The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert on the Conti ransomware.

The warning, published September 22, stated that the agencies had observed Conti ransomware used in more than 400 attacks on US and international organisations.

The alert explains that typically in Conti ransomware attacks, threat actors steal files, encrypt servers and workstations, and demand a ransom payment.

The alert read: “While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.”

Threat actors often gain initial access to networks through:

  • Spearphishing campaigns using tailored emails that contain malicious attachments or links;
  • Stolen or weak Remote Desktop Protocol (RDP) credentials;
  • Phone calls;
  • Fake software promoted via search engine optimisation;
  • Other malware distribution networks; and
  • Common vulnerabilities in external assets.
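Of the vectors listed, stolen or weak RDP credentials are the one a defender can check for directly in host logs, since every guess lands in the target's Windows Security log as a failed logon (Event ID 4625) with logon type 10 (RemoteInteractive). The following Python is an added example, not code from the FBI/CISA alert or from this article: it flags a source address that exceeds a threshold of failed RDP logons inside a time window, and then flags any RDP success from that same source, which is the signature of a weak password being found. The event records are constructed to resemble 4625/4624 fields; the addresses, accounts and timestamps are made up.

```python
"""Flag RDP password guessing, and a success following it, from Windows logon events.

Added example (not from the alert or the article). Input rows mirror the
fields of Windows Security events 4625 (failed logon) and 4624 (successful
logon); the values below are constructed sample data, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive: an interactive session over RDP

# Constructed sample events: (timestamp, event id, logon type, account, source ip)
SAMPLE_EVENTS = [
    ("2021-09-20T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-09-20T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2021-09-20T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2021-09-20T02:00:07", 4625, 10, "sqlsvc", "203.0.113.7"),
    ("2021-09-20T02:00:09", 4625, 10, "jdoe", "203.0.113.7"),
    ("2021-09-20T02:00:12", 4624, 10, "jdoe", "203.0.113.7"),   # guess succeeded
    ("2021-09-20T02:30:00", 4625, 10, "jdoe", "198.51.100.4"),  # single typo, benign
    ("2021-09-20T02:31:00", 4624, 10, "jdoe", "198.51.100.4"),
    ("2021-09-20T02:40:00", 4625, 3, "svc", "203.0.113.9"),     # network logon, not RDP
]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts in event order.

    ("rdp_bruteforce", ip, None) when `ip` reaches `threshold` failed RDP
    logons within `window`; ("rdp_success_after_bruteforce", ip, account)
    for any later RDP success from an already flagged `ip`.
    """
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts_text, event_id, logon_type, account, ip in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RDP sessions matter for this check
        ts = datetime.fromisoformat(ts_text)
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if event_id == FAILED_LOGON:
            failures.append(ts)
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("rdp_bruteforce", ip, None))
        elif event_id == SUCCESS_LOGON and ip in flagged:
            alerts.append(("rdp_success_after_bruteforce", ip, account))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs, not fixed values: a single failure from an address that then succeeds (198.51.100.4 above) is normal user behaviour and is left alone, while the burst from 203.0.113.7 followed by a success is the case worth paging on. Feed it real 4625/4624 records exported from the Security log (the same five fields) rather than the constructed rows.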

In the execution phase, Conti actors run a getuid payload before using a more aggressive payload, to reduce the risk of triggering antivirus engines.

Cobalt CIO Andrew Obadiru told Infosecurity Magazine: “To protect yourself from becoming the next victim of a Conti attack, I recommend business leaders deploy the following security safeguards: (1) invest in email filtering and phishing detection capabilities; (2) protect and properly secure your remote desktop platform connectivity; (3) perform regular backup testing; and (4) ensure your backups are offline.”