Conti Ransomware Was Released by the CSA

Joint statement with the FBI and the NSA warns of increased Conti Ransomware attacks

The cyber threat actors responsible for more than 1,000 registered Conti ransomware attacks are still active. TrickBot and Cobalt Strike are the two main attack vectors. Although there is currently no specific cyber threat against the United States, CISA, the FBI, the NSA and the United States Secret Service (USSS) urge all organizations to review the listed mitigation measures and implement them accordingly.

CISA and the FBI have observed the use of Conti ransomware in more than 400 attacks on US and international organizations. A Conti attack typically consists of file theft, server encryption and a ransom payment demand. To protect against Conti ransomware, the CSA advises implementing multi-factor authentication, segmenting the network, and keeping operating systems and software up to date. The CSA also includes a list of the MITRE ATT&CK techniques and attack vectors used by Conti actors to help organizations defend against ransomware attacks.

Technical Details

Conti is a ransomware variant that follows a Ransomware-as-a-Service (RaaS) model, although it differs from the typical RaaS arrangement in several ways. It is believed that the Conti developers pay the operators who deploy the ransomware a reward for each successful attack. Their campaigns usually gain initial access through:

  • Spearphishing emails carrying Trojanized attachments or links, and stolen or weak Remote Desktop Protocol (RDP) credentials,
  • Fake software promoted through search engine optimization (SEO),
  • Distribution through other malware networks,
  • And exploitation of common vulnerabilities.

Recent reports say that Conti’s operators abuse existing tools and resources on the network to escalate privileges and move laterally. They have also used the open-source Rclone command-line tool to exfiltrate data.

MITRE ATT&CK Techniques

The CSA lists a number of MITRE ATT&CK techniques used by the Conti ransomware group and briefly describes how each technique fits into a Conti ransomware attack and how the attackers use it. Some of the techniques include:

  • Phishing: Spearphishing Attachment
  • Phishing: Spearphishing Link
  • Valid Accounts, abused over Remote Desktop Protocol
  • Command and Scripting Interpreter: Windows Command Shell
  • Native API
  • External Remote Services
  • Process Injection
  • Many more, such as Brute Force.
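Two of the behaviours described above, Rclone-based data exfiltration and RDP brute force, are the kind of thing a detection engineer would want to catch in endpoint and logon telemetry. The following is an added example written for this page; it is not code from Keepnet Labs or from the CISA advisory. It assumes a simplified, constructed JSON event format (field names such as `event`, `image`, `cmdline`, `logon_type` and `src_ip` are assumptions, not a real product schema), and every sample line, hostname and IP address is constructed for illustration. The Rclone check also covers the case where the binary has been renamed, by looking at the shape of the command line rather than only the file name.

```python
"""Illustrative detections for Rclone exfiltration and RDP brute force.
Added example for this page; not Keepnet Labs or CISA code.
Event format and all sample data below are constructed."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (assumed field names). "process" mimics a
# process-creation event; "logon_failure" mimics Windows Security 4625,
# where logon_type 10 (RemoteInteractive) corresponds to an RDP attempt.
SAMPLE_EVENTS = [
    r'{"ts":1000,"host":"ws01","event":"process","image":"C:\\Users\\svc\\rclone.exe","cmdline":"rclone.exe copy C:\\Finance mega:finance-backup --transfers 16"}',
    r'{"ts":1005,"host":"ws01","event":"process","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}',
    r'{"ts":1010,"host":"fs02","event":"process","image":"C:\\ProgramData\\update.exe","cmdline":"update.exe sync C:\\Shares\\HR s3:staging-bucket --config C:\\ProgramData\\r.conf"}',
    r'{"ts":1015,"host":"fs02","event":"process","image":"C:\\Windows\\System32\\Robocopy.exe","cmdline":"robocopy C:\\Data D:\\Backup /E"}',
    r'{"ts":1000,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"203.0.113.7","user":"admin"}',
    r'{"ts":1100,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"203.0.113.7","user":"administrator"}',
    r'{"ts":1200,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"203.0.113.7","user":"backup"}',
    r'{"ts":1300,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"203.0.113.7","user":"svc"}',
    r'{"ts":1400,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"203.0.113.7","user":"helpdesk"}',
    r'{"ts":5000,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"203.0.113.7","user":"admin"}',
    r'{"ts":1000,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"198.51.100.9","user":"jdoe"}',
    r'{"ts":1500,"host":"rdp01","event":"logon_failure","logon_type":10,"src_ip":"198.51.100.9","user":"jdoe"}',
    r'{"ts":1050,"host":"fs02","event":"logon_failure","logon_type":3,"src_ip":"203.0.113.7","user":"admin"}',
]

# Rclone subcommands that move data; a remote target looks like "name:path".
# A Windows drive letter is a single character, so require two or more.
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
RE_REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:")


def parse_events(lines):
    """Parse one JSON event per line into dicts."""
    return [json.loads(line) for line in lines]


def looks_like_rclone(event):
    """True for an rclone.exe process, or a renamed binary whose command
    line pairs a data-moving subcommand with a remote target."""
    if event.get("event") != "process":
        return False
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == "rclone.exe":
        return True
    tokens = event.get("cmdline", "").split()[1:]
    has_subcommand = any(t.lower() in RCLONE_SUBCOMMANDS for t in tokens)
    has_remote = any(RE_REMOTE.match(t) for t in tokens)
    return has_subcommand and has_remote


def detect_rclone_exfil(events):
    """Return the process events that look like Rclone data transfers."""
    return [e for e in events if looks_like_rclone(e)]


def detect_rdp_bruteforce(events, threshold=5, window_s=600):
    """Map source IP -> peak count of failed RDP logons inside any
    sliding window of window_s seconds, for IPs reaching the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("event") == "logon_failure" and e.get("logon_type") == 10:
            by_ip[e["src_ip"]].append(e["ts"])
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def run(lines):
    """Run both detections over raw JSON lines and summarize the findings."""
    events = parse_events(lines)
    return {
        "rclone_exfil": [(e["host"], e["image"]) for e in detect_rclone_exfil(events)],
        "rdp_bruteforce": detect_rdp_bruteforce(events),
    }


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_EVENTS), indent=2))
```

On the constructed sample, the first detection flags the obvious `rclone.exe` run and the renamed `update.exe` sync to an `s3:` remote while leaving `robocopy` (local drive letters only) alone; the second flags 203.0.113.7 with five RDP failures in a ten-minute window and ignores the network (type 3) failures and the low-volume source. In production the thresholds, window and field names would be tuned to the telemetry source at hand.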

Mitigations

The NSA, FBI, and CISA have provided various measures to guard against Conti ransomware attacks:

  • Require multi-factor authentication (MFA) for access to remote resources
  • Define a demilitarized zone (DMZ) network to eliminate unregulated traffic between networks
  • Enable strong spam filters on email
  • Remove any applications that are not needed
  • Investigate any unauthorized software, along with a number of other checks

The CSA provides a detailed report on the Conti ransomware attack scenario and attack pathways. To avoid Conti ransomware attacks, network administrators and cyber security staff are advised to follow the provided advisories.
