CISA Update on Conti Ransomware

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA), updates alert AA21-265A, tracking Conti ransomware providing new indicators of compromise (IOC) associated with the group. The most prevalent attack vectors, the agency warns for Conti, include the use of Trickbot and Cobalt Stike. The Conti Group has impacted over 1,000 organizations against the U.S and internationally. A variety of techniques has been observed by the ransomware group, with initial access obtained typically through phishing emails or stolen accounts. A variety of post-compromise techniques are provided by CISA including RDP brute force attack, Kerberos attacks, running discovery command to enumerate the network, spread via SMB, stop services and deleting shadow copies.

• Anvilogic Use Cases:
• RDP Brute-force Detection
• Kerberos RC4 Encrypted Tickets
• Common Reconnaissance Commands
• Windows Share Multiple File Access
• Service Stop Commands
• Inhibit System Recovery Commands