UPDATED 21:50 EDT / SEPTEMBER 23 2021

SECURITY

Government issues Conti ransomware alert following rapid increase in attacks

The U.S. government has issued a new warning about Conti ransomware following a rapid increase in attacks.

The joint alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation states that more than 400 attacks on U.S. and international organizations have been seen recently. The FBI had previously issued a warning on Conti in May.

“In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations and demand a ransom payment,” the alert notes.

The alert explains that though Conti operates on a ransomware-as-a-service model, a variation in its structure differentiates it from a typical affiliate model. CISA believes that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack.

The initial access vectors seen in Conti attacks include spearphishing campaigns, remote monitoring and management software, the “PrintNightmare” vulnerability and remote desktop software. The PrintNightmare vulnerability was disclosed by Microsoft Corp. in July and affects the Windows Print Spooler service.

“Americans are routinely experiencing real-world consequences of the ransomware epidemic as malicious cyber actors continue to target large and small businesses, organizations, and governments,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a separate statement. “CISA, FBI, and NSA work tirelessly to assess cyber threats and advise our domestic and international partners on how they can reduce the risk and strengthen their own capabilities.”

Organizations are being encouraged to apply mitigations to reduce the risk of compromise by Conti ransomware attacks.

These include using multifactor authentication; implementing network segmentation and filtering traffic; scanning for vulnerabilities and keeping software updated; removing unnecessary applications and applying controls; implementing endpoint detection and response tools; limiting access to resources over the network, in particular restricting RDP; and securing user accounts.

Although the mitigation advice seems solid, not everyone agrees.

“We’re seeing a dramatic resurgence of ransomware using malicious Office documents during the pandemic due to the increase in remote work,” Tony Hadfield, global solution architect at cybersecurity firm Venafi Inc., told SiliconANGLE. “While the typical security control recommendations like network segmentation, 2FA and patching are all helpful, there’s one really simple thing organizations can do that stops ransomware hiding in malicious Office documents in its tracks: code signing macros.”
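Two of the controls discussed above, restricting RDP and allowing only signed Office macros, can be checked on a Windows host without changing anything. The read-only audit script below is an added example; it is not from the CISA/FBI alert, from SiliconANGLE, or from either vendor quoted here. It reads the documented Terminal Server and Office policy registry values; the Office application list and the `16.0` policy path are assumptions and should be adjusted to the Office build in use.

```powershell
# Added example (not from the alert or the article): audit RDP exposure and Office macro
# policy on the local host. Read-only; it reports state and makes no changes.

function Get-RdpHardeningState {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 : Remote Desktop connections are refused
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 : Network Level Authentication is required before a session is created
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Count enabled inbound rules in the built-in "Remote Desktop" firewall group
    $fwEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' }).Count

    [pscustomobject]@{
        RdpDisabled       = ($deny -eq 1)
        NlaRequired       = ($nla -eq 1)
        InboundRdpFwRules = $fwEnabled
    }
}

function Get-OfficeMacroPolicy {
    param(
        # Assumed application list and policy version path; adjust for the deployed Office build
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0'
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
        #              3 = disable except digitally signed, 4 = disable all without notification
        # blockcontentexecutionfrominternet = 1 : macros in files downloaded from the internet are blocked
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $p.VBAWarnings
            SignedMacrosOnly    = ($p.VBAWarnings -in 3, 4)
            BlockInternetMacros = ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Get-RdpHardeningState | Format-List
Get-OfficeMacroPolicy  | Format-Table -AutoSize
```

A `VBAWarnings` value that is missing or below 3 means the host will still run unsigned macros, which is the gap the quoted recommendation targets; a reported `RdpDisabled` of `False` together with enabled inbound firewall rules means RDP is reachable and should be limited to a VPN or jump host per the alert's guidance. The script reads the per-user policy hive, so run it in the context of the user whose policy you want to verify.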

Robert Golladay, a regional director at network security company Illusive Networks Ltd., noted that the escalation of Conti is not surprising given that it is being seen through TrickBot infections.

“Threat actors are constantly stepping up their game and improving their tools to increase their success rate,” Golladay explained. “And then sharing what works — they effectively operate a ‘GitHub’ for attackers, sharing code once they’ve been successful with a technique.”

Once an attacker is in the network, which inevitably will happen, it won’t take them long to move laterally to target “crown jewels,” he added. “At this point, it’s too late for companies to save their valuable data and assets.”

Image: CISA
