FBI: Conti ransomware gang attacked more than 400 orgs, including 911 centers

The Conti ransomware gang has victimized more than 400 organizations worldwide, 290 of which were based in the United States, the Federal Bureau of Investigation said in a security alert it sent on Thursday.

The victim number, close to open-source reporting done by DarkTracer, also included some sensitive targets according to a copy of the alert obtained by The Record.

The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.

FBI flash alert CP-000147-MW

The nature of the FBI's advisory and the timing of the alert are not coincidental and come after the Conti gang breached and crippled hospitals in Ireland and New Zealand, some of which had to cancel certain types of medical procedures and patient care.

Detect tools and techniques, not static IOCs

The FBI alert details the general modus operandi of the Conti gang, and FBI officials hope that US organizations would use the information they provided to bolster networks and be better prepared to deal with the gang's attacks.

But the FBI alert only contains a general description of Conti tactics and some basic recommendations.

Security teams looking for a more in-depth technical analysis can refer to an extensive report detailing a typical Conti intrusion, authored and published earlier this month by a group of security researchers named the DFIR Report.

The FBI Conti alert also comes days after Ireland's National Cyber Security Centre published a similar report [PDF]. This one is more narrow and includes only the indicators of compromise (IOCs) from the Conti attack on the Irish Health Service Executive (HSE).

However, the NCSC report also revealed that the Conti gang had also tried to breach Ireland's Department of Health, the government agency behind the HSE, but the attack failed after the group's tools were detected and the attack stopped—showing, again, the benefits of using detection rules that spot tools and techniques used by threat actors rather than static IOCs.

For cyber-security researchers looking to get a better understanding of the Conti gang's tactics and tooling, the reports shared this month, along with the historical Conti reports aggregated on this page, can serve as a good starting point.