The FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency today issued a joint alert warning of increased use of Conti ransomware, which has been seen in more than 400 attacks on US and international organizations, officials report.
Conti is considered a ransomware-as-a-service model; however, variation in its structure differentiates it from a typical affiliate model, the alert states. It's likely that Conti's developers pay the attackers who deploy the ransomware a wage rather than a percentage of the proceeds, officials say.
They list multiple means that Conti actors often use to gain initial network access. These include spear-phishing campaigns that use emails containing malicious attachments or links; stolen or weak Remote Desktop Protocol credentials; phone calls; fake software promoted via search engine optimization; common flaws in external assets; or other malware distribution networks.
"CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces," the alert states. Attackers will exploit legitimate remote monitoring and management software, as well as remote desktop software, to persist on target networks.
A recently leaked "playbook" from Conti attackers revealed that they exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim's environment.
Read the full alert for more details.