# Alert (AA21-265A) **us-cert.cisa.gov/ncas/alerts/aa21-265a** ## Summary **_Immediate Actions You Can Take Now to Protect Against Conti Ransomware_** _• Use_ _[multifactor authentication.](https://us-cert.cisa.gov/ncas/tips/ST05-012)_ _• Segment and segregate networks and functions._ _• Update your operating system and software._ **_March 9, 2022: this joint CSA was updated to include indicators of compromise (see below)_** and the United States Secret Service as a co-author. **_Updated February 28, 2022:_** Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike (see below for details). While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA, FBI, and NSA encourage organizations to review this advisory and apply the recommended mitigations. **_(end of update)_** The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment. To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multifactor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date. [Click here for a PDF version of this report.](https://us-cert.cisa.gov/sites/default/files/publications/AA21-265A-Conti_Ransomware_TLP_WHITE.pdf) [Click here for indicators of compromise (IOCs) in STIX format.](https://us-cert.cisa.gov/sites/default/files/publications/AA21-265A.stix.xml) **_Note: This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge_** _(ATT&CK®) framework, version 9. See the_ _[ATT&CK for Enterprise for all referenced threat](https://attack.mitre.org/versions/v9/techniques/enterprise/)_ _actor tactics and techniques_ ----- ## Technical Details While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack. [Conti actors often gain initial access [TA0001] to networks through:](https://attack.mitre.org/versions/v9/tactics/TA0001/) Spearphishing campaigns using tailored emails that contain malicious attachments [[T1566.001] or malicious links [T1566.002];](https://attack.mitre.org/versions/v9/techniques/T1566/001/) Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle [with the eventual goal of deploying Conti ransomware. [1],[2],[3]](https://attack.mitre.org/software/S0575/) [Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].[4]](https://attack.mitre.org/versions/v9/techniques/T1078/) Phone calls; Fake software promoted via search engine optimization; Other malware distribution networks (e.g., ZLoader); and Common vulnerabilities in external assets. [In the execution phase [TA0002], actors run a](https://attack.mitre.org/versions/v9/tactics/TA0002/) `getuid payload before using a more` aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for [and brute force [T1110] routers, cameras, and network-attached storage devices with web](https://attack.mitre.org/versions/v9/techniques/T1110/) [interfaces. Additionally, actors use Kerberos attacks [T1558.003] to attempt to get the Admin](https://attack.mitre.org/versions/v9/techniques/T1558/003/) hash to conduct brute force attacks. Conti actors are known to exploit legitimate remote monitoring and management software [and remote desktop software as backdoors to maintain persistence [TA0003] on victim](https://attack.mitre.org/versions/v9/tactics/TA0003/) [networks.[5] The actors use tools already available on the victim network—and, as needed,](https://ransomwaredaily.com/conti-ransomware-gang-playbook-mentions-msp-software-channele2e/) add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes [and clear-text credentials, which enable the actors to escalate privileges [TA0004] within a](https://attack.mitre.org/versions/v9/tactics/TA0004/) [domain and perform other post-exploitation and lateral movement tasks [TA0008]. In some](https://attack.mitre.org/versions/v9/tactics/TA0008/) cases, the actors also use TrickBot malware to carry out post-exploitation tasks. [According to a recently leaked threat actor “playbook,” [6] Conti actors also exploit](https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html) [vulnerabilities in unpatched assets, such as the following, to escalate privileges [TA0004]](https://attack.mitre.org/versions/v9/tactics/TA0004/) [and move laterally [TA0008] across a victim’s network:](https://attack.mitre.org/versions/v9/tactics/TA0008/) [2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities; [7]](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010) ["PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler [8]](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) service; and ----- Zerologon vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain [Controller systems.[9]](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472) Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses Conti actors previously used to communicate with their command and control (C2) server. ``` 162.244.80[.]235 85.93.88[.]165 185.141.63[.]120 82.118.21[.]1 ``` CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims. Conti actors often use the open-source Rclone command line program for data exfiltration [[TA0010]. After the actors steal and encrypt the victim's sensitive data [T1486], they employ](https://attack.mitre.org/versions/v9/tactics/TA0010/) a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the data if the ransom is not paid. ## Indicators of Compromise **_Updated March 9, 2022:_** The following domains have registration and naming characteristics similar to domains used by groups that have distributed Conti ransomware. Many of these domains have been used in malicious operations; however, some may be abandoned or may share similar characteristics coincidentally. **Domains** ----- **Domains** badiwaw[.]com balacif[.]com barovur[.]com basisem[.]com bimafu[.]com bujoke[.]com buloxo[.]com bumoyez[.]com bupula[.]com cajeti[.]com cilomum[.]com codasal[.]com comecal[.]com dawasab[.]com derotin[.]com dihata[.]com dirupun[.]com dohigu[.]com dubacaj[.]com fecotis[.]com **(End of update)** fipoleb[.]com fofudir[.]com fulujam[.]com ganobaz[.]com gerepa[.]com gucunug[.]com guvafe[.]com hakakor[.]com hejalij[.]com