By a Biometrica staffer
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In Conti attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
To protect against Conti attacks, the agencies recommended measures including requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.
In a detailed release, CISA listed the ways in which Conti actors gained initial access to networks.
When it came to mitigation, CISA had some recommendations:
In the past, the FBI had implicated Conti in attacks on at least 290 organizations, Zdnet reported.
CISA also noted a key difference between how Conti operators work and how other ransomware attackers do. Because Conti operates through a ransomware-as-a-service model, the group paid the deployers of its ransomware a wage; with other ransomware, affiliates typically received a cut of the ransom as pay.
Rob Joyce, director of cybersecurity at NSA, believes that criminals running Conti historically target critical infrastructure, such as the Defense Industrial Base (DIB). “NSA works closely with our partners, providing critical intelligence and enabling operations to counter ransomware activities. We highly recommend using the mitigations outlined in this advisory to protect against Conti malware and mitigate your risk against any ransomware attack,” Joyce said.
Conti initially came into the limelight after attacks on healthcare and first responder networks in the U. S. in May 2021. Targets included 911 dispatch carriers, law enforcement agencies, and emergency medical services — all of which have been under strain in their efforts to manage effects of the COVID-19 pandemic, Zdnet reported.
Allan Liska, a ransomware expert, told Zdnet that the information in the CISA release was well known to industry experts, but that it would serve to educate a broader audience.
“There are a lot of security people who will find this very useful because the tools used by Conti are used by other ransomware groups. For example, rclone is mentioned in the report. I see rclone used by many ransomware groups but rarely by legitimate employees of an organization, so looking for rclone hashes on endpoints could be useful,” Liska said.
“I also think a lot of people didn’t know that Conti has infected organizations through phone calls. That may be a new threat model for a lot of organizations and one that they have to consider how to defend against. Overall, while it is not a groundbreaking report, it is nice to have so many of Conti’s TTP in a single location rather than combing through 15 different ZDNet articles to find them.”
Conti ransomware was actively targeting unpatched Microsoft Corp. Exchange servers through the same exploit used to target servers earlier in 2021, Silicon Angle reported in early September. Within 48 hours, attackers were able to exfiltrate approximately 1 terabyte of data, and within five days Conti had infected every machine on the network.
SAC Wireless, a subsidiary of Nokia, also revealed that they had been victims of a Conti attack, via a letter sent to current and former employees, ITPro reported.
Following a forensic investigation, SAC Wireless found that the affected files could contain employees’ details, such as date of birth, home addresses, emails, and phone numbers; government ID numbers, such as driver’s license, passport, or military ID numbers; Social Security numbers; and more.