Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 275: UNDERSTANDING THE RISK OF CONTI RANSOMWARE
Reference Number ACG-CSB 112222275
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Conti Ransomware first appeared in May of 2020. This strain of ransomware differs from others in the speed with which it can encrypt files and spread to different systems. Conti ransomware also employs a "double-extortion" technique, in which the attackers not only encrypt the victims' data and demand payment, but also make copies of the victims' data, which they will expose or sell if the victim refuses to pay.
Conti Ransomware attackers will employ a number of techniques to get their "foot in the door." They will frequently begin by attempting to dupe an employee into handing over credentials, usually using some form of social engineering technique. In some cases, they will attempt to gain network access by exploiting vulnerable firewalls or targeting any internet-facing Remote Desktop Protocol (RDP) servers.
After acquiring network access, the attackers will often try to log into a domain administrator account so they can run the ransomware code. Additionally, they will try to log into any privileged accounts that could give them access to confidential data (including backups). In other instances, they may try to disable security management software so they can move through the network covertly.
In order to develop an attack strategy, the Conti ransomware attackers typically search your network for servers, endpoints, backups, sensitive data, applications, and security software. They will use well-known port scanners, such as "Angry IP Scanner" or "Advanced Port Scanner," to produce a list of live IP addresses. They will also construct a list of server names, which they will then look through for hints about each server's role. For example, a server named DC1 is probably a domain controller.
Attackers will try to set up backdoors so they can take their time and return to the network to install further tools and conduct additional reconnaissance. These backdoors let them monitor network traffic and upload data to their Command & Control (C&C) servers, which also helps them figure out what the victim is doing to recover from the attack. They frequently set up Tor proxies to hide their communication with the C&C server and utilize applications like AnyDesk and Cobalt Strike for remote access and management.
Before running the ransomware code, the attackers will attempt to steal as much business-critical data as they can. Attackers frequently use data discovery tools to find sensitive data. As you may expect, there are several ways for an attacker to exfiltrate data: the files can be sent by email, uploaded to one or more anonymous cloud storage containers, or uploaded to a server the attackers control.
All PNP personnel as well as the public are advised to follow these tips to understand the risk of Conti Ransomware:
- Ensure that you are not already infected;
- Monitor your network 24/7;
- Restrict access rights and Remote Desktop Protocol (RDP) exposure;
- Maintain backups and keep patches up to date;
- Provide security awareness training;
- Make sure that you have the ability to automatically detect and respond to events that match a pre-defined threshold condition;
- Make sure that you have a tried and tested incident response plan (IRP) in place to help you respond to ransomware attacks in a fast and efficient manner.
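As an added illustration of the threshold-based detection advised above (this is example code, not part of the bulletin or any vendor product), the snippet below runs two simple threshold rules over constructed log records that mirror the early Conti stages described in this bulletin: a burst of failed RDP logons against an internet-facing host, and one internal host touching many distinct hosts and ports the way a port scanner does. The event IDs and logon types are the standard Windows Security values; every IP address, host name and timestamp is constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events: (timestamp, event_id, logon_type, source_ip, target_host).
# Event ID 4625 is a failed logon; logon type 10 is RemoteInteractive (RDP).
BASE = datetime(2022, 11, 22, 8, 0, 0)
AUTH_EVENTS = (
    # six failed RDP logons from one external address within 90 seconds: brute-force pattern
    [(BASE + timedelta(seconds=15 * i), 4625, 10, "203.0.113.7", "RDP-GW") for i in range(6)]
    # a local user mistyping a password twice in a day (logon type 2, interactive): benign
    + [(BASE + timedelta(hours=h), 4625, 2, "10.0.0.45", "WS-045") for h in (1, 5)]
    # three failed RDP logons spread over six hours: below the burst threshold
    + [(BASE + timedelta(hours=h), 4625, 10, "198.51.100.9", "RDP-GW") for h in (0, 3, 6)]
)

# Constructed firewall flow records: (source_ip, dest_ip, dest_port).
FLOW_RECORDS = (
    [("10.0.0.45", f"10.0.1.{i}", 445) for i in range(1, 31)]  # one host sweeping SMB across a /24
    + [("10.0.0.12", "10.0.2.5", 443)] * 50                     # repeated traffic to one web server
)


def failed_rdp_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: max_failures_in_window} for sources whose failed RDP
    logons reach `threshold` inside any sliding time window of length `window`."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, _ in events:
        if event_id == 4625 and logon_type == 10:
            by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def scanner_like_sources(flows, min_targets=20):
    """Return {source_ip: distinct_targets} for sources that contacted at least
    `min_targets` distinct (host, port) pairs, a fan-out typical of port scanning."""
    fanout = defaultdict(set)
    for src, dst, port in flows:
        fanout[src].add((dst, port))
    return {src: len(targets) for src, targets in fanout.items() if len(targets) >= min_targets}
```

Tune the thresholds and windows to your own baseline; the point is that both rules fire on the sustained pattern while leaving the occasional mistyped password and normal repeated traffic alone.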
For additional information, please refer to the following websites:
POINT OF CONTACT