In a three-part series of articles, Sophos researchers have unveiled what happens when attackers break into an organisation’s network intending to steal data and launch a Conti ransomware attack.
Conti ransomware is a human-operated “double extortion” attack: the attackers steal data from the targeted organisation before encrypting it, then threaten to expose the stolen information on the “Conti News” site if the organisation doesn’t pay the ransom.
Sophos’ 24/7 incident response team, Sophos Rapid Response, was called in to contain, neutralize and investigate the incident, which unfolded over five days from the initial compromise to the recovery of work operations. The series of articles from Sophos reconstructs the attack as it happened day-by-day and provides technical information on Conti’s attack behaviour as well as advice for defenders.
The three-part series, The Realities of Conti Ransomware, includes:
• A Conti Ransomware Attack Day-By-Day – Analysis of a Conti attack, including Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs)
• Conti Ransomware: Evasive By Nature – A technical overview by SophosLabs researchers
• What to Expect When You’ve Been Hit with Conti Ransomware – An essential guide for IT admins facing the impact of a Conti attack, with advice on what to do immediately and a 12-point checklist to help investigate the attack. The checklist walks IT admins through everything the Conti attackers could do while on the network and the main TTPs they are likely to use. The article includes recommendations for action.
“In attacks where humans are at the controls, adversaries can adapt and react to changing situations in real-time,” said Peter Mackenzie, manager, Sophos Rapid Response. “In this case, the attackers had simultaneously gained access to two servers, so when the target detected and disabled one of these – and believed they’d stopped the attack in time – the attackers simply switched and continued their attack using the second server. Having a ‘Plan B’ is a common approach for human-led attacks and a reminder that just because some suspicious activity on the network has stopped, it doesn’t mean the attack is over.”
The Conti News site has published data stolen from at least 180 victims to date. Sophos has created a victimology profile based on the data published on Conti News (covering around 150 organisations whose data had been published at the time of analysis).
“In companies without access to a designated IT security team, it’s often IT admins who are in the direct line of fire for a ransomware attack,” said Mackenzie. “They’re the ones who come into work one morning to find everything locked and a threatening ransom note on the screen, sometimes followed by threatening emails and even phone calls. Based on our first-hand threat hunting experiences, we’ve developed an action list that will help IT admins through the deeply challenging and stressful first few hours and days after a Conti ransomware attack, understand where they can get help, and lay the foundations for a more secure future.”
Immediate Advice for Defenders
• Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks
• If you need access to RDP, put it behind a VPN connection
• Use layered security to prevent, protect and detect cyberattacks, including endpoint detection and response (EDR) capabilities and managed response teams who watch networks 24/7
• Be aware of the five early indicators that an attacker is present, in time to stop ransomware attacks
• Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats, or to respond to emergency incidents, consider turning to external experts for help
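The first two points above concern RDP exposure. The following PowerShell script is an added example, not code from Sophos or from the articles, that audits a single Windows host for the conditions they describe: whether RDP is enabled, whether anything is listening on TCP 3389, and whether any enabled inbound firewall rule allows 3389 from any remote address rather than from a VPN or management subnet. It assumes Windows 10 / Windows Server 2016 or later with the built-in NetSecurity module, and should be run in an elevated session; the `$trustedRanges` value is a constructed placeholder to be replaced with the organisation’s own VPN subnet.

```powershell
# Added example (not Sophos' code): report how RDP is exposed on this host.
# Assumes Windows 10 / Server 2016+ with the NetSecurity module; run as administrator.

# Constructed placeholder: the subnet(s) from which RDP access is acceptable
# (for example the VPN pool). Replace with the organisation's own ranges.
$trustedRanges = @('10.200.0.0/16')

function Get-RdpExposure {
    # 1. Is RDP enabled at the OS level? fDenyTSConnections = 0 means enabled.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # 2. Is anything actually listening on TCP 3389 right now?
    $listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

    # 3. Which enabled inbound allow rules open port 3389, and from which remote addresses?
    $findings = @()
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        # LocalPort may be a scalar or an array; -contains treats both as a collection.
        if ($portFilter.LocalPort -contains '3389') {
            $addrFilter = $rule | Get-NetFirewallAddressFilter
            $remote = @($addrFilter.RemoteAddress)
            # A rule scoped to 'Any' (or to no explicit remote address) is reachable
            # from wherever the host is reachable, i.e. from the internet if the
            # host has a public interface or a port forward in front of it.
            $openToAny = ($remote -contains 'Any') -or ($remote.Count -eq 0)
            $onlyTrusted = -not $openToAny -and
                (@($remote | Where-Object { $trustedRanges -notcontains $_ }).Count -eq 0)
            $findings += [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = ($remote -join ',')
                OpenToAny     = $openToAny
                TrustedOnly   = $onlyTrusted
            }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        ListeningOn3389 = $listening
        FirewallRules  = $findings
        # Risk summary used by the caller: RDP is on, listening, and at least one
        # rule admits any remote address. That is the condition the advice above
        # says to eliminate by disabling RDP or scoping it to the VPN.
        ExposedToAny   = $rdpEnabled -and $listening -and (@($findings | Where-Object OpenToAny).Count -gt 0)
    }
}

$report = Get-RdpExposure
$report | Format-List ComputerName, RdpEnabled, ListeningOn3389, ExposedToAny
$report.FirewallRules | Format-Table Rule, Profile, RemoteAddress, OpenToAny, TrustedOnly -AutoSize

if ($report.ExposedToAny) {
    Write-Warning 'RDP is enabled and allowed from any remote address. Disable it, or restrict the rule scope to the VPN subnet.'
}
```

The script only reports; it changes nothing. A host that shows `ExposedToAny = True` while sitting behind a NAT or port forward is the situation the first bullet warns about, and the remediation is either `fDenyTSConnections = 1` or tightening the rule’s remote address scope to the VPN range so that the second bullet is satisfied. Running it across a fleet (for example via `Invoke-Command`) gives an inventory of where RDP is still reachable without a VPN.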