The US Cybersecurity and Infrastructure Security Agency (CISA) has updated the Conti ransomware alert with Indicators of Compromise (IoCs) consisting of nearly 100 domain names used in malicious operations.
Originally published September 22, 2021, the advisory includes details observed by CISA and the Federal Bureau of Investigation (FBI) in Conti ransomware attacks targeting organizations in the United States. The updated cybersecurity advisory contains US Secret Service data.
Conti IoC Domains
Internal details of the Conti ransomware operation began leaking in late February after the gang publicly announced it was siding with Russia over the invasion of Ukraine.
The leak comes from a Ukrainian researcher, who initially posted private messages exchanged by gang members, then released source code for ransomware, administrative panels, and other tools.
The data cache also included domains used for compromises with BazarBackdoor, the malware used for initial access to high-value target networks.
According to CISA, the threat actor Conti has impacted more than 1,000 organizations worldwide, with the most prevalent attack vectors being the TrickBot malware and Cobalt Strike beacons.
The agency today released a batch of 98 domain names that share “similar registration and naming characteristics” to those used in Conti ransomware attacks by groups distributing the malware.
the agency notes that although the domains have been used in malicious operations, some of them “may be dropped or may coincidentally share similar characteristics”.
The above list of domains associated with Conti ransomware attacks appears to be different from the hundreds the Ukrainian researcher disclosed from BazarBackdoor infections.
Despite the unwanted attention Conti has recently received due to the exposure of his in-house cats and tools, the gang hasn’t curbed his activity.
Since early March, Conti has listed more than two dozen victims on his website in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia and Saudi Arabia.