Oct 142021

The U.S. Federal Government Continues Its Focus on Ransomware Attacks: CISA, FBI, and NSA Publish Technical Advisory on the Conti Group

Carly R. Owens, Alan Charles Raul and Stephen W. McInerney
, ,

On September 22, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published a cybersecurity advisory (the “Advisory”) outlining the Conti ransomware group’s tactics, techniques, and procedures (“TTPs”) to help companies protect against their attacks. This Advisory is especially notable because it is an example of the type of information sharing promised by the Biden administration, which includes technical details about the Conti group’s TTPs. It also heralds the launch of new website called: StopRansomware.gov.

Background on Conti

The FBI has linked the Conti group to over 400 cyberattacks against organizations worldwide, with 75% of such attacks based in the United States, to steal files, encrypt servers, and demand ransom payment.

These attacks, as Eric Goldstein, the Executive Assistant Director for Cybersecurity at CISA noted, have “real-world consequences.” The cybercrime gang is known for attacking critical infrastructure, including several organizations where IT outages can have significant consequences. For example, Conti targeted the Ireland Health Service Executive in May 2021, resulting in canceled appointments and a disruption of diagnostic services. The FBI reported that this ransomware group also targeted U.S. law enforcement, emergency medical services, dispatch centers, and municipalities; specifically, this group has attacked at least 16 U.S. health and emergency networks.

The Advisory:  Conti’s Tactics, Techniques, and Procedures & the Government’s Defensive Recommendations

Given the prevalence and danger of Conti ransomware group, the Advisory outlines the detailed TTPs of their attacks to provide technical guidance to companies on safeguards to help protect against such attacks.  Some details include:

  • Conti has been known to use a variety of attack vectors to gain access to victims’ networks. The Advisory notes that Conti actors often gain initial access through spearphishing campaigns, stolen/weak Remote Desktop Protocol (RDP) credentials, social engineering phone calls, fake software promoted via search engine optimization, other malware distribution networks, and common vulnerabilities in external assets. Once Conti actors gain access, they have been known to use legitimate remote monitoring and management software and remote desktop software to retain access to victim networks and may also use vulnerabilities in unpatched assets to move across the network.
  • Technical details of Conti attacks. The Advisory includes technical details of Conti’s past attacks, including TTPs during the execution phase, IP addresses known to be associated with Conti, and details from a recently leaked Conti “playbook.”  To review the full technical details, see https://us-cert.cisa.gov/ncas/alerts/aa21-265a.
  • Recommendations to defend against Conti. The Advisory recommends that companies take several steps in order to protect against Conti ransomware attacks. For example, implement multi-factor authentication; secure users accounts by auditing logs and administrative user accounts; restrict access via RDP; implement certain network structure and monitoring tools (g., network segmentation and filter traffic, scan for vulnerabilities, keep software updated, remove unnecessary applications, and utilize endpoint and detection response tools); and use CISA’s Ransomware Response Checklist to determine the best procedures when experiencing a ransomware attack (see p. 11 https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf).

Other Government Efforts to Combat Ransomware

This release follows several recent measures the Federal Government has taken as it continues to ramp up its support for the industry against ransomware attacks. Notably, on May 12, 2021, President Biden issued an Executive Order outlining several actions to improve the Nation’s cybersecurity. More recently, on September 21, 2021, the U.S. Department of the Treasury Office of Foreign Asset Control (OFAC) imposed sanctions on a virtual currency exchange and published an updated advisory highlighting potential risks for those who facilitate ransomware payments.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Carly R. Owens

New York

cowens@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.