What has happened:
It has been reported that the Conti ransomware group has encrypted a number of the HSE’s file servers and databases. It is also reported that they may have downloaded over 700GB of personally identifiable information (PII) that may include:
- The addresses and phone numbers of patients, doctors and nurses
- Payroll information
- Employment contracts
The Conti ransomware group has supposedly demanded a ransom of circa $20 million.
Who are / what is Conti:
Conti is human-operated ransomware: the operators interact directly with the victim environment rather than relying on automated, worm-like spread, and once launched it encrypts data and moves across the target network at high speed.
Conti is run as a private Ransomware-as-a-Service operation believed to be headed by the Russia-based cybercrime group known as Wizard Spider. It appears to share a code base with the Ryuk ransomware, which has recently hit multiple healthcare and life sciences organisations.
Conti is also what is known as a double-extortion variant: it steals data and threatens to expose it as well as encrypting it. At least 180 victims have been impacted by Conti globally so far.
What do I need to know:
- The attackers will most likely be on your network for days or even weeks.
- The attackers could use a variety of different methods to break into your network.
- They will have secured access to domain admin accounts as well as other user accounts.
- They will have scanned your network. They know how many servers and endpoints you have and where you keep your backups, business-critical data and applications.
- The attackers are likely to have downloaded and installed backdoors that allow them to come and go on your network and install additional tools.
- In addition to the encryption of data and disruption to software and operations, Conti operators will try to exfiltrate hundreds of gigabytes of corporate data prior to the main ransomware event.
- They will have tried to encrypt, delete, reset, or uninstall your backups.
- The attackers will have tried to identify what security solution is used on the network and whether they can disable it.
- The most visible part of the attack – the release of ransomware – probably took place when no IT admins or security professionals were online to notice and prevent the lengthy process of file encryption, possibly during the middle of the night or during the weekend.
- The ransomware will have been deployed to all your endpoints and any servers that were online at the time of attack – providing that is what the attacker wanted.
- The launch of the ransomware is not the end.
- The time spent in your network will likely have allowed the attackers to steal business critical, sensitive, and confidential information that they now threaten to publicly expose.
How can Kontex help:
The first thing to note is that there is no silver bullet approach to protecting an organisation. There are no playbooks that can make this process fool-proof and this should not be treated as an academic exercise. Regardless of what is being sold to you by consulting firms, doing the simple things right will put you on the right path to better protection:
- Educate employees on what to look out for in terms of phishing and malicious spam. Introduce robust security policies.
- Patch your systems, and either stop using legacy systems or isolate them using micro-segmentation or other approaches.
- Shut down internet-facing Remote Desktop Protocol (RDP) so it cannot be used as an entry point to the network. Enforce the use of Multi-Factor Authentication (MFA) at all times.
- IOCs are available for the common Conti variants. Monitor your network and endpoints 24/7 and look for these indicators.
- Keep regular backups and ensure they are immutable.
- Have an incident response plan ready and practice running through it.
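The indicator matching recommended above can be scripted so that it runs continuously against log feeds. The following is an added example written for this page, not Kontex tooling or code from the original post: it scans constructed log lines for a small indicator set covering the three IOC types most commonly published (domains, IP addresses and SHA-256 hashes). The indicator values, the log lines and the names Hit, scan and domain_matches are all placeholders chosen for the example; none of them are real Conti indicators, and in practice the sets would be loaded from the published IOC list for the variant you are concerned about.

```python
"""Match a small IOC set against log lines (added example, not from the original post).

All indicator values below are constructed placeholders, NOT real Conti IOCs.
Domains use the reserved .invalid TLD and IPs come from the TEST-NET ranges.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder indicators (assumption: loaded from a published IOC list in practice).
IOC_DOMAINS = {"c2.example.invalid", "staging.example.invalid"}
IOC_IPS = {"203.0.113.10"}            # TEST-NET-3 documentation range
IOC_SHA256 = {"0" * 63 + "a"}         # placeholder hash, lower-case hex

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Last label must be alphabetic so dotted-quad IPs are not picked up as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    value: str      # the indicator that matched (not necessarily the raw token)
    line: str


def domain_matches(host, blocked):
    """Return the blocked domain that host equals or is a subdomain of, else None.

    Matching on '.' + domain avoids false positives such as 'notc2.example.invalid'
    matching the indicator 'c2.example.invalid'.
    """
    host = host.lower().rstrip(".")
    for d in blocked:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan(lines):
    """Return a list of Hit for every indicator found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append(Hit(n, "sha256", h.lower(), line))
        for ip in IP_RE.findall(line):
            try:
                ipaddress.ip_address(ip)   # discard e.g. 999.1.1.1 version strings
            except ValueError:
                continue
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip, line))
        for host in DOMAIN_RE.findall(line):
            m = domain_matches(host, IOC_DOMAINS)
            if m:
                hits.append(Hit(n, "domain", m, line))
    return hits


# Constructed sample log lines (DNS, firewall and EDR telemetry), not real data.
SAMPLE_LOGS = [
    "2021-01-01T02:14:07Z dns query host=ws-017 qname=beacon.C2.example.invalid",
    "2021-01-01T02:14:09Z fw allow src=10.20.1.17 dst=203.0.113.10 dport=443",
    "2021-01-01T02:15:31Z edr file_create host=ws-017 path=C:\\Users\\Public\\update.exe sha256="
    + "0" * 63 + "A",
    "2021-01-01T02:16:00Z fw allow src=10.20.1.17 dst=198.51.100.7 dport=443",
    "2021-01-01T02:16:05Z dns query host=ws-018 qname=notc2.example.invalid",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Domains are compared case-insensitively and by suffix label, hashes are normalised to lower-case, and IP-looking tokens are validated before lookup; the fifth sample line shows that a lookalike host sharing a suffix with an indicator does not produce a hit. For production use the regexes should be applied to the parsed field values rather than whole lines, and the output should feed an alerting pipeline rather than stdout.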