The Department of Homeland Security’s cybersecurity agency, the FBI and National Security Agency urged organizations in an alert Wednesday to update their systems amid an increase in Conti ransomware attacks.
DHS’ Cybersecurity and Infrastructure Security Agency and the FBI reported over 400 attacks using Conti ransomware against mostly U.S. targets between spring 2020 and spring 2021. The group primarily runs “double extortion” campaigns in which hackers encrypt and steal files. In the scheme, they demand a ransom from the victim in order to restore access to the systems; if the victim doesn’t pay, the actors threaten to leak the stolen data.
At least 16 of the 400 reported attacks targeted U.S. health care providers and first responder networks, the FBI reported in May.
The Conti ransomware gang has already been linked to several major attacks this year. In June the gang stole roughly 18,000 files from the Tulsa police, leaking some after the city refused to pay. Conti ransomware also caused a weeks-long disruption to Ireland’s public health system earlier this year.
“Americans are routinely experiencing real-world consequences of the ransomware epidemic as malicious cyber actors continue to target large and small businesses, organizations, and governments,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity.
The cybercriminals behind the recent uptick in attacks have historically gone after critical infrastructure, including the defense industry, Rob Joyce, director of cybersecurity at NSA, warned in the advisory.
The alert comes as U.S. cybersecurity officials face a growing crisis of ransomware attacks that have shut down schools, hospitals, businesses and local governments, as well as industries critical to U.S. infrastructure. Earlier this week, the hacking group BlackMatter attacked Iowa grain business New Cooperative, sparking concern about supply chain disruptions in the agriculture industry. The company has been engaging with CISA and the FBI in recovery efforts, according to a separate statement from CISA earlier Wednesday.
Wednesday’s Conti alert also breaks down the operation’s techniques and structure.
“Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant; there is variation in its structure that differentiates it from a typical affiliate model,” the Wednesday alert explains. “It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack.”
Conti often gains initial access to systems through spearphishing campaigns or malicious downloads posing as legitimate software. It then uses that foothold to search for credentials and escalate privileges. A Conti playbook leaked by a disgruntled affiliate earlier this month showed that the group has targeted multiple Microsoft vulnerabilities as access points.
Mitigation steps for organizations include updating operating systems and requiring multi-factor authentication, according to the alert.
Updated 9/23/2021: Updated with the timeframe during which the 400 Conti attacks occurred.