Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed. Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges.
"Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of Protected Health Information.”
The FBI alert went on to say: “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”
Anyone who encounters the outlined indicators of a Conti ransomware attack is encouraged to contact the FBI's CyWatch immediately at firstname.lastname@example.org or 1-855-292-3937.