U.S. security agencies have reported a rise in Conti ransomware attacks, with more than 400 attacks on U.S. and international organizations in which the actors steal files, encrypt servers and workstations, and demand a ransom payment in return for the stolen sensitive data. The government advisory includes technical details on the threat and mitigation steps that public and private sector organizations can take to reduce their exposure to this ransomware. The advisory did not, however, state the period over which these attacks took place.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) said that while Conti is considered a ransomware-as-a-service (RaaS) variant, its structure differs from the typical affiliate model. “It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack,” the advisory said.
Wednesday’s advisory comes close to four months after the FBI identified at least 16 Conti ransomware attacks over the preceding year targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.
Conti actors often gain initial access to networks through spearphishing campaigns using tailored emails that contain malicious attachments or malicious links, according to the alert issued by the U.S. security agencies. Some malicious Word attachments contain embedded scripts that download or drop other malware, such as TrickBot and IcedID, and/or Cobalt Strike, which assist with lateral movement and later stages of the attack life cycle, with the eventual goal of deploying the Conti ransomware.
Other initial-access vectors named in the alert include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted through search engine optimization, other malware distribution networks such as ZLoader, and common vulnerabilities in externally facing assets.
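As an added example (not code from the advisory or from this article), the following Python script triages a Word attachment for the features the alert describes: an embedded VBA project, embedded objects, and external relationships that make Word fetch remote content when the file is opened. It goes slightly beyond the text by also escalating legacy binary .doc containers and non-OOXML files rather than passing them silently. It uses only the standard library; the sample documents are constructed in memory for the demonstration, and the domain example.invalid is a placeholder, not a real indicator.

```python
import io
import re
import zipfile
from typing import Optional

# Content type Word declares for a VBA project part in a macro-enabled document (.docm).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of an OLE2 compound file, i.e. a legacy binary .doc (or .xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_word_attachment(data: bytes) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for a Word attachment.

    Flags the features associated with macro-based phishing lures: an embedded
    VBA project, embedded objects, and external relationships (e.g. a remote
    attachedTemplate) that Word resolves over the network on open.
    """
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc files keep macros in an OLE storage that needs an OLE/VBA
        # parser (e.g. oletools); escalate instead of silently passing the file.
        return {"suspicious": True,
                "findings": ["legacy OLE2 .doc container; inspect with an OLE/VBA parser"]}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"suspicious": True, "findings": ["not a valid OOXML (zip) container"]}

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "word/vbaProject.bin" in names:
            findings.append("VBA macro project present (word/vbaProject.bin)")
        for name in names:
            if name.startswith("word/embeddings/"):
                findings.append(f"embedded object: {name}")
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                findings.append("macro content type declared in [Content_Types].xml")
        # Relationship parts: a TargetMode="External" target is fetched when the
        # document opens, a common macro-less delivery trick.
        for name in names:
            if name.startswith("word/_rels/") and name.endswith(".rels"):
                rels = zf.read(name).decode("utf-8", "replace")
                for rel in re.findall(r"<Relationship\b[^>]*>", rels):
                    if 'TargetMode="External"' in rel:
                        target = re.search(r'Target="([^"]+)"', rel)
                        findings.append(f"external relationship in {name}: "
                                        f"{target.group(1) if target else '?'}")
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_docx(with_macro: bool, remote_template: Optional[str] = None) -> bytes:
    """Construct a minimal in-memory OOXML document (constructed test data, not a real lure)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project stream")
        if remote_template:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
                        '2006/relationships/attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [
        ("benign", build_sample_docx(False)),
        ("macro", build_sample_docx(True)),
        ("remote template", build_sample_docx(False, "http://example.invalid/t.dotm")),
    ]:
        print(label, triage_word_attachment(doc))
```

The script is a triage filter, not a verdict: a hit means the attachment deserves sandbox detonation or a full macro dump, and a clean result only says none of these structural markers are present.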
Conti actors are known to use legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. They use tools already available on the victim network and, as needed, add others, such as Windows Sysinternals utilities and Mimikatz, to obtain users’ hashes and clear-text credentials, which let them escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.
According to a recently leaked threat actor ‘playbook,’ Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim’s network, the alert said. The playbook points to the 2017 Microsoft Windows Server Message Block (SMB) 1.0 server vulnerabilities (MS17-010), the PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler service, and the Zerologon vulnerability (CVE-2020-1472) in Microsoft Active Directory domain controllers.
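To make the post-exploitation behaviour described above concrete, here is an added Python example, not part of the advisory or the article, that runs a handful of heuristic checks over constructed Windows Security and Sysmon events: a computer-account password change (Security event 4742) attributed to ANONYMOUS LOGON, the trace a Zerologon reset of a domain controller’s machine-account password leaves; the print spooler (spoolsv.exe) loading an unsigned DLL from its driver directory, the PrintNightmare execution pattern; a non-allowlisted process opening lsass.exe with PROCESS_VM_READ, as Mimikatz’s sekurlsa module does; and execution of remote-access tools of the kind Conti uses as backdoors. The LSASS allowlist, the RMM binary names, the hostnames and the sample events are assumptions for illustration and must be tuned to the environment.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory (Mimikatz sekurlsa)
# Assumed allowlist of legitimate LSASS readers; tune to the EDR/AV present locally.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Example list of RMM / remote desktop binaries abused for persistence; tune to what is sanctioned.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}


def _base(path):
    # ntpath handles Windows paths regardless of the host OS running the hunt.
    return ntpath.basename(path or "").lower()


def check_zerologon(e):
    # Security 4742 (computer account changed): after a Zerologon exploit resets the
    # DC machine-account password, the subject is logged as ANONYMOUS LOGON.
    if (e["Channel"] == "Security" and e["EventID"] == 4742
            and e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and e.get("TargetUserName", "").endswith("$")):
        return f"possible Zerologon: {e['TargetUserName']} changed by ANONYMOUS LOGON"


def check_printnightmare(e):
    # Sysmon 7 (image loaded): the spooler loading an unsigned DLL dropped into its
    # driver directory is the PrintNightmare (CVE-2021-34527) execution pattern.
    if e["Channel"] == "Sysmon" and e["EventID"] == 7 and _base(e.get("Image")) == "spoolsv.exe":
        loaded = e.get("ImageLoaded", "").lower()
        if "\\spool\\drivers\\" in loaded and e.get("Signed", "false").lower() != "true":
            return f"possible PrintNightmare: spoolsv.exe loaded unsigned {e['ImageLoaded']}"


def check_lsass_access(e):
    # Sysmon 10 (process access): a non-allowlisted process opening lsass.exe with
    # PROCESS_VM_READ is how credential dumpers read hashes and clear-text secrets.
    if e["Channel"] == "Sysmon" and e["EventID"] == 10 and _base(e.get("TargetImage")) == "lsass.exe":
        granted = int(e.get("GrantedAccess", "0"), 16)
        src = _base(e.get("SourceImage"))
        if granted & PROCESS_VM_READ and src not in LSASS_READERS_OK:
            return f"LSASS read access from {e['SourceImage']} (0x{granted:x})"


def check_rmm(e):
    # Sysmon 1 (process create): remote-access tools used as backdoors; review any
    # instance that is not sanctioned for this host.
    if e["Channel"] == "Sysmon" and e["EventID"] == 1 and _base(e.get("Image")) in RMM_BINARIES:
        return f"RMM/remote-desktop tool started: {e['Image']} by {e.get('User', '?')}"


CHECKS = [check_zerologon, check_printnightmare, check_lsass_access, check_rmm]


def hunt(events):
    """Return (rule name, host, message) for every event that trips a check."""
    hits = []
    for e in events:
        for check in CHECKS:
            msg = check(e)
            if msg:
                hits.append((check.__name__, e.get("Computer", "?"), msg))
    return hits


# Constructed sample events (not real telemetry), shaped like Windows Security / Sysmon fields.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4742, "Computer": "DC01",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    {"Channel": "Security", "EventID": 4742, "Computer": "DC01",        # routine self-rotation
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$"},
    {"Channel": "Sysmon", "EventID": 7, "Computer": "PRINT01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll", "Signed": "false"},
    {"Channel": "Sysmon", "EventID": 7, "Computer": "PRINT01", "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll", "Signed": "true"},
    {"Channel": "Sysmon", "EventID": 10, "Computer": "WS17", "SourceImage": r"C:\Users\Public\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Sysmon", "EventID": 10, "Computer": "WS17",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS17", "Image": r"C:\Users\Public\AnyDesk.exe",
     "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for rule, host, msg in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {msg}")
```

Each check is a single-event heuristic and will produce false positives on its own (signed-driver installs, sanctioned RMM deployments, backup agents reading LSASS); the value of running them together is that a host or domain controller that trips more than one in a short window matches the intrusion chain the advisory describes.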
Using the MITRE ATT&CK framework as a common lexicon for adversary behavior, the advisory maps the techniques observed in Conti intrusions, such as spearphishing campaigns, remote monitoring and management software, the PrintNightmare vulnerability, and remote desktop software. Artifacts from the leaked playbook also identify Internet Protocol (IP) addresses Conti actors have used for their malicious activity. Organizations should read and implement the recommended mitigations and remain vigilant against the ongoing ransomware threat.
To secure systems against Conti ransomware attacks, CISA, FBI, and NSA recommend implementing the advisory’s mitigation measures, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.
If an organization becomes a victim of ransomware, CISA, FBI, and NSA strongly discourage paying the ransom. Paying may embolden adversaries to target additional organizations, encourage other criminals to distribute ransomware, and does not guarantee that a victim’s files will be recovered. One of the best ways for the cybersecurity community to prevent future ransomware attacks and hold these criminals accountable is for victims to report attacks to the FBI or CISA.
In a recent insight piece, the World Economic Forum (WEF) said that the commodification and commercialization of ransomware and disinformation have made cybercrime increasingly accessible in the era of ‘digital everything.’ Such attacks harm people and businesses of all kinds and also distort elections and public health initiatives.
“The commodification and commercialization of ransomware seems to have peaked with the rise in ransomware as a service (RaaS) attacks,” the WEF said in its insight. “Such methods involve ransomware developers working with affiliate groups that distribute their ransomware and then benefit economically from the attacks. The ransomware groups can provide these affiliates with tools so that they do not even need advanced skills to participate in the attack.”
“Understanding the relationships, connections and behaviours of those involved – that is, the economics of cybercrime – can uncover the incentives that drive cybercriminals,” it added.