US CISA, FBI, and NSA warn an escalation of Conti ransomware attacks

CISA, FBI, and the NSA warned today of an escalation of the attacks of the Conti ransomware gang targeting US organizations.

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) are warning of an increased number of Conti ransomware attacks against US organizations.

The advisory urges organizations to take supplementary measures to increase their level of security.

According to the three US agencies, Conti ransomware operators already conducted over 400 attacks against US and international organizations.

“The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.” reads the advisory. “To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.”

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.

The advisory published by the US agencies provides the following mitigations:

Use multi-factor authentication.
Implement network segmentation and filter traffic.
Scan for vulnerabilities and keep software updated.
Remove unnecessary applications and apply controls.
Implement endpoint and detection response tools.
Limit access to resources over the network, especially by restricting RDP.
Secure user accounts.
Use the Ransomware Response Checklist in case of infection.

In May, the Federal Bureau of Investigation (FBI) revealed that the Conti ransomware gang has hit at least 16 healthcare and first responder organizations.

In August, an affiliate of the Conti RaaS has leaked the training material provided by the group to the customers of its RaaS, he also published the info about one of the operators.

The Conti operators offer their services to their affiliates and maintain 20-30% of each ransom payment.

The affiliate leaked the IP addresses for Cobalt Strike C2 servers and an archive of 113 MB that includes training material and tools shared by the Conti operators with its network to conduct ransomware attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.