On September 22nd, the Cybersecurity & Infrastructure Security Agency (CISA) released an alert regarding a spike in the use of Conti ransomware. Conti ransomware has been used in attacks more than 400 times against U.S based and international organizations. Back in May, the FBI also released a flash on Conti Ransomware and its impact on healthcare and first responder networks.
Conti ransomware is classified as a ransomware-as-a-service (RaaS) model with a small difference in how its threat actors are compensated. Rather than paying a percentage of the earning from a successful attack, they pay a wage to the individuals who deploy the ransomware. CISA advises Conti typically gains access to networks in the following ways:
- Spear phishing containing malicious links or attachments. Once the link is clicked or the attachment is opened, malware is usually placed on the system to help gain persistent access with Command and Control (C2) operated by software like Cobalt Strike. nGuard published a security advisory on Cobalt Strike earlier this year.
- Stolen or weak remote desktop protocol (RDP) credentials.
- Phone calls.
- Fake software promoted through search engine optimization (SEO).
- Other malware distribution networks (ZLoader).
- Common vulnerabilities in external assets.
Recently, a Conti ransomware playbook was leaked, giving insight on how the organization operates. Some of the main takeaways are how Conti gains access, and the IP addresses they use for their Cobalt Strike C2 servers. Conti has been taking advantage of the recent PrintNightmare vulnerability, Zerologon vulnerability, and the 2017 Windows SMB 1.0 vulnerabilities. A few IPs they are known to use for their C2 operations are:
It is recommended you block these IPs in your firewall to prevent any type of inbound or outbound connection and then be alerted if there is any connection attempts.
To reduce risk, CISA, FBI, and NSA and recommending the following mitigations:
- Implement multi-factor authentication (MFA) to remotely access networks
- Implement network segmentation and filter traffic. This will make it more difficult for ransomware to spread should it find its way into your network.
- Scan for vulnerabilities and keep software updated.
- Remove unnecessary applications and apply controls.
- Implement endpoint detection and response tools.
- Limit access to resources, especially RDP.
- Secure user accounts.
- If infected, use the Ransomware Response Checklist.