hepide[.]com hesovaw[.]com hewecas[.]com hidusi[.]com hireja[.]com hoguyum[.]com jecubat[.]com jegufe[.]com joxinu[.]com kelowuh[.]com kidukes[.]com kipitep[.]com kirute[.]com kogasiv[.]com kozoheh[.]com kuxizi[.]com kuyeguh[.]com lipozi[.]com lujecuk[.]com masaxoc[.]com mebonux[.]com mihojip[.]com modasum[.]com moduwoj[.]com movufa[.]com nagahox[.]com nawusem[.]com nerapo[.]com newiro[.]com paxobuy[.]com pazovet[.]com pihafi[.]com pilagop[.]com pipipub[.]com pofifa[.]com radezig[.]com raferif[.]com ragojel[.]com rexagi[.]com rimurik[.]com rinutov[.]com rusoti[.]com sazoya[.]com sidevot[.]com solobiv[.]com sufebul[.]com suhuhow[.]com sujaxa[.]com tafobi[.]com tepiwo[.]com tifiru[.]com tiyuzub[.]com tubaho[.]com vafici[.]com vegubu[.]com vigave[.]com vipeced[.]com vizosi[.]com vojefe[.]com vonavu[.]com wezeriw[.]com wideri[.]com wudepen[.]com wuluxo[.]com wuvehus[.]com wuvici[.]com wuvidi[.]com xegogiv[.]com xekezix[.]com ## MITRE ATT&CK Techniques [Conti ransomware uses the ATT&CK techniques listed in table 1.](https://attack.mitre.org/software/S0575/) _Table 1: Conti ATT&CK techniques for enterprise_ **Initial Access** **Technique** **Title** **ID** **Use** Valid Accounts Phishing: Spearphishing Attachment Phishing: Spearphishing Link [T1078](https://attack.mitre.org/versions/v9/techniques/T1078/) Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials. [T1566.001](https://attack.mitre.org/versions/v8/techniques/T1566/001/) Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware. [T1566.002](https://attack.mitre.org/versions/v8/techniques/T1566/002) Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails. ----- **Execution** **Technique Title** **ID** **Use** Command and Scripting Interpreter: Windows Command Shell Native Application Programming Interface (API) **Persistence** **Technique** **Title** **ID** **Use** [T1059.003](https://attack.mitre.org/versions/v9/techniques/T1059/003/) Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files. [T1106](https://attack.mitre.org/versions/v9/techniques/T1106) Conti ransomware has used API calls during execution. Valid Accounts External Remote Services [T1078](https://attack.mitre.org/versions/v9/techniques/T1078/) Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials. [T1133](https://attack.mitre.org/versions/v9/techniques/T1133/) Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. **Privilege Escalation** **Technique Title** **ID** **Use** Process Injection: Dynamic-link Library Injection **Defense Evasion** [T1055.001](https://attack.mitre.org/versions/v9/techniques/T1055/001/) Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executes it. **Technique Title** **ID** **Use** Obfuscated Files or Information [T1027](https://attack.mitre.org/versions/v9/techniques/T1027) Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls. ----- **Technique Title** **ID** **Use** Process Injection: Dynamic-link Library Injection Deobfuscate/Decode Files or Information **Credential Access** [T1055.001](https://attack.mitre.org/versions/v9/techniques/T1055/001/) Conti ransomware has loaded an encrypted DLL into memory and then executes it. [T1140](https://attack.mitre.org/versions/v9/techniques/T1140) Conti ransomware has decrypted its payload using a hardcoded AES-256 key. **Technique** **Title** **ID** **Use** Brute Force [T1110](https://attack.mitre.org/versions/v9/techniques/T1110/) Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Steal or Forge Kerberos Tickets: Kerberoasting System Network Configuration Discovery System Network Connections Discovery Process Discovery File and Directory Discovery Network Share Discovery [T1558.003](https://attack.mitre.org/versions/v9/techniques/T1558/003/) Conti actors use Kerberos attacks to attempt to get the Admin hash. [T1016](https://attack.mitre.org/versions/v9/techniques/T1016) Conti ransomware can retrieve the ARP cache from the local system by using the `GetIpNetTable() API call and` check to ensure IP addresses it connects to are for local, non-internet systems. [T1049](https://attack.mitre.org/versions/v9/techniques/T1049/) Conti ransomware can enumerate routine network connections from a compromised host. [T1057](https://attack.mitre.org/versions/v9/techniques/T1057/) Conti ransomware can enumerate through all open processes to search for any that have the string `sql in` their process name. [T1083](https://attack.mitre.org/versions/v9/techniques/T1083) Conti ransomware can discover files on a local system. [T1135](https://attack.mitre.org/versions/v9/techniques/T1135/) Conti ransomware can enumerate remote open server message block (SMB) network shares using ``` NetShareEnum() . ``` **Lateral Movement** **Technique Title** **ID** **Use** ----- **Technique Title** **ID** **Use** Remote Services: SMB/Windows Admin Shares [T1021.002](https://attack.mitre.org/versions/v9/techniques/T1021/002/) Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. Taint Shared Content [T1080](https://attack.mitre.org/versions/v9/techniques/T1080/) Conti ransomware can spread itself by infecting other remote machines via network shared drives. **Impact** **Technique** **Title** **ID** **Use** Data Encrypted for Impact Service Stop Inhibit System Recovery ## Mitigations [T1486](https://attack.mitre.org/versions/v9/techniques/T1486/) Conti ransomware can use `CreateIoCompletionPort(),` ``` PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding ``` those with the extensions of `.exe,` `.dll, and` `.lnk . It has used` a different AES-256 encryption key per file with a bundled RAS4096 public encryption key that is unique for each victim. Conti ransomware can use "Windows Restart Manager" to ensure files are unlocked and open for encryption. [T1489](https://attack.mitre.org/versions/v9/techniques/T1489/) Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. [T1490](https://attack.mitre.org/versions/v9/techniques/T1490/) Conti ransomware can delete Windows Volume Shadow Copies using `vssadmin .` CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks. **Use multifactor authentication.** [Require multifactor authentication to remotely access networks from external sources.](https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/Multifactor_Authentication_Solutions_UOO17091520_V1.1%20-%20Copy.PDF) **Implement network segmentation and filter traffic.** Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Define a demilitarized zone that eliminates unregulated communication between networks. Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. ----- Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users. Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites. **Scan for vulnerabilities and keep software updated.** Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures. Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system. **Remove unnecessary applications and apply controls.** Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise. Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software. Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs. Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications. [See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide—](https://us-cert.cisa.gov/ncas/alerts/AA18-284A) developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom—for guidance on detection and protection against malicious use of publicly available tools. **Implement endpoint and detection response tools.** Endpoint and detection response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors. **Limit access to resources over the network, especially by restricting RDP.** After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multifactor authentication. ----- **Secure user accounts.** Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties. Regularly audit logs to ensure new accounts are legitimate users. Review CISA’s [APTs Targeting IT Service Provider Customers guidance for additional](https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers) mitigations specific to IT Service Providers and their customers. **Use the Ransomware Response Checklist in case of infection.** If a ransomware incident occurs at your organization, CISA, FBI, and NSA recommend the following actions: **Follow the Ransomware Response Checklist on p. 11 of the** CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. **Scan your backups. If possible, scan your backup data with an antivirus program to** check that it is free of malware. **Report incidents immediately to CISA at** [https://us-cert.cisa.gov/report, a](https://us-cert.cisa.gov/report) local FBI Field Office, or [U.S. Secret Service Field Office.](http://www.secretservice.gov/contact/field-offices/) **Apply incident response best practices found in the joint Advisory,** Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. CISA, FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. ## Additional Resources The Digital Forensics, Incident Response (DFIR) Report: BazarLoader to Conti Ransomware in 32 Hours (September 2021): [https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/](https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/) NSA Cybersecurity Information Sheet: Transition to Multi-Factor Authentication (August 2019): https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multifactor%20Authentication%20-%20Copy.pdf NSA Cybersecurity Information Sheet: Segment Networks and Deploy ApplicationAware Defenses (September 2019): https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%2 0and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf ----- NSA Cybersecurity Information Sheet: Hardening Network Devices (August 2020): https://media.defense.gov/2020/Aug/18/2002479461/-1/-1/0/HARDENING_NETWORK _DEVICES.PDF **Free Cyber Hygiene Services** [CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify,](https://www.cisa.gov/cyber-hygiene-services) and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors. **StopRansomware.gov** The [StopRansomware.gov webpage is an interagency resource that provides guidance on](https://www.cisa.gov/stopransomware) ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including: CISA and MS-ISAC: [Joint Ransomware Guide](https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf) CISA Insights: [Ransomware Outbreak](https://www.cisa.gov/blog/2019/08/21/cisa-insights-ransomware-outbreak-0) [CISA Webinar: Combating Ransomware](https://www.youtube.com/watch?v=D8kC07tu27A) **Rewards for Justice Reporting** The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical [infrastructure. See the RFJ website for more information and how to report information](https://rewardsforjustice.net/english/malicious_cyber_activity.html) securely. ## Contact Information To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/fieldoffices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov. When available, please include the following information regarding the](http://10.10.0.46/mailto:CyWatch@fbi.gov) incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [CISAServiceDesk@cisa.dhs.gov. For NSA client](http://10.10.0.46/mailto:CISAServiceDesk@cisa.dhs.gov) requirements or general cybersecurity inquiries, contact the NSA Cybersecurity [Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.](http://10.10.0.46/mailto:Cybersecurity_Requests@nsa.gov) ## References Revisions September 22 2021: Initial Version ----- September 23, 2021: Updated PDF with FBI Flash link in Summary February 28, 2022: Updated observed attack number March 9, 2022: Added Indicators of Compromise STIX file and Section [This product is provided subject to this Notification and this](https://us-cert.cisa.gov/privacy/notification) [Privacy & Use policy.](https://www.dhs.gov/privacy-policy) **Please share your thoughts.** [We recently updated our anonymous product survey; we'd welcome your feedback.](https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/alerts/aa21-265a) -----