Conti Ransomware Attacks and RMM Software: CISA, FBI Warning Details
Conti ransomware has been used in more than 400 attacks vs. U.S. and international organizations, according to a warning from the FBI and CISA (Cybersecurity and Infrastructure Security Agency).
Moreover, some of the Conti ransomware attacks exploit legitimate remote monitoring and management (RMM) and remote desktop software as backdoors to maintain persistence on victim networks, the warning states.
That’s a particularly troubling news for MSPs and MSSPs, thousands of which depend heavily on RMM and remote desktop software to remotely manage and troubleshoot end-customer systems.
Concerns about Conti ransomware threat actors leveraging legitimate RMM software have swirled since at least August 2021 — when a leaked Conti ransomware playbook that mentioned RMM software surfaced on the Internet.
How MSPs and MSSPs Can Prevent Conti Ransomware Attacks
To mitigate the risk of Conti ransomware attacks, the FBI and CISA say MSSPs and MSPs should take these seven steps:
- require multi-factor authentication (MFA);
- implement network segmentation;
- scan for vulnerabilities and keep software updated;
- remove unnecessary applications and apply controls — and be sure to investigate any unauthorized software, particularly remote desktop or remote monitoring and management software;
- implement endpoint and detection response tools;
- limit access to resources over the network, especially by restricting RDP; and
- secure user accounts.
In terms of endpoint security, multiple software companies proclaim that their endpoint protection tools prevent Conti ransomware attacks. Examples include this BlackBerry statement from May 2021.
How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks
If a ransomware incident occurs, then the CISA, FBI and NSA recommend the following four actions:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.
- Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.