Ransomware Spotlight: Conti
Conti attacks have been detected all over the globe, with the US amassing over a million attack attempts from January 1 to November 12, 2021. The Netherlands and Taiwan ranked second and third respectively.
Figure 1. Countries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure
The retail industry saw the most Conti attack attempts, followed by insurance, manufacturing, and telecommunications. Healthcare, which Conti operators targeted in high-profile attacks this year, is sixth on the list.
Figure 2. Industries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure
Tactics and techniques observed in Conti attacks, mapped to MITRE ATT&CK:

Tactic | Techniques
---|---
Initial Access | T1566 - Phishing; T1190 - Exploit public-facing application
Execution | T1106 - Execution through API; T1059.003 - Command and scripting interpreter: Windows command shell; T1047 - Windows Management Instrumentation; T1204 - User execution; T1053.005 - Scheduled task/job: scheduled task
Persistence | T1053.005 - Scheduled task/job: scheduled task
Privilege Escalation | T1078.002 - Valid accounts: domain accounts
Discovery | T1083 - File and directory discovery; T1018 - Remote system discovery; T1057 - Process discovery; T1016 - System network configuration discovery; T1069.002 - Permission groups discovery: domain groups; T1082 - System information discovery; T1033 - System owner/user discovery; T1012 - Query registry; T1063 - Security software discovery
Credential Access | T1003 - OS credential dumping; T1555 - Credentials from password stores; T1552 - Unsecured credentials
Lateral Movement | T1570 - Lateral tool transfer; T1021.002 - Remote services: SMB/Windows admin shares
Defense Evasion | T1562.001 - Impair defenses: disable or modify tools; T1140 - Deobfuscate/decode files or information; T1055 - Process injection
Command and Control | T1071 - Application layer protocol; T1219 - Remote access software
Exfiltration | T1567.002 - Exfiltration over web service: exfiltration to cloud storage
Impact | T1486 - Data encrypted for impact; T1489 - Service stop; T1490 - Inhibit system recovery
Security teams can watch out for the presence of the following malware, tools, and exploits that are typically used in Conti attacks, grouped by the phase of the attack in which they appear:
Initial Entry | Execution | Discovery | Privilege Escalation | Credential Access | Lateral Movement | Defense Evasion | Exfiltration | Command and Control |
---|---|---|---|---|---|---|---|---|
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically to build a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior could help protect enterprises.
The IOCs for this article can be found here.
Actual indicators might vary per attack.