CISA, FBI Issue Joint Alert on Increased Use of Conti Ransomware
The Cybersecurity and Infrastructure Security Agency and the FBI have issued a joint alert over the increasing prevalence of the Conti ransomware-as-a-service model.
The Conti ransomware saw increased use in more than 400 attacks on U.S. and international organizations, including health care and first responder networks, CISA and the FBI said Wednesday.
To mitigate the threat, the security agencies recommended steps such as adopting multi-factor authentication, implementing network segmentation and keeping operating systems and software up to date.
Conti’s deployers reportedly compromise networks through spearphishing campaigns, stolen or weak Remote Desktop Protocol credentials, phone calls, fake software, malware distribution networks and common vulnerabilities in external assets.
The malicious actors then use legitimate remote monitoring and management software and remote desktop software as backdoors to maintain their presence on the victim’s networks.
Security experts believe that the malware spreads by exploiting unpatched assets such as the 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities, the PrintNightmare vulnerability in Windows and the Zerologon vulnerability in Microsoft Active Directory Domain Controller systems.
Conti’s developers likely pay their deployers a wage instead of taking a cut of the illegal profits made by affiliate cyber actors, as is the case in a typical ransomware-as-a-service setup, CISA said.
In early June, CISA released guidance for the effective use of Mitre ATT&CK, which the government describes as a framework for assessing cybersecurity risks and prioritizing threats.
ATT&CK serves as a repository of adversary information that security analysts can access to understand the techniques used by malicious hackers, including perpetrators of ransomware attacks.