On September 22, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published a cybersecurity advisory (the “Advisory”) outlining the Conti ransomware group’s tactics, techniques, and procedures (“TTPs”) to help companies protect against its attacks. This Advisory is especially notable because it is an example of the type of information sharing promised by the Biden administration: it includes technical details about the Conti group’s TTPs. It also heralds the launch of a new website, StopRansomware.gov.
Background on Conti
The FBI has linked the Conti group to over 400 cyberattacks against organizations worldwide, with 75% of such attacks based in the United States, to steal files, encrypt servers, and demand ransom payment.
These attacks, as Eric Goldstein, the Executive Assistant Director for Cybersecurity at CISA noted, have “real-world consequences.” The cybercrime gang is known for attacking critical infrastructure, including several organizations where IT outages can have significant consequences. For example, Conti targeted the Ireland Health Service Executive in May 2021, resulting in canceled appointments and a disruption of diagnostic services. The FBI reported that this ransomware group also targeted U.S. law enforcement, emergency medical services, dispatch centers, and municipalities; specifically, this group has attacked at least 16 U.S. health and emergency networks.
The Advisory: Conti’s Tactics, Techniques, and Procedures & the Government’s Defensive Recommendations
Given the prevalence and danger of the Conti ransomware group, the Advisory outlines the detailed TTPs of its attacks to provide technical guidance to companies on safeguards that help protect against such attacks. Some details include:
- Conti has been known to use a variety of attack vectors to gain access to victims’ networks. The Advisory notes that Conti actors often gain initial access through spearphishing campaigns, stolen/weak Remote Desktop Protocol (RDP) credentials, social engineering phone calls, fake software promoted via search engine optimization, other malware distribution networks, and common vulnerabilities in external assets. Once Conti actors gain access, they have been known to use legitimate remote monitoring and management software and remote desktop software to retain access to victim networks and may also use vulnerabilities in unpatched assets to move across the network.
- Technical details of Conti attacks. The Advisory includes technical details of Conti’s past attacks, including TTPs during the execution phase, IP addresses known to be associated with Conti, and details from a recently leaked Conti “playbook.” To review the full technical details, see https://us-cert.cisa.gov/ncas/alerts/aa21-265a.
- Recommendations to defend against Conti. The Advisory recommends that companies take several steps in order to protect against Conti ransomware attacks. For example: implement multi-factor authentication; secure user accounts by auditing logs and administrative user accounts; restrict access via RDP; implement certain network structure and monitoring controls (e.g., network segmentation and traffic filtering, vulnerability scanning, keeping software updated, removing unnecessary applications, and utilizing endpoint detection and response tools); and use CISA’s Ransomware Response Checklist to determine the best procedures when experiencing a ransomware attack (see p. 11 of https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf).
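Two of the recommendations above, auditing logon activity and restricting RDP, are easiest to see in practice with a small detection routine. The following is an added example, not code from the Advisory, CISA, or the Conti playbook. It assumes Windows Security events have been exported in a simple `key=value` line format (a hypothetical format chosen for readability, not a real Windows log capture); the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values, while the sample log lines, the failure threshold, and the time window are constructed assumptions.

```python
"""Flag password guessing against RDP from exported Windows Security events.

Added example for the Advisory's "audit logs" and "restrict RDP" guidance.
It is not CISA's or the Advisory's code. The export format and the sample
events below are constructed; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Standard Windows Security event values (not page-specific).
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / RDP

# Hypothetical key=value export format, one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event_id>\d+)\s+LogonType=(?P<logon_type>\d+)"
    r"\s+TargetUser=(?P<user>\S+)\s+SrcIP=(?P<src_ip>\S+)\s+Status=(?P<status>\S+)$"
)

# Constructed sample data: a burst of RDP failures from one external address
# followed by a success, plus a single benign mistyped password from inside.
SAMPLE_LOG = """\
2021-09-20T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=198.51.100.23 Status=0xC0000064
2021-09-20T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=198.51.100.23 Status=0xC0000064
2021-09-20T02:14:05Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=198.51.100.23 Status=0xC0000064
2021-09-20T02:14:08Z EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.23 Status=0xC000006A
2021-09-20T02:14:10Z EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.23 Status=0xC000006A
2021-09-20T02:14:15Z EventID=4624 LogonType=10 TargetUser=jsmith SrcIP=198.51.100.23 Status=0x0
2021-09-20T08:05:00Z EventID=4625 LogonType=10 TargetUser=mlee SrcIP=10.0.4.17 Status=0xC000006A
2021-09-20T08:05:20Z EventID=4624 LogonType=10 TargetUser=mlee SrcIP=10.0.4.17 Status=0x0
2021-09-20T09:00:00Z EventID=4625 LogonType=2 TargetUser=mlee SrcIP=- Status=0xC000006A
"""


def parse_events(text):
    """Parse the key=value export into a list of event dicts (bad lines skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(d["event_id"]),
            "logon_type": int(d["logon_type"]),
            "user": d["user"],
            "src_ip": d["src_ip"],
            "status": d["status"],
        })
    return events


def find_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources with >= threshold RDP failures in any window.

    An alert also records whether the same source later logged on successfully
    over RDP, which is the case that most urgently needs an analyst's attention.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this check
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append(ev)
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            successes[ev["src_ip"]].append(ev)

    alerts = {}
    for src_ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                window_start = evs[start]["ts"]
                alerts[src_ip] = {
                    "failures": len(evs),
                    "first_seen": evs[0]["ts"].isoformat(),
                    "users": sorted({e["user"] for e in evs}),
                    "success_after": any(s["ts"] >= window_start for s in successes.get(src_ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, alert in find_rdp_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {alert['failures']} RDP failures against {alert['users']}, "
              f"later success={alert['success_after']}")
```

In the sample, only `198.51.100.23` trips the check (five failures in nine seconds across three accounts, then a successful logon), while the single mistyped password from `10.0.4.17` and the non-RDP failure are ignored. In a real deployment the same logic would run over events collected centrally, and a positive hit is a prompt to confirm that RDP is not reachable from the internet and that the accounts involved require multi-factor authentication, both of which the Advisory recommends.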
Other Government Efforts to Combat Ransomware
This release follows several recent measures the Federal Government has taken as it continues to ramp up its support for the industry against ransomware attacks. Notably, on May 12, 2021, President Biden issued an Executive Order outlining several actions to improve the Nation’s cybersecurity. More recently, on September 21, 2021, the U.S. Department of the Treasury Office of Foreign Asset Control (OFAC) imposed sanctions on a virtual currency exchange and published an updated advisory highlighting potential risks for those who facilitate ransomware payments.