Five things to know:
- During most Conti ransomware attacks, hackers steal files, encrypt servers and demand a ransom payment, according to a news release. Conti actors usually gain access to the network through spear phishing campaigns, stolen desktop credentials, phone calls and fake software promoted on search engines.
- CISA and the FBI examined a leaked Conti playbook, which showed that Conti actors exploit vulnerabilities in unpatched assets to gain access to a victim’s network. Commonly exploited vulnerabilities include the Windows “PrintNightmare” flaw, the 2017 Microsoft Server Message Block (SMB) vulnerabilities, and “Zerologon” in Microsoft Active Directory domains.
- Conti ransomware can stop up to 146 Windows services related to backup, security, database and email solutions using the net stop command, and it can delete Windows Volume Shadow Copies, which removes a common local recovery path.
- Conti ransomware can spread itself by infecting other remote machines through shared drives on the network.
- After stealing and encrypting data, the hackers use a double-extortion tactic: they demand a ransom to restore the encrypted data and also threaten to release the stolen data to the public if the ransom isn’t paid.
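As an added detection example (not code from the advisory or the news release), the following Python script flags the two behaviours described in the third item above: a burst of net stop calls on one host and deletion of Volume Shadow Copies. The log format, host names, sample events and command patterns are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of process-creation events ("timestamp host=... cmd=..."),
# loosely modelled on Sysmon event 1 / Security 4688 fields; not real telemetry.
SAMPLE_LOG = """\
2021-09-22T10:00:01 host=srv01 cmd=net stop "SQLWriter"
2021-09-22T10:00:02 host=srv01 cmd=net stop "MSSQLSERVER"
2021-09-22T10:00:02 host=srv01 cmd=net stop "VeeamBackupSvc"
2021-09-22T10:00:03 host=srv01 cmd=net stop "MSExchangeIS"
2021-09-22T10:00:04 host=srv01 cmd=net1 stop "WinDefend"
2021-09-22T10:00:09 host=srv01 cmd=vssadmin.exe delete shadows /all /quiet
2021-09-22T11:30:00 host=ws07 cmd=net stop "Spooler"
2021-09-22T11:45:00 host=ws07 cmd=notepad.exe C:\\notes.txt
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$')
# Assumed command patterns for the two behaviours: "net stop" (net.exe or net1.exe)
# and Volume Shadow Copy deletion via vssadmin or wmic.
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\b', re.IGNORECASE)
SHADOW_DEL_RE = re.compile(r'\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b', re.IGNORECASE)

def parse_events(text):
    """Yield (timestamp, host, command line) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m['ts']), m['host'], m['cmd']

def detect(text, burst_threshold=5, window_seconds=60):
    """Return (rule, host, timestamp, detail) alerts sorted by time: one 'service_stop_burst'
    per host reaching the threshold inside a sliding window, plus one 'shadow_copy_deletion'
    per matching command. A lone net stop is routine admin work; tune the threshold."""
    alerts, stops, window = [], defaultdict(list), timedelta(seconds=window_seconds)
    for ts, host, cmd in parse_events(text):
        if SHADOW_DEL_RE.search(cmd):
            alerts.append(('shadow_copy_deletion', host, ts, cmd))
        if NET_STOP_RE.search(cmd):
            stops[host].append(ts)
    for host, times in stops.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(('service_stop_burst', host, times[start],
                               f'{end - start + 1} net stop calls within {window_seconds}s'))
                break  # one alert per host is enough for triage
    return sorted(alerts, key=lambda a: a[2])
```

Run against real process-creation telemetry, the burst rule catches the mass service stopping the advisory describes while a single administrative net stop on a workstation stays below the threshold.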