Cyber threat actors responsible for over 1,000 recorded Conti ransomware attacks remain active. TrickBot and Cobalt Strike are the two tools most commonly seen in these attacks. Although no specific cyber threat to the US has been identified at this time, CISA, the FBI, the NSA and the United States Secret Service (USSS) urge all organizations to review the mitigations in the advisory and apply them accordingly.
CISA and the FBI have observed the increased use of Conti ransomware in more than 400 attacks on US and international organizations. A Conti attack consists of stealing files, encrypting servers and demanding a ransom payment.
To protect against Conti ransomware attacks, the joint Cybersecurity Advisory (CSA) lists mitigations that include implementing multi-factor authentication, segmenting networks and keeping operating systems and software up to date.
The CSA also lists the domains and MITRE ATT&CK techniques observed in Conti ransomware attacks.
Conti is considered a Ransomware-as-a-Service (RaaS) variant, although its structure differs in several respects from the typical affiliate model. It is believed that the Conti developers pay the deployers of the ransomware a wage for a successful attack. Their campaigns most often rely on:
- Spearphishing emails carrying trojanized attachments
- Stolen Remote Desktop Protocol (RDP) credentials
- Fake software promoted through search engine optimization (SEO)
- Malware distribution networks
- Exploitation of common vulnerabilities
Recent reports state that Conti actors exploit unpatched assets to escalate privileges and move laterally. They have also used the open-source Rclone command-line program for data exfiltration.
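The Rclone exfiltration mentioned above is one of the few behaviours in these intrusions that is visible in ordinary process-creation telemetry. The following Python is an added defensive illustration, not code from the advisory or from this article: it scans constructed process-creation log lines and flags rclone-style bulk transfers to cloud remotes, including the case where the rclone binary has been renamed to something innocuous. The key=value log format, the field names and the list of "characteristic" rclone flags are assumptions chosen for the example; the rclone subcommands, options and `remote:path` syntax themselves are real rclone conventions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample process-creation events (simplified key=value form loosely
# modelled on Sysmon Event ID 1; not real telemetry from any incident).
SAMPLE_EVENTS = [
    'host=ws01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe report.txt"',
    'host=srv-fs02 user=CORP\\svc_backup image=C:\\Users\\Public\\rclone.exe '
    'cmdline="rclone.exe copy D:\\Shares\\Finance mega:dump --transfers 16 --config C:\\Users\\Public\\rc.conf"',
    'host=srv-fs02 user=CORP\\svc_backup image=C:\\Temp\\svchost.exe '
    'cmdline="svchost.exe sync \\\\fs01\\HR remote1:hr --config c:\\temp\\x.conf --transfers 32"',
    'host=ws07 user=CORP\\asmith image="C:\\Program Files\\rclone\\rclone.exe" '
    'cmdline="rclone.exe version"',
]

# rclone subcommands that move data; "version", "ls" etc. are not transfers.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Real rclone options that rarely appear on other tools' command lines.
# Treating them as a fingerprint is an assumed heuristic for this example.
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--max-age", "--progress"}
# rclone addresses storage as "<remote>:<path>". Requiring two or more name
# characters before the colon keeps drive letters ("C:\...") from matching, and
# the lookahead rejects URL schemes ("https://...").
REMOTE_RE = re.compile(r"[A-Za-z][\w-]+:(?![\\/])\S*")


@dataclass
class Alert:
    host: str
    user: str
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; values may be double-quoted."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def rclone_indicators(event: Dict[str, str]) -> List[str]:
    """Return human-readable reasons why this event looks like an rclone transfer."""
    image = event.get("image", "")
    basename = image.rsplit("\\", 1)[-1].lower()
    tokens = event.get("cmdline", "").split()
    lowered = [t.lower() for t in tokens]
    verb = lowered[1] if len(lowered) > 1 and lowered[1] in RCLONE_TRANSFER_VERBS else None
    remotes = [t for t in tokens if REMOTE_RE.fullmatch(t)]
    flags = sorted(RCLONE_FLAGS.intersection(lowered))

    reasons: List[str] = []
    if verb is None:
        return reasons  # no data-moving subcommand: nothing to report
    if basename == "rclone.exe":
        reasons.append("image is rclone.exe")
    if remotes:
        reasons.append(f"'{verb}' targets rclone remote {remotes[0]}")
    if flags:
        reasons.append("rclone-specific flags: " + ", ".join(flags))
    if basename != "rclone.exe" and (remotes or flags):
        # rclone syntax under another process name suggests a renamed binary
        reasons.append(f"rclone syntax under non-rclone image name {basename}")
    return reasons


def detect_rclone_exfil(lines: List[str]) -> List[Alert]:
    """Run the indicator logic over raw log lines and collect alerts."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_event(line)
        reasons = rclone_indicators(event)
        if reasons:
            alerts.append(Alert(event.get("host", "?"), event.get("user", "?"),
                                event.get("image", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_rclone_exfil(SAMPLE_EVENTS):
        print(f"[ALERT] {a.host} {a.user} {a.image}")
        for r in a.reasons:
            print("   -", r)
```

Run against the constructed sample, the script raises two alerts on `srv-fs02`: one for the undisguised `rclone.exe copy ... mega:dump`, and one for the same syntax running under the name `svchost.exe`, which is the case a name-only detection would miss. The `rclone.exe version` invocation on `ws07` is correctly ignored because it moves no data.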
MITRE ATT&CK Techniques
The CSA lists the MITRE ATT&CK techniques used by the Conti ransomware group and briefly explains how each relates to Conti ransomware attacks and how the attackers apply it. Some of the techniques are:
- Phishing: Spearphishing Attachment
- Phishing: Spearphishing Link
- Remote Desktop access using known valid accounts
- Command and Scripting Interpreter: Windows Command Shell
- Native API
- External Remote Services
- Process Injection
- Brute Force, and many others
To mitigate Conti ransomware attacks, the NSA, the FBI and CISA have provided a number of defensive measures, including:
- Enforcing MFA for access to remote resources
- Using a demilitarized zone (DMZ) to remove unregulated traffic between networks
- Enforcing strong spam filters on email
- Removing unwanted applications
- Investigating unauthorized software, and many others
The CSA provides full documentation of the attack scenario and the attack vectors used by Conti ransomware. Network administrators and cyber security personnel are advised to follow the recommendations in the advisory to protect against Conti ransomware attacks.