
Conti ransomware warning

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI have observed over 400 attacks using Conti ransomware against US and other organisations to steal files, encrypt servers and workstations, and demand a ransom payment in return for the stolen sensitive data.

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model, say the agencies. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack.

At the Cybersecurity and Infrastructure Security Agency (CISA), Eric Goldstein, Executive Assistant Director for Cybersecurity, said: “Americans are routinely experiencing real-world consequences of the ransomware epidemic as malicious cyber actors continue to target large and small businesses, organisations, and governments.

“CISA, FBI, and NSA work tirelessly to assess cyber threats and advise our domestic and international partners on how they can reduce the risk and strengthen their own capabilities. We encourage Americans to visit to learn how to improve their own cybersecurity to mitigate risk of becoming a victim of ransomware.”

And Assistant Director Bryan Vorndran of the FBI’s Cyber Division, said: “The FBI, along with our partners at CISA and NSA, is committed to providing resources in an effort to help public and private sector entities protect their systems against ransomware attacks.

“Our collaborative partnerships and common sense of purpose are essential to our collective fight and when combined with our world-class capabilities, we can discourage this criminal behaviour by enacting a wide range of consequences against these malicious cyber actors.”

Rob Joyce, Director of Cybersecurity at NSA, said: “The cyber criminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (DIB), prior to Conti campaigns, and the advisory highlights actions organisations can take right now to counter the threat.

“NSA works closely with our partners, providing critical intelligence and enabling operations to counter ransomware activities. We highly recommend using the mitigations outlined in this advisory to protect against Conti malware and mitigate your risk against any ransomware attack.”

Like the authorities in other countries, CISA, the FBI and the NSA strongly discourage paying a ransom. Paying, they point out, may embolden adversaries to target others, encourages other criminals to engage in the distribution of ransomware, and does not guarantee that a victim’s files will be recovered.


At the cyber firm Attivo Networks, Tony Cole, Chief Technology Officer said that 2021 has seen a significant spike in ransomware attacks and the size of payout demands. “The Verizon Data Breach Investigations Report (DBIR) says that ransomware attacks doubled in 2020, which doesn’t include the spate of attacks seen this year. Attackers are working overtime to compromise systems as quickly as possible, stealing data and encrypting critical systems to hold companies hostage for payment.

“Adversaries continue to break into systems via simple phishing emails that compromise an initial endpoint. From there, it’s not that difficult for them to masquerade as a legitimate user using the credentials they stole from the initial incursion. With that user’s credentials, they conduct queries to find targets in the enterprise Active Directory system, steal more credentials with elevated privileges, and rinse and repeat until they have gained access to their target. Then, in the case of the 400 previous Conti victims, they can steal corporate data, encrypt systems, gain control over security settings, and begin the hostage process for a ransom.

“To counter these challenges, organisations must understand that they can’t prevent all attacks. They must put in place systems that detect in-network lateral movement and credential misuse, look for privilege escalation, and protect identity management systems such as Active Directory. Without this visibility, we will continue to read about these large successful ransomware attacks for the foreseeable future.”
