FBI, CISA, and NSA Warn Of Escalating Conti Ransomware Attacks
CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warned today of an increased number of Conti ransomware attacks targeting US organizations.
The three US federal agencies urge enterprise IT admins to review their organizations’ network security posture and implement the immediate actions outlined in the joint advisory to defend against Conti ransomware.
Mitigations shared by CISA, FBI, and NSA include keeping operating systems and software up to date, requiring multi-factor authentication, and implementing network segmentation.
Conti ransomware operators have been behind over 400 attacks that hit US and international entities, according to the three agencies.
“The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations,” the advisory reads.
“In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.”
The FBI also warned in May 2021 that Conti operators have tried to breach the networks of over a dozen US healthcare and first responder organizations.
Who is Conti?
Conti shares some of its code with the notorious Ryuk Ransomware, whose TrickBot distribution channels they started using after Ryuk’s activity started slowing down in July 2020.
Although the DoH blocked Conti from encrypting its systems, the HSE was not as lucky and was forced to take down all IT systems to prevent the ransomware from spreading throughout its network.
After the attack on Ireland’s public healthcare system, the Conti gang released a free decryptor for the HSE while warning that they will still leak or sell the data stolen from their network.
In August, a disgruntled affiliate leaked the gang’s training materials, including info about one of its operators, a manual on deploying various tools such as Cobalt Strike and mimikatz, and numerous help documents allegedly provided to Conti affiliates.