How to Scale End-to-End Observability in AWS Environments

Security: Conti Ransomware Gangs Increase Attacks on International Organizations

News on security agencies' investigation of the rising attacks on organizations by ransomware experts.

Oct. 13, 2021, 10:04 p.m.

TL;DR

Security agencies alert organizations on the rising attacks of Conti ransomware and advice on what to do to prevent these attacks.

After the attack was concluded, other activities included the usage of Trickbot malware for post-attack manipulations.

Key Facts

1
Conti Ransomware (RaaS) was used in over 400 attacks
2
Affiliates of the contigang carry out attacks
3
Possible ways through which these attacks are being initiated were highlighted.
4
Mitigations such as software updates and multi-factor authentication can be used to prevent these attacks.

Details

An investigation between the Federal Bureau of Investigation (FBI) and The Cybersecurity and Infrastructure Security Agency (CISA) reported increased use of the Conti ransomware in over 400 attacks within the US and International Organizations. The attacks involved stealing files, encrypting servers, encrypting workstations, and a demand for large sums of money in ransom.

The Conti ransomware was observed to be a ransomware-as-a-service (RaaS) model as it was deployed by different affiliates of the Conti gang in different attacks. The affiliates then get paid a pre-agreed fee as opposed to a part of the funds received as ransom from the victims.

The attacks were initiated by infiltrators gaining access to networks through a phishing email containing malicious contents in the form of embedded scripts, often with links to download other malware, including Trickbot and CobaltStrike. The Conti gang could also gain access through a host of other means listed in the report, including phone calls, promotion of fake software promoted by the search engines, malware distributors, common vulnerabilities in external assets.

In escalating the attacks on their victims, the Conti intruders were reported to use part of the victim's tools to consistently gain more ground in the victim's network. Remote monitoring software and remote desktop software were used as backdoors to maintain persistence during the attack. When the need for external tools arose, the intruders were found to have used a couple of tools like the Windows Sysinternals and mimikatz. After the attack was concluded, other activities included the usage of Trickbot malware for post-attack manipulations.

The security agencies advised organizations to use mitigation to protect against the possibilities of a Conti attack. This mitigation included organizations employing multi-factor authentication, network segmentation, and frequent filtering of traffic. They also advised a periodic scan for vulnerabilities, updating software regularly, using tools that ensure a response to endpoint detection, reducing and monitoring access to resources that can be accessed over the network, secure user accounts, and restricting RDP. The mitigation advice was, however, not welcomed by some people.

The report owed the increase in these attacks to the work-from-home setup of many organizations as workers were no longer within the secure firewalls of their various organizations. The report also mentioned the intruders constantly sterling up their game by improving the tools used in performing these attacks and circulating the results on what seemed to be a GitHub forum for attackers.

The attacks happen so fast that it would already be too late for the victim organizations to salvage by the time they are noticed. The attackers go for the mainframe of the networks and infiltrate the major networks.