In the advisory, which was released on Wednesday, CISA, FBI and NSA shared information about the cyber gang behind Conti, along with technical approaches for detecting and mitigating possible attacks.
Conti garnered attention earlier this year after a successful breach of Ireland's Health Service Executive, in which the group demanded a $20 million ransom. Reports also link Conti to 400 US and international attacks. The cyber group is believed to have ties with Wizard Spider, a sophisticated cyber-crime group based in Russia. Armed with a double-extortion approach of threatening to both encrypt and expose victims' data, plus an aggressive business model, Conti has quickly evolved into a ransomware-as-a-service (RaaS) variant. Conti developers are likely paying deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack, which has led to a proliferation of Conti campaigns.
Both public and private sector organizations are advised to pay immediate attention to these threats. Conti actors often gain initial access to networks through spear-phishing campaigns, malicious Word attachments, stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, other malware distribution networks (e.g., ZLoader), and common vulnerabilities in external assets.
Ransomware resources, communications and infrastructure have become an accessible commodity for threat actors. In line with the advisory, administrators are urged to reduce the risk of an attack promptly by:
• Utilizing multi-factor authentication
• Implementing network segmentation
• Scanning for vulnerabilities and keeping software updated
• Removing unnecessary applications and applying controls
• Limiting access to resources over the network, especially by restricting RDP
• Securing user accounts