CISA and FBI Warn About Escalating Conti Ransomware Attacks

Share this article on:

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about escalating Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and globally.

Like many ransomware gangs, prior to deploying Conti ransomware the gang exfiltrates data from victims’ networks. A ransom demand is issued along with a threat to publish the stolen data if the ransom is not paid. The developers of Conti ransomware run a ransomware-as-a-service operation, where affiliates are recruited to conduct attacks. Under this model, affiliates usually receive a percentage of any ransoms they generate. Conti appears to operate slightly differently, where affiliates are paid a wage to conduct attacks.

A variety of methods are used to gain access to victims’ networks. Spear phishing emails are common, where malicious attachments such as Word documents with embedded scripts are used as malware droppers. Typically, a malware variant such as TrickBot or IcedID is downloaded which gives the attackers access to victims’ networks. The attackers then move laterally within the compromised network, identify data of interest, then exfiltrate the data before deploying the Conti ransomware payload.

Brute force attacks are often conducted to guess weak Remote Desktop Protocol (RDP) credentials, vulnerabilities in unpatched systems are exploited, and search engine poisoning has been used to get malicious sites appearing in the search engine listings offering fake software. Malware distribution networks such as Zloader have been used, and attacks have been conducted where credentials have been obtained through telephone calls (vishing).

CISA and the FBI have observed legitimate penetration testing tools being used to identify routers, cameras, and network-attached storage devices with web interfaces that can be brute forced and legitimate remote monitoring and management software and remote desktop software have been used as backdoors to maintain persistence on victim networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and for lateral movement.

Vulnerabilities known to be exploited include ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and the vulnerabilities in Microsoft Windows Server Message Block that were exploited in the WannaCry ransomware attacks in 2017.

Because a variety of tactics, techniques, and procedures are used to gain access to victim networks, there is no single mitigation that can be implemented to prevent attacks. CISA and the FBI recommend the following mitigations to improve defenses against Conti ransomware attacks:

  • Use multi-factor authentication
  • Implement network segmentation and filter traffic
  • Scan for vulnerabilities and keep software updated
  • Remove unnecessary applications and apply controls
  • Implement endpoint and detection response tools
  • Limit access to resources over the network, especially by restricting RDP
  • Secure user accounts
  • Ensure critical data are backed up, with backups stored offline and tested to ensure file recovery is possible

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On