The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of the increased use of Conti ransomware after more than 400 attacks on U.S. and international organizations were reported, the agencies said Sept. 22.
Five things to know:
- During most Conti ransomware attacks, hackers steal files, encrypt servers and demand a ransom payment, according to a news release. Conti actors usually gain initial access to a network through spear-phishing campaigns, stolen remote desktop credentials, phone calls and fake software promoted through search engine results.
- CISA and the FBI examined a leaked playbook, which showed that Conti hackers exploit vulnerabilities in unpatched assets to move through a victim's network. Commonly used vulnerabilities include the Windows "PrintNightmare" flaw in the print spooler service, the 2017 Microsoft Windows Server Message Block (SMB) vulnerabilities and the "Zerologon" flaw in Microsoft Active Directory domain controllers.
- Conti ransomware can stop up to 146 Windows services related to backup, security, database and email solutions by using the "net stop" command. It can also delete Windows Volume Shadow Copies, removing a common local recovery option.
- Conti ransomware can spread itself by infecting other remote machines through shared drives on the network.
- After the hackers steal and encrypt data, they use a double extortion tactic: they demand a ransom to restore the encrypted data and also threaten to release the stolen data publicly if the ransom isn't paid.
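As an added example that is not part of the news release or the advisory, the following Python sketch shows how a defender might flag the two behaviours described above in process-creation telemetry: a burst of "net stop" commands from one host, and deletion of Volume Shadow Copies. The pipe-separated log format, hostnames and file paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical format, not real telemetry):
# timestamp | host | parent image | command line
SAMPLE_EVENTS = """\
2021-09-21T02:14:03 | fs01 | C:\\Users\\Public\\update.exe | net stop "SQLWriter" /y
2021-09-21T02:14:03 | fs01 | C:\\Users\\Public\\update.exe | net stop "MSSQLSERVER" /y
2021-09-21T02:14:04 | fs01 | C:\\Users\\Public\\update.exe | net stop "MSExchangeIS" /y
2021-09-21T02:14:04 | fs01 | C:\\Users\\Public\\update.exe | net stop "VeeamBackupSvc" /y
2021-09-21T02:14:04 | fs01 | C:\\Users\\Public\\update.exe | net stop "WinDefend" /y
2021-09-21T02:14:06 | fs01 | C:\\Users\\Public\\update.exe | vssadmin delete shadows /all /quiet
2021-09-21T09:30:10 | ws07 | C:\\Windows\\explorer.exe | net stop Spooler
"""

NET_STOP = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+stop\b")
# Shadow-copy removal via vssadmin or WMI. Both are legitimate admin tools,
# so alert on the action and triage by parent process rather than blocking blindly.
SHADOW_DELETE = re.compile(
    r"(?i)vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete")

def parse(text):
    """Parse the constructed log into (timestamp, host, parent, command) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, parent, cmd = (f.strip() for f in line.split("|", 3))
        events.append((datetime.fromisoformat(ts), host, parent, cmd))
    return events

def detect(events, min_stops=5, window=timedelta(seconds=60)):
    """Return (host, alert_kind, detail) for service-stop bursts and shadow-copy deletion."""
    alerts = []
    stops = defaultdict(list)  # host -> timestamps of net stop commands, in order
    for ts, host, parent, cmd in sorted(events):
        if SHADOW_DELETE.search(cmd):
            alerts.append((host, "shadow_copy_deletion", parent))
        if NET_STOP.search(cmd):
            stops[host].append(ts)
    for host, times in stops.items():
        start = 0  # sliding window over sorted timestamps
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= min_stops:
                alerts.append((host, "service_stop_burst", f"{end - start + 1} in {window.seconds}s"))
                break  # one alert per host is enough
    return alerts
```

A single "net stop" from an interactive shell (ws07 above) stays below the burst threshold, while the rapid sequence from an unusual parent on fs01 triggers both alerts.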