NSA Issues Advisory on Conti Ransomware

<p>Increased activity from a big player such as Conti, a strain that displays crossovers with the notorious RYUK ransomware, undoubtedly raises alarm bells across the threat landscape. This is a strain known to actively target organisations within the United States, a country which in 2021 fell victim to some of the largest and most destructive ransomware attacks the community has witnessed thus far.</p>
<p>With the disappearance of REvil earlier this year, many affiliates shifted strains, with Conti being one of the popular variants adopted by these criminals, explaining this rapid increase in attack attempts, with the FBI confirming that they have witnessed at least 400 individual attacks against domestic and foreign institutions.</p>
<p>This year Conti successfully disseminated a huge attack against Ireland’s Health Service Executive (HSE) and Department of Health (DoH), one which demanded $20 million, and Irelands Health Service is still recovering from this. The FBI has confirmed that healthcare continues to be one of the most targeted sectors amongst Conti’s attack efforts.</p>
<p>Here we have yet another sophisticated and successful ransomware-as-a-service (RaaS) strain operating out of Russia. Conti is a strain known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors, to maintain persistence on victim networks. Legitimate tools such as Sysinternals and Mimikatz are then utilised on the victim’s network to obtain credentials and escalate privileges, before moving laterally across the network and deploying the Conti malware.</p>
<p> </p>
<p>Adopting multi-factor authentication (MFA), consistently scanning, and patching vulnerabilities, securing your users accounts, implementing network segmentation and limiting access, especially regarding RDP are all critical recommendations for organisations in their fight against Conti.</p>