The same hackers that hit the Irish health system a week ago also targeted at least 16 U.S. medical and first responder networks in the past year, according to a federal law enforcement alert.
The cybercrime division of the FBI said cybercriminals using the malicious software dubbed "Conti" have targeted law enforcement, emergency medical services, dispatch centers and municipalities.
The alert didn't name specific victim organizations or offer details about the nature or severity of the breaches. It did say that these healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. The alert was made public Thursday by the American Hospital Association.
"Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors," the FBI alert said.
Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments or stolen Remote Desktop Protocol credentials, according to the FBI.
Recent ransom demands have been as high as $25 million.
BBC News has reported that the Conti ransomware group targeted the Irish health system May 14, and hospitals were forced to shut down many of their computers. The cybercriminals threatened to disclose patient data unless Irish authorities paid the $20 million ransom demand.
Ireland's Health Minister Stephen Donnelly reiterated Friday that the health system would not pay the ransom to restore its systems.
"No ransom has been paid by this government directly, indirectly, through any third party or any other way. Nor will any such ransom be paid," he told Irish broadcaster RTÉ.
In a surprising twist of events, late last week the hackers offered Ireland's health system a decryption key that they said could be used to unlock computers infected with ransomware. But there's a catch: Conti is still threatening to publish or sell data it has stolen unless a ransom is paid, BBC reported.
In its latest alert, the FBI said it does not encourage paying ransoms. "Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," the agency said.
The agency recommends (PDF) that organizations regularly back up data and password-protect backup copies stored offline, and that they ensure copies of critical data cannot be modified or deleted from the system where the data reside, the FBI said.
Organizations also should implement network segmentation and a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location such as a hard drive, storage device or the cloud.
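As an added illustration of the backup guidance above (this is example code written for this page, not the FBI's or any vendor's tooling), the script below records a SHA-256 manifest when a backup copy is taken, verifies the copy against that manifest later, and reports whether the copy can still be written from the host running the check. A copy that the production host can modify or delete is exactly what the alert warns against. All paths and file contents are constructed for the demonstration; the manifest file name and the directory layout are assumptions.

```python
"""Backup-integrity check (added example; not from the article or the FBI alert)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name; any fixed name works


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_in(backup_dir: Path) -> dict:
    """Map relative path -> absolute Path for every file in the copy, manifest excluded."""
    return {
        p.relative_to(backup_dir).as_posix(): p
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path) -> dict:
    """Hash every file in the copy and record the digests in a manifest file."""
    digests = {rel: sha256_file(p) for rel, p in _files_in(backup_dir).items()}
    with (backup_dir / MANIFEST_NAME).open("w") as f:
        for rel, d in digests.items():
            f.write(f"{d}  {rel}\n")
    return digests


def read_manifest(backup_dir: Path) -> dict:
    """Parse the manifest back into relative path -> expected digest."""
    digests = {}
    with (backup_dir / MANIFEST_NAME).open() as f:
        for line in f:
            d, rel = line.rstrip("\n").split("  ", 1)
            digests[rel] = d
    return digests


def verify_backup(backup_dir: Path) -> list:
    """Return a list of problems: modified, missing or unexpected files (empty means clean)."""
    expected = read_manifest(backup_dir)
    present = _files_in(backup_dir)
    problems = []
    for rel, d in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(present[rel]) != d:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(present) - set(expected)):
        problems.append(f"unexpected: {rel}")
    return problems


def writable_from_here(backup_dir: Path) -> bool:
    """True if this host could alter or delete the copy, i.e. the copy is not isolated from it."""
    return os.access(backup_dir, os.W_OK)


def demo() -> dict:
    """Constructed end-to-end run: take a copy, verify it, damage it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "production"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patients.csv").write_text("id,name\n1,constructed\n")
        (src / "config.ini").write_text("[db]\nhost=example\n")

        copy = Path(tmp) / "backup_copy"
        shutil.copytree(src, copy)
        write_manifest(copy)
        clean = verify_backup(copy)

        # Simulate damage to a copy that was reachable from the host:
        # one file overwritten, one deleted. The manifest check must flag both.
        (copy / "config.ini").write_text("overwritten")
        (copy / "records" / "patients.csv").unlink()
        tampered = verify_backup(copy)

        return {"clean": clean, "tampered": tampered, "writable": writable_from_here(copy)}


if __name__ == "__main__":
    print(demo())
```

The `writable` result is the operationally interesting one: a scheduled run of `writable_from_here` against every backup target from the production host should report `False`; a `True` means the copy is not offline in the sense the alert intends, whatever the verification says about its contents today.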
Scripps Health coming back online
The cyberattack on the Irish health system follows several high-profile ransomware attacks in the U.S., including the Colonial Pipeline breach and an attack on Scripps Health in San Diego.
The health system, which operates five hospitals in the region, was hit with a cyberattack May 1 that has significantly disrupted care, impacted email servers and forced medical personnel to use paper records for the past three weeks.
Scripps Health is slowly bringing some systems back online, according to media reports. ABC News reported last week that several Scripps Health employees said they had regained access to select systems, including "read-only" medical records from before May, payroll systems and some X-rays, computers and email.
In a tweet posted Thursday, Scripps Health said its website was back up, but technical teams were still working to restore the patient portal.
The health system said the cyberattack stemmed from malware on its computer network but would not confirm whether it was a ransomware attack nor whether there had been any ransom demand.