Dangers Of Conti Ransomware Brought To The Fore By CISA, FBI’s Advisory

September 23, 2021

By a Biometrica staffer

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In Conti attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.

In order to protect against Conti attacks, agencies recommended measures including requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

In a detailed release CISA listed out the ways in which Conti actors gained initial access to networks.

  • Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links 
  • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware — such as TrickBot and IcedID, and/or Cobalt Strike — to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials
  • Phone calls
  • Fake software promoted via search engine optimization
  • Other malware distribution networks (e.g., ZLoader) 
  • Common vulnerabilities in external assets.

When it came to mitigation, CISA had some recommendations:

  • Use multi-factor authentication
  • Implement network segmentation and filter traffic
  • Scan for vulnerabilities and keep software updated
  • Remove unnecessary applications and apply controls
  • Implement endpoint and detection response tools
  • Limit access to resources over the network
  • Secure user accounts
  • Use the Ransomware Response Checklist in case of infection

In the past, the FBI had implicated Conti in attacks on at least 290 organizations, Zdnet reported.

CISA also noted a key difference in which Conti operators do things from other ransomware attackers. As Conti acts through a ransomware-as-a-service model, the group paid deployers of the ransomware as a wage. With other ransomware, typically affiliates received a cut of the ransom as pay.

Rob Joyce, director of cybersecurity at NSA, believes that criminals running Conti historically target critical infrastructure, such as the Defense Industrial Base (DIB). “NSA works closely with our partners, providing critical intelligence and enabling operations to counter ransomware activities. We highly recommend using the mitigations outlined in this advisory to protect against Conti malware and mitigate your risk against any ransomware attack,” Joyce said.

Conti initially came into the limelight after attacks on healthcare and first responder networks in the U. S. in May 2021. Targets included 911 dispatch carriers, law enforcement agencies, and emergency medical services all of which have been under strain in their efforts to manage effects of the COVID-19 pandemic, Zdnet reported.

Allan Liska, a ransomware expert told Zdnet that the information in the CISA release was well known to industry experts, but that it would serve to educate a broader audience.

“There are a lot of security people who will find this very useful because the tools used by Conti are used by other ransomware groups. For example, rclone is mentioned in the report. I see rclone used by many ransomware groups but rarely by legitimate employees of an organization, so looking for rclone hashes on endpoints could be useful,” Liska said. 

“I also think a lot of people didn’t know that Conti has infected organizations through phone calls. That may be a new threat model for a lot of organizations and one that they have to consider how to defend against. Overall, while it is not a groundbreaking report, it is nice to have so many of Conti’s TTP in a single location rather than combing through 15 different ZDNet articles to find them.”

Conti ransomware was actively targeting unpatched Microsoft Corp. Exchange servers through the same exploit used to target servers earlier in 2021, Silicon Angle reported in early September. Within 48 hours of attackers were able to exfiltrate approximately 1 terabyte of data, and within five days Conti had infected every machine on the network.

SAC Wireless, a subsidiary of Nokia, also revealed that they had been victims of a Conti attack, via a letter sent to current and former employees, ITPro reported.

Following a forensic investigation SAC Wireless found the affected files could contain employees’ details, such as date of birth, home addresses, emails, and phone numbers and even government ID numbers, such as driver’s license, passport, or military ID, Social Security numbers; and more.