CISA, FBI and the NSA have released a joint advisory after a growing number of Conti ransomware attacks in the U.S. We’ve pulled highlights from the alert and covered what can be done to protect against Conti actors below.

Conti gains access to networks through:

  • Spearphishing
    • Mitigation: Educate staff, especially those with elevated access, on how to spot a phishing email and what to do if they receive a suspicious one. Emphasize the importance of not opening attachments unless they come from a trusted source. Regular training and phishing tests can help users learn what to be cautious of.
  • Stolen or weak Remote Desktop Protocol (RDP) credentials
    • Mitigation: Implement strong password requirements in the environment, especially for those connecting remotely. Along with strong passwords or phrases, MFA should be required for all remote users.
  • Phone calls
    • Mitigation: Educate users to never give credentials over the phone.
  • Fake software promoted via search engine optimization
    • Mitigation: All software being added to an environment should be thoroughly vetted and meet a list of predetermined security requirements. Also, restricting user admin permissions as much as possible will help ensure software isn’t downloaded and installed without permission.
  • Malware distribution networks
    • Mitigation: Along with educating staff on suspicious attachments and requiring strong passwords, make sure all workstations have anti-virus and anti-spam solutions that are updated regularly.
  • Common vulnerabilities in external assets
    • Mitigation: Make sure you’re set up to receive email alerts and updates from vendors and organizations like CISA. The emails can be helpful in learning about new vulnerabilities, mitigation steps, and when patches/updates are available. Also, regularly updating systems will help ensure all vulnerabilities are patched.

Along with education efforts, it’s important to have ways of testing users to see where there are gaps in security knowledge and diligence. The above guidance will help prevent initial access, but there are more steps to take to protect your organization from these types of ransomware attacks. For the full advisory, visit HERE.