Underscoring the level of concern about the criminal group behind it, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on the Conti ransomware on Wednesday. The two agencies said they had observed Conti ransomware used in more than 400 attacks on U.S. and international organizations.
“The cybercriminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (DIB), prior to Conti campaigns, and the advisory highlights actions organizations can take right now to counter the threat,” said Rob Joyce, director of cybersecurity at the NSA, in a statement accompanying the advisory.
The alert covers what is known about the Conti group, including the techniques its affiliates use to gain initial access and move through victim networks: phishing via email and phone calls, malicious Word attachments carrying embedded scripts, stolen or weak Remote Desktop Protocol (RDP) credentials, fake software promoted through search engine optimization, legitimate penetration-testing tools, Kerberos service-ticket attacks known as Kerberoasting, malware distribution networks such as TrickBot, the 2017 Microsoft Windows Server Message Block (SMB) 1.0 server vulnerabilities, and the more recent PrintNightmare (CVE-2021-34527) and ZeroLogon (CVE-2020-1472) flaws. It also provides mitigation advice, indicators of compromise and a mapping of the group's techniques to the MITRE ATT&CK framework.
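Of the techniques listed above, Kerberoasting is one where a concrete detection check is easy to show. The following is an added example written for this page, not code from the advisory or from CISA, the FBI or the NSA. It runs two common heuristics over Windows Security event 4769 (Kerberos service ticket request) records: requests for RC4-HMAC (encryption type 0x17) tickets against user service accounts, and one requester asking for many distinct service principal names in a short window. The record layout, thresholds and sample events are all constructed assumptions for illustration.

```python
"""Kerberoasting detection heuristics over Windows event 4769 records.

Added example, not from the advisory. The sample records below are constructed;
real 4769 events carry these values in fields such as IpAddress, TargetUserName,
ServiceName and TicketEncryptionType.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # encryption type Kerberoasting tools typically request
SWEEP_THRESHOLD = 5               # distinct SPNs from one requester in the window (assumed tuning)
SWEEP_WINDOW = timedelta(minutes=5)

# Constructed sample events (assumption: one dict per 4769 record).
SAMPLE_EVENTS = [
    # normal AES (0x12) traffic from a workstation
    {"time": "2021-09-22T10:00:01", "client": "10.0.0.5", "account": "alice@CORP", "service": "SQL01$", "etype": "0x12"},
    {"time": "2021-09-22T10:00:02", "client": "10.0.0.5", "account": "alice@CORP", "service": "krbtgt", "etype": "0x12"},
    # a legacy host using RC4 for a machine-account ticket: noise, not a roast target
    {"time": "2021-09-22T10:01:00", "client": "10.0.0.9", "account": "carol@CORP", "service": "FILE02$", "etype": "0x17"},
    # suspicious: RC4 tickets for five user service accounts within seconds
    {"time": "2021-09-22T10:05:00", "client": "10.0.0.77", "account": "bob@CORP", "service": "svc_sql", "etype": "0x17"},
    {"time": "2021-09-22T10:05:01", "client": "10.0.0.77", "account": "bob@CORP", "service": "svc_backup", "etype": "0x17"},
    {"time": "2021-09-22T10:05:02", "client": "10.0.0.77", "account": "bob@CORP", "service": "svc_web", "etype": "0x17"},
    {"time": "2021-09-22T10:05:03", "client": "10.0.0.77", "account": "bob@CORP", "service": "svc_iis", "etype": "0x17"},
    {"time": "2021-09-22T10:05:04", "client": "10.0.0.77", "account": "bob@CORP", "service": "svc_sccm", "etype": "0x17"},
]


def is_user_service_account(service):
    """Machine accounts (trailing '$') and krbtgt are not Kerberoasting targets:
    their keys are long and random, so their tickets are not worth cracking."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_requests(events):
    """Heuristic 1: RC4-HMAC tickets requested for user service accounts."""
    return [e for e in events
            if e["etype"] == RC4_HMAC and is_user_service_account(e["service"])]


def spn_sweeps(events, threshold=SWEEP_THRESHOLD, window=SWEEP_WINDOW):
    """Heuristic 2: one (client, account) requesting >= threshold distinct
    user-service SPNs inside any sliding window. Returns {requester: [spns]}."""
    by_requester = defaultdict(list)
    for e in events:
        if is_user_service_account(e["service"]):
            key = (e["client"], e["account"])
            by_requester[key].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for key, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            names = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                hits[key] = sorted(names)
                break
    return hits


def run(events=SAMPLE_EVENTS):
    """Convenience entry point returning both heuristics' findings."""
    return {"rc4_requests": rc4_service_requests(events), "sweeps": spn_sweeps(events)}


if __name__ == "__main__":
    for e in run()["rc4_requests"]:
        print("RC4 service ticket:", e["client"], e["account"], "->", e["service"])
    for (client, account), spns in run()["sweeps"].items():
        print("SPN sweep:", client, account, "->", ", ".join(spns))
```

Two caveats for anyone adapting this: event 4769 is only logged when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on domain controllers, and RC4 requests are not proof of attack on their own, since older clients and some applications still negotiate RC4. The value of the check is in the combination (RC4 plus many SPNs from one source) and in tuning the window and threshold to the domain's normal ticket volume.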
Conti differs organizationally from other ransomware-as-a-service operations: its affiliates are believed to be paid a wage rather than a share of the ransom proceeds from successful attacks.
The advisory follows an FBI flash alert in May that warned healthcare and first responder organizations about Conti attacks.