Conti Ransomware Operation Buffing, FBI Issues Urgent Warning

• Conti is growing bigger and more dangerous, and the FBI is warning about its rise while giving some IoC.
• The actors are using a range of tools and techniques, including laced Word documents and stolen RDP credentials.
• Conti has caused great trouble in the healthcare sector of multiple countries, so they have no ethical barriers.

Following the Colonial Pipeline hack that forced several RaaS (ransomware as a service) to go silent or private, we see at least one group reaping the benefits of this seizure and welcoming fresh “partners.” While we don’t have concrete evidence for this, it is becoming clear from the numbers that we see - as Conti infections are on the rise, the targeting scope is getting wider, and the impact of the group is now undeniable.

The FBI has released an advisory to warn about Conti’s operations, claiming that the group has already compromised 16 healthcare organizations in the United States and another 290 entities since the beginning of its operations. There are first responder system operators, emergency medical services providers, 911 dispatch centers, and even law enforcement agencies in these organizations. The amount of ransom demanded from each of them varies, but it has been as high as $25 million in some cases.

As the FBI details, Conti actors typically gain access to target networks by using stolen Remote Desktop Protocol (RDP) credentials or by sending laced emails carrying malicious attachments or URLs in the message body. The attachments usually have PowerShell scripts that drop Cobalt Strike, then Emotet, and then the ransomware payload itself.

Conti’s hackers scan the victim’s network for at least a couple of days and up to three weeks, exfiltrating every piece of valuable data before they finally encrypt everything. During this stage, they deploy Sysinternals and Mimikatz, which help them escalate privileges and move laterally in the network, accessing sensitive data that would be useful for the extortion process.

The FBI says that a solid indicator of Conti’s presence in the network is the beaconing through ports 80, 443, 8080, and 8443, while port 53 is used for persistence. The actors use cloud services like MegaNZ to perform large data transfers, so this is another indication. And finally, if you notice the sudden appearance of new accounts or the inexplicable disabling of endpoint detection solutions, you should investigate deeper.

Conti's most recent notable attacks include one against the Irish Health Services, the Indian telecom cable manufacturer ‘Finolex,’ and the Waikato District Health Board in New Zealand. By using KELA's powerful cyber-intelligence tools, we were able to determine that Conti and Avaddon have the lion’s share in public activity right now, dwarfing all other “open” RaaS by far.