Mitigations

CISA, FBI, and NSA recommend that network defenders apply the following mitigations
to reduce the risk of compromise by Conti ransomware attacks.Use multifactor
authentication.,Implement network segmentation and filter traffic.,Scan for vulnerabilities and
keep software updated.,Remove unnecessary applications and apply controls.,Implement
endpoint and detection response tools.,Limit access to resources over the network, especially
by restricting RDP.,Secure user accounts.,Use the Ransomware Response Checklist in case of
infection.
If a ransomware incident occurs at your organization, CISA, FBI, and NSA recommend
the following actions:

 Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State

Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
 Scan your backups. If possible, scan your backup data with an antivirus program to
check that it is free of malware.
 Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI
Field Office, or U.S. Secret Service Field Office. 
 Apply incident response best practices found in the joint Advisory, Technical
Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and
the cybersecurity authorities of Australia, Canada, New Zealand, and the United
Kingdom.

CISA, FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a
ransom may embolden adversaries to target additional organizations, encourage other
criminal actors to engage in the distribution of ransomware, and/or may fund illicit
activities. Paying the ransom also does not guarantee that a victim’s files will be
recovered.

Additional Resources
 The Digital Forensics, Incident Response (DFIR) Report: BazarLoader to Conti
Ransomware in 32 Hours (September
2021): https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-
hours/
 NSA Cybersecurity Information Sheet: Transition to Multi-Factor Authentication (August
2019): 
https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-
factor%20Authentication%20-%20Copy.pdf
 NSA Cybersecurity Information Sheet: Segment Networks and Deploy Application-
Aware Defenses (September 2019):
https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks
%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
 NSA Cybersecurity Information Sheet: Hardening Network Devices (August 2020): 
https://media.defense.gov/2020/Aug/18/2002479461/-1/-1/0/HARDENING_NETWORK_
DEVICES.PDF
Free Cyber Hygiene Services
CISA offers a range of no-cost cyber hygiene services to help organizations assess,
identify, and reduce their exposure to threats, including ransomware. By requesting
these services, organizations of any size could find ways to reduce their risk and
mitigate attack vectors.
StopRansomware.gov 
The StopRansomware.gov webpage is an interagency resource that provides guidance
on ransomware protection, detection, and response. This includes ransomware alerts,
reports, and resources from CISA and other federal partners, including:

 CISA and MS-ISAC: Joint Ransomware Guide

 CISA Insights: Ransomware Outbreak
 CISA Webinar: Combating Ransomware

Rewards for Justice Reporting

The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of
up to $10 million for reports of foreign government malicious activity against U.S. critical
infrastructure. See the RFJ website for more information and how to report information
securely

Mitigating AvosLocker

 Maintain multiple copies of sensitive or proprietary data and servers in

physically separate, segmented and secure locations (hard drive,
storage device, the cloud).Implement network segmentation and
maintain offline, password-protected data backups. This ensures limited
disruption in case of an attack.Keep copies of critical data separate from
the system where the data resides.Install and update antivirus software
on all hosts and enable real-time detection.Install updates and patches
to operating systems, software and firmware in a timely manner and
stay up to date about new updates and patches.Review domain
controllers, servers, workstations, and active directories for new or
unknown user accounts.Audit and configure user accounts with least
privilege in mind. Limit admin privilege only to those who need it and
only for as long as they need it.Disable unused ports.Consider adding
an email banner to emails received from outside your group.Disable all
 hyperlinks in received emails.Use multi-factor authentication where
possible.Use strong passwords, change passwords often and do not
reuse passwords to network systems and accounts.Require admin
credentials to install software.Only use secure networks and avoid using
public Wi-Fi networks. Consider installing and using a virtual private
network.Focus on awareness and training about ransomware and
phishing scams.

1. I don’t store important data only on my PC.2. I have 2 backups of my data: on an

external hard drive and in the cloud – Dropbox/Google Drive/etc.3. The
Dropbox/Google Drive/OneDrive/etc. application on my computer are not turned
on by default. I only open them once a day, to sync my data, and close them once
this is done.4. My operating system and the software I use is up to date, including
the latest security updates.5. For daily use, I don’t use an administrator account on
my computer. I use a guest account with limited privileges.6. I have turned off
macros in the Microsoft Office suite – Word, Excel, PowerPoint, etc.In the browser7.
I have removed the following plugins from my browsers: Adobe Flash, Adobe
Reader, Java and Silverlight. If I absolutely have to use them, I set the browser to ask
me if I want to activate these plugins when needed.8. I have adjusted my browsers’
security and privacy settings for increased protection.9. I have removed outdated
plugins and add-ons from my browsers. I only kept the ones I use on a daily basis
and I keep them updated to the latest version.10. I use an ad blocker to avoid the
threat of potentially malicious ads.