FBI and CISA offer Conti ransomware warning

FBI’s cyber division personnel in front of a computer screen. (FBI)

Underscoring the level of concern about a single criminal actor, the Cybersecurity and Infrastructure Security Agency and the FBI released an advisory about the Conti ransomware on Wednesday. The two agencies noted they had observed more than 400 attacks by the criminal group.

“The cybercriminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (DIB), prior to Conti campaigns, and the advisory highlights actions organizations can take right now to counter the threat,” said Rob Joyce, director of cybersecurity at the NSA, in a statement accompanying the advisory.

The alert covers known details about the Conti group, including the tactics its affiliates use to breach networks. These include phishing via email and phone, malicious Word documents, stolen RDP credentials, fake SEO software, legitimate pentesting tools, Kerberos attacks nicknamed "Kerberoasting," malware distribution networks such as TrickBot, a legacy Microsoft Server vulnerability, and the more recent PrintNightmare and ZeroLogon vulnerabilities. It also includes mitigation advice, indicators of compromise and a mapping to the MITRE ATT&CK framework.

Conti differs organizationally from other ransomware-as-a-service groups by paying its affiliates a wage rather than a commission on successful attacks.

The advisory follows an FBI flash alert sent to healthcare and first responder groups in May.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
