Dive Brief:
- The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and National Security Agency (NSA) issued an advisory for the Conti ransomware strain after observing more than 400 attacks, according to an announcement from the agencies Wednesday.
- Conti gains initial access through spear phishing, stolen Remote Desktop Protocol (RDP) credentials, or fake malicious software, among other techniques. During execution, the operators drop multiple payloads, including one that "reduces the risk of triggering antivirus engines," the advisory said. Operators also use the penetration testing tool Router Scan to scan for and "brute-force routers, cameras and network-attached storage devices with web interfaces."
- CISA recommends multifactor authentication, network segmentation and traffic filters to catch phishing attempts. Companies should also remove applications that are unnecessary for everyday operations.
Dive Insight:
Several security agencies issued a warning last October about Ryuk targeting the healthcare industry. The warning came several months after researchers suspected Ryuk had been rebranded as Conti. The threat group behind the two strains is known for steadily improving its capabilities, and it has established itself as a dominant player among ransomware operators.
The Ryuk/Conti ransomware strains are associated with the threat group dubbed Wizard Spider by CrowdStrike and UNC1878 by FireEye. In 2020, UNC1878 was responsible for at least one-fifth of Ryuk intrusions, FireEye found, whereas Conti was used in only one instance from 2020 to January 2021. Researchers were careful to distinguish the malware used in an attack from the threat group or activity cluster behind it.
That sole documented Conti instance contrasted with UNC1878's previous motive: chaos. The Conti incident was anchored in data extraction and extortion. The pivot highlighted the threat group's ability to quickly scale operations to suit its targets, because Conti is considered a more targeted version of Ryuk.
RiskIQ linked infrastructure related to Conti/Ryuk to the zero-day exploit impacting Microsoft Windows earlier this month, according to research published last week.
"More recently, they have come to rely on a backdoor known as BazaLoader/BazarLoader to deliver payloads, the most common of which is Cobalt Strike," RiskIQ found. "The association of a zero-day exploit with a ransomware group, however remote, is troubling."
The finding could mean a couple of things: either ransomware as a service (RaaS) actors have adopted zero-day exploits, or nation-state ransomware gangs are leveraging "criminally controlled infrastructure to misdirect and impede attribution," RiskIQ said. Either way, the threat actor's objective becomes a little more obscure.
The operational structure of Conti differs from other RaaS models, CISA said. Unlike other RaaS operations, the developers pay those who deploy the ransomware a wage rather than a share of each ransom.
Conti is just shy of $15 million in all-time documented payments, according to data from ransomwhe.re, making it the most lucrative ransomware strain after NetWalker. This year, however, Conti outranked all other high-profile ransomware groups in payments, including REvil, DarkSide, MountLocker, BlackMatter and Egregor.