The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. The agencies issued a joint advisory describing the technical details of the attacks and recommending measures organizations can take to safeguard their systems against Conti.
Protect against the #Conti #ransomware threat using the #cybersecurity guidance from @CISAgov, @FBI and NSA. Understand Conti group TTPs and take immediate action: https://t.co/Fa1jQdtyoP
— NSA Cyber (@NSACyber) September 22, 2021
In Conti ransomware attacks, the actors gain access to a network through an unprotected RDP port, phishing emails, malicious attachments or downloads, or the exploitation of vulnerabilities. Once inside, they steal files, encrypt servers and workstations, and demand a ransom.
Conti is considered a ransomware-as-a-service (RaaS) model, but its structure differs from the typical affiliate model: according to the agencies, Conti's developers pay the attackers who deploy the ransomware a wage rather than a percentage of the proceeds.
The agencies also observed the threat actors using Router Scan, a penetration testing tool, to maliciously scan for and brute-force routers, cameras, and network-attached storage devices with web interfaces, among other techniques.
Mitigations
CISA, FBI, and NSA recommend that network defenders apply the following measures to reduce the risk of compromise by Conti ransomware:
- Use multi-factor authentication. Require multi-factor authentication for remote access from external sources.
- Implement network segmentation and filter traffic. Restricting the spread of ransomware requires strict segmentation between networks and functions.
- Eliminate unregulated communication between networks. Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
- Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program that teaches users not to visit malicious websites or open malicious attachments.
- Maintain a URL blacklist and/or whitelist to prevent users from accessing malicious websites.
- Scan for vulnerabilities and keep software updated. Use a centralized patch management system, scan network assets regularly, and upgrade operating systems, applications, and firmware on network assets at defined intervals.
- Remove unnecessary applications and apply controls. Delete applications deemed unnecessary for daily operations.
- Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations.
- Implement execution prevention by disabling macro scripts in Microsoft Office files transmitted via email.
- Implement endpoint detection and response (EDR) tools. EDR tools give a high degree of visibility into the security status of endpoints and can help protect effectively against malicious cyber actors.
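As an added example (not part of the advisory or this article), the following Python script reviews a constructed firewall log against two of the points above: allowed traffic with an address on a known-malicious deny list, and RDP reachable from sources outside the internal ranges. The log format, the deny list and the internal ranges are assumptions chosen for the sample.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log (not from the advisory); one accepted flow per line.
SAMPLE_LOG = """\
2021-09-22T10:01:05Z ALLOW proto=tcp src=198.51.100.23:51522 dst=10.0.0.15:3389
2021-09-22T10:01:09Z ALLOW proto=tcp src=10.0.0.15:49231 dst=203.0.113.77:443
2021-09-22T10:02:11Z ALLOW proto=tcp src=10.0.1.8:50110 dst=10.0.0.15:3389
2021-09-22T10:03:40Z ALLOW proto=tcp src=10.0.0.22:49877 dst=192.0.2.10:80
""".splitlines()

# Constructed placeholder deny list; a real deployment loads known-malicious
# indicators from a threat feed rather than hard-coding them.
KNOWN_MALICIOUS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.10/32")]

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also treat the
# documentation (TEST-NET) addresses used in the sample as private.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

def in_any(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def review_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per allowed flow that violates the advisory's guidance."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue  # malformed line, or traffic the firewall already dropped
        ts, sip, dip, dport = m["ts"], m["sip"], m["dip"], m["dport"]
        if in_any(sip, KNOWN_MALICIOUS) or in_any(dip, KNOWN_MALICIOUS):
            # Ingress/egress with a known-malicious address should have been filtered.
            findings.append({"ts": ts, "reason": "traffic with known-malicious IP", "line": line})
        elif dport == "3389" and in_any(dip, INTERNAL) and not in_any(sip, INTERNAL):
            # RDP reachable from outside the internal ranges: the exposed-RDP entry point.
            findings.append({"ts": ts, "reason": "external RDP ingress", "line": line})
    return findings

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f["ts"], f["reason"], f["line"])
```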
Conti ransomware is an ongoing threat to U.S. and International organizations. See our Joint Advisory with @FBI & @NSACyber for immediate actions that you can take to protect your networks against it: https://t.co/QN7fEyndpe #Conti #Ransomware
— Cybersecurity and Infrastructure Security Agency (@CISAgov) September 22, 2021
According to SonicWall's 2021 Cyber Threat Report, ransomware attacks have increased rapidly, with the first half of 2021 alone surpassing the whole of 2020. The report revealed that over 304.7 million ransomware attacks were reported globally in H1 2021, exceeding the 304.6 million attacks recorded in 2020, a 151% increase. High-profile extortion attacks on Colonial Pipeline, JBS Foods, the health care and energy sectors, and more recently Kaseya have severely disrupted the operations of organizations across the globe.
Rewards for Justice Reporting
The U.S. Department of State's Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and for how to report information securely.