Feds Issue Update on Conti Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have issued an update to their joint Conti ransomware advisory as the number of known Conti attacks on U.S. and international organizations passes 1,000.

The update incorporates information from the recent leak of internal private messages between gang members by a Ukrainian researcher, who also released source code for the ransomware and its administrative panels after the gang posted a statement of support for Russia in its war with Ukraine. CISA says there are no specific or credible cyber threats to the United States at this time, but the Conti gang has targeted many U.S. firms in the past and attacks have increased in recent months.

The Conti gang uses double extortion: files are exfiltrated before encryption, and the victim is threatened with publication of the data if the ransom is not paid. The gang has followed through in many cases, publishing stolen data on its leak site when victims refused to pay.

CISA notes that although Conti is considered ransomware-as-a-service (RaaS), the operation does not follow the typical RaaS model in which affiliates are recruited to conduct attacks for a share of the ransom. Instead, the gang is believed to pay the operators who deploy the ransomware a wage.

CISA says the gang has used the TrickBot Trojan to gain access to networks, and Cobalt Strike is also commonly used. The gang is believed to have recruited TrickBot's developers; development of that malware is thought to have stopped, and the gang now favors BazarBackdoor (also known as BazarLoader), which is far stealthier.

The gang uses spear phishing emails with malicious attachments or hyperlinks; the attachments are often Word documents with malicious macros that download malware such as IcedID and Cobalt Strike. Other initial access vectors include stolen RDP credentials and brute-force guessing of weak RDP credentials, vishing, fake software promoted through search engine poisoning, malware distribution networks such as ZLoader, and commonly unpatched vulnerabilities such as the 2017 Windows Server Message Block 1.0 flaws, ZeroLogon (CVE-2020-1472), and PrintNightmare (CVE-2021-34527).

Once inside a network, the gang abuses legitimate remote monitoring and management (RMM) and remote desktop software to maintain persistence, and uses Windows Sysinternals tools and Mimikatz to obtain users' password hashes and clear-text credentials.

The update adds around 100 domains used by the gang in its malicious activity, although CISA notes that some of them may already have been abandoned. Network defenders are advised to block all of the domains and to implement the mitigations in Alert AA21-265A, Conti Ransomware.
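Because some of the listed domains may already be abandoned, a practitioner will want to do two things with the indicator list: block the domains going forward, and scan retained DNS query logs for past hits. The script below is an added example written for this article, not code from CISA or from the advisory; the indicator domains and the BIND-style query log lines in it are constructed placeholders under the reserved .invalid TLD, not the domains published in AA21-265A. It normalizes a pasted IOC list, matches queries on label boundaries (so subdomains of an indicator are caught but look-alike names that merely contain an indicator as a substring are not), and renders an RPZ zone body that returns NXDOMAIN for each indicator and its subdomains.

```python
"""Match DNS query logs against a domain indicator list and emit a block zone.

Added example (not from the advisory or the article). The indicator domains
and log lines below are constructed placeholders under the reserved .invalid
TLD, not the domains published in AA21-265A.
"""
from __future__ import annotations

import re

# Constructed indicator list in the style of an advisory IOC appendix:
# mixed case, a trailing root dot, stray whitespace and a comment line.
IOC_DOMAINS_RAW = """
# Conti-associated domains (placeholder values)
Badsite-One.invalid
cdn.loader-two.invalid.
  panel-three.invalid
"""

# Constructed resolver query log lines (BIND-style query log format).
DNS_LOG_SAMPLE = """\
09-Mar-2022 10:01:02.113 queries: info: client 10.0.0.5#51234: query: www.microsoft.com IN A + (10.0.0.2)
09-Mar-2022 10:01:05.271 queries: info: client 10.0.0.17#49152: query: badsite-one.invalid IN A + (10.0.0.2)
09-Mar-2022 10:01:07.900 queries: info: client 10.0.0.17#49153: query: api.cdn.loader-two.invalid IN A + (10.0.0.2)
09-Mar-2022 10:01:09.004 queries: info: client 10.0.0.23#50000: query: notbadsite-one.invalid IN A + (10.0.0.2)
09-Mar-2022 10:01:11.550 queries: info: client 10.0.0.31#50001: query: PANEL-THREE.INVALID. IN TXT + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize_domain(name: str) -> str:
    """Lower-case the name and strip whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")


def load_indicators(raw: str) -> set[str]:
    """Parse an IOC list: one domain per line, '#' comments and blanks ignored."""
    out: set[str] = set()
    for line in raw.splitlines():
        domain = normalize_domain(line.split("#", 1)[0])
        if domain:
            out.add(domain)
    return out


def matches_indicator(qname: str, indicators: set[str]) -> str | None:
    """Return the indicator that an exact or subdomain query matches, else None.

    Walks label boundaries from the left, so 'api.cdn.loader-two.invalid'
    hits 'cdn.loader-two.invalid', while 'notbadsite-one.invalid' does not
    hit 'badsite-one.invalid' (no substring matching).
    """
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(log_text: str, indicators: set[str]) -> list[dict]:
    """Return one hit record per logged query whose name matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip rather than fail on other log noise
        ioc = matches_indicator(m["qname"], indicators)
        if ioc:
            hits.append({"client": m["client"], "qname": normalize_domain(m["qname"]),
                         "qtype": m["qtype"], "indicator": ioc})
    return hits


def rpz_zone(indicators: set[str]) -> str:
    """Render an RPZ zone body: 'CNAME .' is the NXDOMAIN action, and the
    wildcard record extends the block to every subdomain of the indicator."""
    lines = []
    for domain in sorted(indicators):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    iocs = load_indicators(IOC_DOMAINS_RAW)
    for hit in scan_dns_log(DNS_LOG_SAMPLE, iocs):
        print(f"{hit['client']} queried {hit['qname']} ({hit['qtype']}) -> matches {hit['indicator']}")
    print(rpz_zone(iocs))
```

On the constructed sample the scan reports three hits (the exact match, the subdomain match, and the upper-cased query with a trailing dot) and ignores the look-alike name. Paste the advisory's domain list in place of the placeholder IOC block and point the log reader at your resolver's retained query logs; any historical hit on a domain that is now abandoned still indicates a host that was talking to Conti infrastructure at the time and warrants an incident response look-back.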


Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news