24 September 2021

US security agencies warn of increase in Conti ransomware attacks


The US Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning of the increased use of Conti ransomware. The agencies said they have observed more than 400 attacks on U.S. and international organizations involving Conti ransomware.

In the advisory, CISA noted that while Conti operates under a ransomware-as-a-service (RaaS) model, it differs slightly from other RaaS operations: instead of taking a cut of ransom payouts, the Conti developers pay the deployers of the ransomware a wage.

The Conti ransomware gang typically uses a variety of methods and tools to infiltrate systems, including spearphishing campaigns, remote monitoring and management (RMM) software and remote desktop software, as well as common vulnerabilities in external assets, such as the “PrintNightmare” vulnerability (CVE-2021-34527) in the Windows Print Spooler service and the “Zerologon” vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems.

The spearphishing campaigns seen by CISA used tailored emails that contain malicious attachments or links. The group also uses malicious Microsoft Word attachments to deploy additional malware, such as TrickBot and IcedID, and/or Cobalt Strike.

“Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks,” CISA said.

To prevent future Conti ransomware attacks, the three agencies recommend the following:

  • Use multi-factor authentication.

  • Implement network segmentation and filter traffic.

  • Scan for vulnerabilities and keep software updated.

  • Remove unnecessary applications and apply controls.

  • Implement endpoint detection and response (EDR) tools.

