The Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about an increasing number of Conti ransomware attacks aimed at US businesses.
The three US federal agencies advised IT administrators to review the network security posture of their organizations and take the recommended steps to counter Conti ransomware.
Countermeasures shared by the three agencies include keeping operating systems and software updated, mandating multi-factor authentication, and adopting network segmentation. The agencies also confirmed that Conti ransomware operators have been responsible for over 400 attacks against US and foreign targets.
The recently released advisory says that CISA and the FBI have observed the use of Conti ransomware in over 400 attacks on domestic and foreign institutions. It further explains that typical Conti ransomware operations involve cybercriminals stealing files, encrypting servers and workstations, and demanding a ransom payment.
“Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence [TA0003] on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges [TA0004] within a domain and perform other post-exploitation and lateral movement tasks [TA0008]. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks,” the advisory reads.
Earlier this May, the FBI reported that Conti operators had targeted over a dozen US healthcare and first responder organizations.
If you haven’t heard of Conti ransomware, it is a private Ransomware-as-a-Service (RaaS) operation said to be run by Wizard Spider, a Russia-based criminal gang.
Conti shares part of its code with the infamous Ryuk ransomware and took over Ryuk’s TrickBot-based distribution methods when Ryuk’s activity slowed down in July 2020.
After encrypting the systems of Ireland’s Health Service Executive (HSE) and Department of Health (DoH), the cybercrime group demanded a $20 million ransom from the former.
The Conti gang issued a free decryptor to the HSE after the attack on Ireland’s national healthcare system but warned that the data stolen from its network would still be leaked or sold.