Conti Ransomware Used to Steal Corporate Documents
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory bulletin. The Cybersecurity Advisory (CSA) warns that cybercriminals are increasingly using Conti ransomware to attack international corporations to steal documents and encrypt IT networks.
Conti ransomware has been used in over 400 attacks on U.S. and international organizations.
Attackers who use Conti ransomware are known to abuse remote monitoring software and Remote Desktop Protocol (RDP) tools used by tech support to gain access to corporate networks. They install backdoors on compromised machines to keep persistent access.
“While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack,” says the advisory.
A ransomware-as-a-service model is one in which a developer writes and maintains the ransomware code. To make money, the developer rents the ransomware out to other hackers, who then give the developer a percentage of any payment collected from a cyberattack.
Conti ransomware is spread through spear phishing campaigns, malicious MS Word documents, stolen remote desktop protocol (RDP) credentials, and fake software. Some hackers may be so bold as to call into an organization and convince tech support to send a password reset link that they use to hack into a network.
CISA recommends the following to stop Conti ransomware attacks:
- Update operating systems, apps, and software
- Use multi-factor authentication (MFA) such as SMS text and authenticator app
- Implement network segmentation to minimize attacks
- Remove unnecessary applications
- For RDP access, configure access controls under the principles of least privilege
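The last two recommendations, segmenting the network and restricting RDP to the accounts and source segments that genuinely need it, are easiest to enforce when you can also audit them. The script below is an added example, not code from the advisory or from CISA: it reads constructed logon records in the style of Windows successful-logon events (Logon Type 10 is the RemoteInteractive type used by RDP) and flags any RDP session whose source address is outside an assumed admin jump-host segment or whose account is not in an assumed list of permitted RDP operators. The CIDR range, account names, hostnames and log lines are all assumptions made for the example.

```python
"""Audit RDP logon events against a least-privilege access policy.

Added example, not part of the CISA advisory or the article. The log
lines are constructed; the network range and account names are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy: RDP to servers is only permitted from the admin jump-host
# segment, and only for accounts in the RDP-operators group.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.10.50.0/24")]
ALLOWED_ACCOUNTS = {"CORP\\jump-admin", "CORP\\svc-backup-ops"}

# Constructed sample records in the style of Windows 4624 (successful logon)
# events. LogonType=10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2021-09-22T03:14:07Z EventID=4624 LogonType=10 Account=CORP\\jump-admin Source=10.10.50.12 Host=FS01
2021-09-22T03:16:41Z EventID=4624 LogonType=10 Account=CORP\\helpdesk7 Source=198.51.100.23 Host=FS01
2021-09-22T03:17:02Z EventID=4624 LogonType=3 Account=CORP\\helpdesk7 Source=10.10.20.5 Host=FS01
2021-09-22T03:19:55Z EventID=4624 LogonType=10 Account=CORP\\jump-admin Source=10.10.20.77 Host=DC01
2021-09-22T03:21:10Z EventID=4624 LogonType=10 Account=CORP\\svc-backup-ops Source=10.10.50.40 Host=BK01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+) Host=(?P<host>\S+)$"
)


@dataclass
class Finding:
    ts: str
    account: str
    source: str
    host: str
    reasons: tuple


def parse_events(text):
    """Turn the constructed key=value lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit_rdp(text, allowed_nets=ALLOWED_SOURCE_NETS, allowed_accounts=ALLOWED_ACCOUNTS):
    """Return a Finding for every RDP logon that violates the assumed policy."""
    findings = []
    for ev in parse_events(text):
        # Only successful RemoteInteractive (RDP) logons are in scope.
        if ev["eid"] != "4624" or ev["ltype"] != "10":
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            src = None
            reasons.append("unparseable source address")
        # Segmentation check: RDP must originate from the jump-host segment.
        if src is not None and not any(src in net for net in allowed_nets):
            reasons.append("source outside admin jump-host segment")
        # Least-privilege check: only designated operator accounts may use RDP.
        if ev["acct"] not in allowed_accounts:
            reasons.append("account not authorised for RDP")
        if reasons:
            findings.append(Finding(ev["ts"], ev["acct"], ev["src"], ev["host"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_rdp(SAMPLE_LOG):
        print(f"{f.ts} {f.account} from {f.source} -> {f.host}: {'; '.join(f.reasons)}")
```

On the constructed sample this reports two sessions: a help-desk account connecting from an Internet address, and a permitted admin account connecting from a workstation segment rather than the jump hosts. The second case is the one worth noticing, since it is exactly what a stolen RDP credential looks like in the logs when the account itself is legitimate. Adapting the script to real data means replacing the constructed parser with your SIEM's export format and the assumed policy values with your own.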
Conti ransomware can be delivered using TrickBot malware.
Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity. Visit the U.S. government’s official website StopRansomware.gov for more guidance on ransomware mitigation.