IBM QRadar

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Sep 22 around the CONTI Ransomware Group, providing detailed information regarding its exploits and affiliates. Together with the Federal Bureau of Investigation (FBI), they have seen Conti ransomware in over 400 attacks targeted on international enterprises. A PDF version of the advisory which contains a technical breakdown on the ransomware group and the mitigation steps is available here.

While operating as a ransomware-as-a-service model, Conti provides a different compensation structure as compared to typical affiliate models. According to CISA, Conti has devised a new wage-paying scheme for deployers of the ransomware, instead of only receiving a fractional return of proceeds from a successful compromise.

While other RaaS models like LockBit2.0, BlackMatter and RansomEXX pay affiliates only when a breach is successful, Conti lowers the barriers for malicious insiders or disgruntled employees to launch ransomware. This greatly incentivises deviant behavior as potential insiders get paid at the onset, even if the attack is unsuccessful.


Analyzing Conti

(Conti Recovery Service Tor Site)

Conti actors use a wide range of tools and methods to gain initial access into organizations, including the use of targeted spear phishing campaigns via custom crafted emails that contain malicious attachments or links, that often contain embedded scripts that are used to download or drop other malware.
Other common methods of entry include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, illegitimate software, other malware distribution networks and common vulnerabilities in external assets.

According to a leaked Conti ransomware playbook, Conti actors exploit vulnerabilities such as ‘PrintNightmare’ in unpatched assets to escalate privileges and move laterally across a victim’s network. Once the victim’s data has been stolen and encrypted, a double extortion technique is employed, demanding a ransom in exchange for the encrypted information. The victim is then threatened with the public release of the data should ransom be left unpaid.

(Conti ransom note)


Running the attack

IBM Security ReaQta reconstructs an entire breach within seconds of an infection, by providing the full details of attack behaviours and techniques used.

(ReaQta‘s Behavioural Tree showing the Conti ransomware)

Built with ransomware protection capabilities, ReaQta autonomously blocks ransomware once any ransomware behavior is exhibited to prevent any potential data encryption on the endpoint.

(Conti is automatically stopped by ReaQta within seconds)

ReaQta automatically stopped Conti within seconds, effectively mitigating the risks of any business interruptions and downtime. In addition to stopping the threat, ReaQta’s AI automations autonomously terminated all malicious processes and closed off the alert, reducing any extra actions required of the security team.

As ransomware attacks continue to grow to become one of the greatest security challenges for organizations globally, it is imperative that security leaders prioritize having mitigation plans ready so that swift action can be taken.


Mitigations

CISA recommends the following actions to reduce the risk of compromise by a Conti ransomware attack:

1. Ensure multi-factor authentication (MFA) is enabled across the organization.
2. Ensure network segmentation via the usage of demilitarized zones (DMZs) and network traffic management controls are in place to prevent ingress and egress communications with known malicious IP addresses. Implement strong spam filters and conduct regular user training programs to enforce proper cyber hygiene.
3. Ensure assets and software are routinely patched and updated.
4. Use application allowlisting, preventing employees from installing illegitimate applications or unauthorized software which contravenes organization’s security policy. Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email.
5. Implement endpoint and detection response tools. Endpoint detection and response (EDR) tools like ReaQta provide unparalleled visibility into the security status of endpoints and proactively secure organisations against malicious cyber actors.
6. Control access to resources over the network, i.e restricting RDP.
7. Ensure user accounts are properly configured for the right access controls and privilege rights and check logs to ensure account holders are legitimate users.

To learn about what makes IBM Security ReaQta unique and how organizations can stay safe against unknown threats like ransomware, read more here and apply for a demonstration.