26 January, 2022

Conti Ransomware Sources Blocked by AEGIS

According to CISA (Cybersecurity & Infrastructure Security Agency), Conti Ransomware use increased in 2021, with more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.

Read full report: https://www.cisa.gov/news-events/alerts/2021/09/22/conti-ransomware

Conti actors often gain initial access [TA0001] to networks through:

  • Spearphishing campaigns using tailored emails that contain malicious attachments [T1566.001] or malicious links [T1566.002];
    • Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware. [1],[2],[3]
  • Stolen or weak Remote Desktop Protocol (RDP) credentials [T1078].[4]
  • Phone calls;
  • Fake software promoted via search engine optimization;
  • Other malware distribution networks (e.g., ZLoader); and
  • Common vulnerabilities in external assets.

According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network:

  • 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities;
  • "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service; and
  • "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems.

Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses Conti actors previously used to communicate with their command and control (C2) server.

162.244.80[.]235
85.93.88[.]165
185.141.63[.]120
82.118.21[.]1

CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims.
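As an added example (not part of this post or of the CISA alert), the following Python script sweeps firewall log lines for any connection, allowed or denied, to the four Cobalt Strike addresses listed above. The log line format and the sample log lines are constructed for this example; a denied connection to a known C2 address is still worth alerting on, because it indicates an already-compromised host.

```python
import ipaddress
import re
from typing import Iterable

# The four Cobalt Strike C2 addresses from the CISA alert, in defanged form.
DEFANGED_C2 = [
    "162.244.80[.]235",
    "85.93.88[.]165",
    "185.141.63[.]120",
    "82.118.21[.]1",
]


def refang(ioc: str) -> str:
    """Turn defanged notation such as '1.2.3[.]4' or 'hxxp' back into a usable value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


C2_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2}

# Log line format assumed for this example (constructed, not any real product's format):
# <timestamp> <action> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def find_c2_hits(log_lines: Iterable[str], watchlist=C2_ADDRESSES) -> list[dict]:
    """Return parsed entries whose destination is on the C2 watchlist, whatever the firewall verdict."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the whole sweep
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field
        if dst in watchlist:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                         "dport": int(m["dport"]), "action": m["action"]})
    return hits


# Constructed sample log; 10.0.0.0/8 and 203.0.113.0/24 are private / documentation ranges.
SAMPLE_LOG = """\
2022-01-26T10:01:02Z ALLOW src=10.0.0.15 dst=203.0.113.10 dport=443
2022-01-26T10:01:05Z DENY src=10.0.0.15 dst=162.244.80.235 dport=443
2022-01-26T10:02:11Z ALLOW src=10.0.0.22 dst=85.93.88.165 dport=8080
garbage line that does not parse
2022-01-26T10:03:40Z ALLOW src=10.0.0.15 dst=185.141.63.120 dport=80
""".splitlines()

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(hit)
```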

Aegis Defender Pro has blocked these IPs and their entire networks for years, as well as the spam email servers used by these cyber-criminals. With over 2 billion IP addresses in the Aegis Defender Pro firewall lists, these phishing schemes rarely even reach the mailboxes behind email servers running Aegis Defender Pro.

If a user receives a phishing call, the websites cited on the call will not load, and a computer infected via outside media such as a USB stick will be unable to reach the servers its malware is programmed to contact, effectively containing the infection until it can be detected and removed.