Publication Date: 2021 May 20
Update Date: 2021 May 24
Philips is currently monitoring developments and updates related to the Federal Bureau of Investigation (FBI) (CP-000147-MW). The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.
Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti actors use remote access tools, which most often beacon to domestic and international virtual private server (VPS) infrastructure over ports 80, 443, 8080, and 8443. Additionally, actors may use port 53 for persistence. Large HTTPS transfers go to cloud-based data storage providers MegaNZ and pCloud servers. Other indicators of Conti activity include the appearance of new accounts and tools—particularly Sysinternals—which were not installed by the organization, as well as disabled endpoint detection and constant HTTP and domain name system (DNS) beacons, and disabled endpoint detection.
Philips is committed to ensuring the safety, security, integrity, and regulatory compliance of our products to be deployed and to operate within Philips approved product specifications. Therefore, in accordance with Philips policy and regulatory requirements, all changes of configuration or software to Philips’ products (including operating system security updates and patches) may be implemented only in accordance with Philips product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
If a product does require operating system security updates, configuration changes, or other actions to be taken by our customer or by Philips Customer Services, product-specific service documentation is produced by Philips product teams and made available to Philips service delivery platforms such as the Philips InCenter Customer Portal. Once posted by Philips product teams, all of these materials are accessible to contract-entitled customers, licensed representatives, and Philips Customer Service teams.
Contract-entitled customers may use Philips InCenter and are encouraged to request Philips InCenter access and reference product-specific information posted. If customers still have questions, all customers (contract-entitled or otherwise) are encouraged to contact their local service support team or regional product service support as appropriate for up to date information specific to their Philips’ products.
Begin Update A: 24 May 2021
At this time, no Philips products or solutions are impacted. If we become aware of an affected product or solution, we will post that information here.
For customers who utilize the Remote Services Network (RSN, PRS), all Philips RSN systems are protected against this vulnerability and customers are advised not to disconnect the PRS as it may impact Philips service teams from providing any required immediate and proactive support such as remote patching.
End Update A