The FBI: Conti ransomware attacks healthcare and first responder networks. The ransomware has hit at least 16 such targets. The malware steals victims’ files and encrypts servers to force a ransom payment.
The Conti ransomware group has been linked to at least 16 attacks aimed at disrupting healthcare and first responder networks in the United States, the FBI announced in a flash advisory. According to the same advisory, the cybercrime gang is connected to more than 400 attacks against organizations worldwide, over 290 of them in the US. Like most ransomware variants, Conti typically steals victims’ files and encrypts their servers and workstations in an effort to force a ransom payment. The ransom note instructs victims to contact the actors through an online portal to complete the transaction; if the ransom is not paid, the stolen data is sold or published on a leak site controlled by the Conti actors. Ransom amounts vary widely and, the FBI assesses, are tailored to the victim; recent demands have been as high as $25 million.
How the ransomware infection works
According to the FBI, Conti actors gain initial access to victim networks through malicious email links and attachments or stolen Remote Desktop Protocol (RDP) credentials. The phishing lures are weaponized Word documents with embedded PowerShell scripts: the document first stages Cobalt Strike, after which Emotet is dropped onto the network, giving the actors the access they need to deploy the ransomware. The actors are observed inside the victim network for between four days and three weeks on average before deploying the malware, primarily using dynamic-link libraries (DLLs) for delivery. They first use tools already available on the network, then add tools as needed, such as Windows Sysinternals and Mimikatz, to escalate privileges and move laterally before exfiltrating and encrypting data. In some cases where additional resources are needed, the actors also use Trickbot. Once the ransomware has been deployed, the actors may remain in the network and beacon out using Anchor DNS.
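The chain above (Office document launching PowerShell, DLL-based delivery, Mimikatz and Sysinternals for credential theft, a multi-day dwell time) maps directly onto process-creation telemetry. The following script is an added example, not code from the FBI advisory or from Security Affairs: it runs a handful of detection rules over Sysmon-style process-creation records and reports the span between the first and last hit on a host. The field names, the sample events and the hostnames are constructed for this example; the encoded-PowerShell rule is an added heuristic (the advisory does not say the embedded scripts were encoded), and the rules are generalized slightly beyond the text to cover other Office applications and script hosts.

```python
"""Detection heuristics for the Conti intrusion chain described in the advisory.

Events are Sysmon-style process-creation records reduced to a small dict.
All field names, hosts and sample events below are constructed for this
example; they are not real telemetry from any incident.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")
MIMIKATZ = re.compile(r"(?i)sekurlsa::|lsadump::|privilege::debug")
LSASS_DUMP = re.compile(r"(?i)procdump(64)?\.exe.*\s-ma\s+lsass")
DLL_PATH = re.compile(r"(?i)([a-z]:\\[^\s,]+\.dll)")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if clean)."""
    hits: list[str] = []
    image, parent = _base(ev["image"]), _base(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")

    # 1. Weaponized document: the Office host process spawns a script interpreter.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # 2. Encoded PowerShell (added heuristic; the advisory does not state encoding).
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")
    # 3. DLL delivery: rundll32/regsvr32 loading a DLL from a user-writable path.
    if image in DLL_LOADERS:
        m = DLL_PATH.search(cmd)
        if m and any(seg in m.group(1).lower() for seg in USER_WRITABLE):
            hits.append("dll_from_user_writable_path")
    # 4. Credential theft: Mimikatz modules, or Sysinternals ProcDump against LSASS.
    if image == "mimikatz.exe" or MIMIKATZ.search(cmd):
        hits.append("mimikatz")
    if LSASS_DUMP.search(cmd):
        hits.append("procdump_lsass")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Apply every rule to each event; return (timestamp, host, hits) for matches."""
    return [(ev["timestamp"], ev["host"], h) for ev in events if (h := classify_event(ev))]


def dwell_time(findings: list[tuple[str, str, list[str]]]) -> timedelta:
    """Span between the earliest and latest flagged event. The advisory reports
    four days to three weeks between initial access and ransomware deployment."""
    stamps = sorted(datetime.fromisoformat(ts) for ts, _, _ in findings)
    return stamps[-1] - stamps[0] if stamps else timedelta(0)


# Constructed sample: one workstation compromised via a Word document, then
# credential theft on a server a week later. The -enc blob decodes to "Start-Sleep 1".
SAMPLE_EVENTS = [
    {"timestamp": "2021-05-03T09:12:44", "host": "WS-017",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
    {"timestamp": "2021-05-03T09:13:01", "host": "WS-017",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,DllRegisterServer"},
    {"timestamp": "2021-05-04T14:02:10", "host": "WS-017",  # benign: user opens a document
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\jdoe\Documents\report.docx"'},
    {"timestamp": "2021-05-09T22:41:33", "host": "SRV-DC1",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\procdump64.exe",
     "command_line": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"timestamp": "2021-05-10T03:05:12", "host": "SRV-DC1",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\m.exe",
     "command_line": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for ts, host, hits in found:
        print(ts, host, ", ".join(hits))
    print("dwell time between first and last hit:", dwell_time(found))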