It goes without saying that ransomware attacks have increased exponentially. Federal agencies have released various directives, warnings, and guides to help businesses and individuals cope with the repercussions of such attacks and to take preventive measures. Now, the federal agencies have issued a warning about an increase in attacks by Conti ransomware.
What’s the issue?
The CISA, the FBI, and the NSA have published a joint alert warning organizations of increased Conti activity. It states that the ransomware has so far been used in more than 400 attacks in the U.S. and other countries. The alert also provides technical details of the attacks and recommendations for reducing risk. It was issued right after two farming cooperatives fell victim to ransomware attacks.
Cause of concern
While Conti operates a RaaS business model, it differs from its contemporaries: rather than paying affiliates a cut of each ransom, the gang pays the ransomware deployers a wage.
The threat actor uses a myriad of tools and methods—spear-phishing campaigns, remote desktop software, and remote monitoring and management software—to infiltrate systems.
The spear-phishing campaigns have been observed to contain malicious links or attachments.
The FBI and the CISA have observed the actors scanning and brute-forcing routers, cameras, and NAS devices with web interfaces.
In some cases, Conti also leverages the TrickBot malware for post-exploitation tasks.
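The brute-forcing of routers, cameras, and NAS web interfaces noted above is visible in the device's own access log as bursts of failed logins from one source. The following Python detector is an added example (not code from the alert or from this article); it assumes a common-log-format access log, a hypothetical login endpoint at /login, and constructed sample lines, and it flags a source that exceeds a failure threshold within a sliding window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines from a hypothetical NAS login page.
# 203.0.113.7 fails five times in a row and then succeeds; 198.51.100.4 is a lone typo.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2021:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Sep/2021:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Sep/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Sep/2021:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Sep/2021:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [20/Sep/2021:10:00:06 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.4 - - [20/Sep/2021:10:00:10 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [20/Sep/2021:10:05:10 +0000] "POST /login HTTP/1.1" 200 1024
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), login_path="/login"):
    """Return {ip: {"at": time_threshold_hit, "success_after": bool}} for each source
    with at least `threshold` failed POSTs to `login_path` inside a sliding `window`."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["path"] != login_path or ev["method"] != "POST":
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:  # expire old failures
            recent.popleft()
        if ev["status"] == 401:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in alerts:
                alerts[ev["ip"]] = {"at": ev["ts"], "success_after": False}
        elif ev["status"] == 200 and ev["ip"] in alerts:
            alerts[ev["ip"]]["success_after"] = True  # burst followed by a login: likely compromise
    return alerts
```

A burst that ends in a 200 is the case to escalate first, since it suggests the credential was guessed rather than merely attempted.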
A bit about Conti
The group came out of the woodwork in 2020 and made a name for itself by targeting hundreds of healthcare facilities, including a massive attack on Ireland’s Health Service Executive, and educational facilities.
The ransomware shares some of its code with Ryuk ransomware.
In August, an unhappy affiliate leaked sensitive information about the group’s workings. The information included screenshots of IP addresses used by the gang and an archive that contained training materials for new recruits.
The bottom line
The federal agencies note that the gang has also threatened organizations via phone calls. This broad threat model can be difficult for organizations to deal with. The report can also prove helpful against other ransomware families, as they use the same tools as Conti. The security recommendations include using MFA, implementing traffic filtering and network segmentation, patching software, and having incident response tools in place.