The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory on the increasing number of Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and around the world.
Like many ransomware groups, the Conti operators exfiltrate data from victims' networks before deploying the ransomware. The ransom demand is accompanied by a threat to publish the stolen data if the victim does not pay. The creators of Conti run a ransomware-as-a-service operation and recruit affiliates to carry out attacks. Under that model, affiliates typically receive a share of the ransoms they help generate; Conti appears to operate somewhat differently, paying its affiliates a salary to conduct attacks.
Various methods are used to gain access to victims' systems. A common one is spear-phishing email carrying malicious attachments, such as Word documents with embedded scripts that act as malware droppers. Typically a malware variant such as IcedID or TrickBot is downloaded, which gives the attackers access to the victim's systems. The attackers then move laterally through the breached network, locate data of interest, and exfiltrate it before deploying the Conti ransomware payload.
Other access methods include brute-force attacks to guess weak Remote Desktop Protocol (RDP) credentials, exploitation of vulnerabilities in unpatched systems, and search engine poisoning that places malicious websites offering bogus software in search listings. Malware distribution networks such as Zloader are also used, and attacks are conducted after credentials are obtained through vishing (voice phishing) telephone calls.
CISA and the FBI have observed legitimate penetration testing tools being used to identify cameras, routers, and network-attached storage devices with web interfaces that can be brute-forced. They have also observed legitimate remote monitoring and management software and remote desktop software being used as backdoors to maintain persistence on victims' networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and move laterally.
Vulnerabilities known to be exploited include PrintNightmare (CVE-2021-34527), ZeroLogon (CVE-2020-1472), and the Microsoft Windows Server Message Block vulnerabilities exploited in the WannaCry ransomware attacks of 2017.
Because a range of tactics, techniques, and procedures is used to gain access to victims' networks, no single mitigation will prevent attacks. CISA and the FBI recommend the following mitigations to strengthen defenses against Conti ransomware attacks:
- Employ multi-factor authentication
- Segment network and filter traffic
- Check for vulnerabilities and update software
- Get rid of unnecessary software and implement controls
- Use endpoint detection and response solutions
- Restrict resource access over the network, particularly by limiting RDP
- Make user accounts secure
- Back up critical data, store backups offline, and test the copies to confirm that files can be recovered
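The advisory's point about brute-forced RDP credentials and its recommendation to limit RDP pair naturally with detection: a defender who cannot yet remove RDP exposure should at least alert on password-guessing bursts against it. The following is an added example written for this page, not code from CISA, the FBI, or the article, and it assumes a CSV export of Windows Security logon events with the columns `time`, `event_id`, `logon_type`, `target_user`, and `source_ip` (an assumed layout; real exports vary by collection pipeline). The sample records are constructed. It flags any source IP producing at least five failed RDP logons (event 4625, logon type 10) within five minutes and notes whether a successful RDP logon (4624) from the same source followed, which is the stronger indicator that a guessed credential worked.

```python
"""Detect RDP password-guessing bursts in an exported Windows Security log.

Added example, not from the CISA/FBI advisory or the article. The CSV
layout below is an assumption; adapt the column names to your export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). 4625 = failed logon,
# 4624 = successful logon; logon_type 10 is RemoteInteractive (RDP),
# logon_type 3 is a network logon and is ignored by this detector.
SAMPLE_LOG = """\
time,event_id,logon_type,target_user,source_ip
2021-09-22T09:00:00,4625,10,jsmith,198.51.100.7
2021-09-22T10:00:01,4625,10,administrator,203.0.113.10
2021-09-22T10:00:03,4625,10,admin,203.0.113.10
2021-09-22T10:00:05,4625,10,backup,203.0.113.10
2021-09-22T10:00:07,4625,10,svc_sql,203.0.113.10
2021-09-22T10:00:09,4625,10,jsmith,203.0.113.10
2021-09-22T10:00:11,4625,10,administrator,203.0.113.10
2021-09-22T10:00:20,4624,10,jsmith,203.0.113.10
2021-09-22T10:30:00,4625,10,jsmith,198.51.100.7
2021-09-22T10:31:00,4625,3,fileshare,192.0.2.5
2021-09-22T10:31:02,4625,3,fileshare,192.0.2.5
2021-09-22T11:45:00,4625,10,jsmith,198.51.100.7
"""

RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the CSV export into dicts, converting 'time' to a datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any sliding window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons within `window`. Each finding records the peak burst
    size, the distinct accounts tried, and whether a successful RDP logon
    from the same IP came after the failures began."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # non-RDP logons are out of scope here
        if ev["event_id"] == "4625":
            failures[ev["source_ip"]].append(ev)
        elif ev["event_id"] == "4624":
            successes[ev["source_ip"]].append(ev)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        peak = max_in_window(times, window)
        if peak < threshold:
            continue  # slow trickle of failures, below the burst threshold
        findings[ip] = {
            "max_failures_in_window": peak,
            "distinct_users": sorted({e["target_user"] for e in evs}),
            "success_after_failures": any(
                s["time"] > times[0] for s in successes.get(ip, [])
            ),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample data only 203.0.113.10 is reported: six failures across five accounts in ten seconds, followed by a successful logon, which is the pattern worth paging on. The three spread-out failures from 198.51.100.7 stay below the threshold, and the network-logon failures from 192.0.2.5 are ignored because this detector is scoped to RDP. Tune `threshold` and `window` to your environment's baseline, and pair the alert with the advisory's mitigations (MFA and restricting RDP exposure) rather than relying on detection alone.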