Defending Against Conti Ransomware: Zero Trust Segmentation

Airgap Networks
4 min read · May 20, 2022
Image Source: Hacker News

Recent cyber-attacks against Ukraine’s infrastructure, including destructive malware such as WhisperGate and HermeticWiper, together with the Russian invasion, have drawn considerable attention from the cybersecurity community.

IT Governance UK recorded 83 data breaches and 5,127,241 cyberattacks in February 2022, which shows that infrastructure security around the globe is on the brink of something big. Certain ransomware gangs, such as the Conti ransomware group, have also received greater public attention. Conti is now in the limelight due to recently released information detailing the group’s inner workings, including its tactics, techniques, and procedures (TTPs).

Conti is a sophisticated ransomware-as-a-service (RaaS) organization that was first observed in December 2019. Its business model is to have cybercriminals subscribe to its RaaS and gain access to pre-built ransomware tooling for their own attacks, in exchange for a share of every successful ransom payment. Conti’s popularity in the criminal underground has expanded dramatically since its launch, displacing existing RaaS offerings such as Ryuk. According to a joint advisory by CISA and the FBI, Conti RaaS has been used in more than 400 cyberattacks globally. In April, the group conducted a ransomware attack against the government of Costa Rica. The US government reports that the attack caused significant disruption to the country’s international trade by taking down its customs and tax infrastructure. The US State Department is offering $15 million in rewards for information about Conti’s leaders, operators, and affiliates.

Spear phishing and exposed RDP (Remote Desktop Protocol) services give cyber criminals their most accessible and most common initial infection vectors. Phishing emails carry malicious attachments, such as Word documents with embedded macros, that drop or download trojans like BazarLoader, TrickBot, and IcedID, or use social-engineering lures to induce the victim to disclose further information or access credentials. After gaining access, the attackers download and run the Cobalt Strike beacon DLL to collect information on domain administrator accounts. Threat actors also use Kerberos attacks to obtain administrator account hashes, which they then brute force.

Security researchers have been studying the attackers’ methods and techniques since one of the Conti affiliates leaked the group’s playbook.

Analysis of the leaked documents revealed that a cracked version 4.3 of the Cobalt Strike red-teaming framework was among the top tools used in attacks. Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally through a victim’s network. They scan for the “PrintNightmare” vulnerability (CVE-2021-34527) in the Windows Print Spooler service, the EternalBlue vulnerability (CVE-2017-0144) in Microsoft Windows Server Message Block (SMB), and the “Zerologon” vulnerability (CVE-2020-1472) in Microsoft Active Directory domain controllers.

Conti actors also use the RouterScan tool to find router devices within a given IP range and attempt logins using the default credential lists bundled with the utility. To keep a communication channel open, the actors install AnyDesk or Atera on the target system. Like other ransomware operators, Conti attackers exfiltrate data from victims’ networks and store it on MEGA and other cloud-storage platforms before deploying the Conti ransomware, using the open-source Rclone command-line tool to transfer the data to cloud storage. The criminals monetize their actions through a double extortion strategy: demanding a ransom and threatening to publicly release the stolen data if the ransom is not paid. The data may even be sold to the highest bidder.
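The behaviours described in the two paragraphs above (macro-laden Office attachments spawning script hosts, Rclone uploads to a cloud remote, and the installation of remote-access tools such as AnyDesk or Atera) are all visible in endpoint process-creation telemetry. The following detection logic is an added example written for this article, not code from Airgap, CISA, or any of the tools named; it runs over constructed Sysmon-style events, and the executable names for AnyDesk and Atera, the hosts, paths, and command lines are all assumptions made for the sample.

```python
"""Detection rules for three Conti-style behaviours, run over constructed
Sysmon-style process-creation events. Added illustration, not vendor code."""
import re
from typing import Dict, List

# Constructed sample events, loosely modelled on Sysmon Event ID 1 fields.
# Hosts, paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"EventId": "1", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n C:\Users\jdoe\Downloads\invoice.docm'},
    {"EventId": "2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -c <constructed placeholder>"},
    {"EventId": "3", "Image": r"C:\ProgramData\rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy C:\Finance mega:backup --transfers 8 -q"},
    {"EventId": "4", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /i C:\Temp\AnyDesk.msi /qn"},
    {"EventId": "5", "Image": r"C:\Tools\rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy C:\Data D:\Backup"},  # local copy, no cloud remote
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumed binary names for the remote-access tools named in the article.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "ateraagent.exe"}
REMOTE_ACCESS_KEYWORDS = ("anydesk", "atera")
# Rclone transfer verbs, and a "name:" remote token (two or more characters,
# so a Windows drive letter such as "c:" does not count as a cloud remote).
RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move|moveto)\b")
RCLONE_REMOTE = re.compile(r"(?:^|\s)[a-z0-9_-]{2,}:")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    findings: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()

    # Rule 1: an Office application spawning a script host, the usual macro footprint.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-macro-child-process")

    # Rule 2: Rclone moving data to a named remote (e.g. "mega:"), not a local path.
    if ((image == "rclone.exe" or "rclone" in cmd)
            and RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd)):
        findings.append("rclone-cloud-upload")

    # Rule 3: a remote-access tool running, or being installed through msiexec.
    if image in REMOTE_ACCESS_TOOLS or (
            image == "msiexec.exe" and any(k in cmd for k in REMOTE_ACCESS_KEYWORDS)):
        findings.append("remote-access-tool-install")

    return findings


def scan(events) -> Dict[str, List[str]]:
    """Map EventId -> findings for every event that triggers at least one rule."""
    results: Dict[str, List[str]] = {}
    for event in events:
        findings = detect(event)
        if findings:
            results[event["EventId"]] = findings
    return results


if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Event 5 is the deliberate negative case: Rclone copying between two local drives is common administrative activity, so the rule keys on the presence of a cloud remote rather than on the binary name alone. In production these rules would be fed from the EDR or SIEM rather than an inline list, and the remote-access rule would be tuned against the tools the organization legitimately uses.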

Indicators of Compromise

Following its analysis, CISA has published a list of domains used by Conti ransomware operators to launch malicious operations. Some may have been abandoned, or may share similar characteristics only by coincidence.

Recommendations

A destructive ransomware attack has far-reaching implications that go well beyond the enterprise whose systems are compromised. Attacks harm everyone who relies on the products and services of the organization that has been taken down. It is unreasonable for businesses to expect preventive measures to block every threat. Ransomware can be detected early by threat monitoring that uncovers intrusion attempts, data exfiltration, and abnormal communication. Zero Trust network segmentation gives organizations around the world a fighting chance to isolate, prevent, minimize, and recover from ransomware attacks. Adopting a Zero Trust architecture aligns security with the business, specifies the business rules and responses, and provides a framework for establishing a segmented network. Implementing multi-factor authentication reduces the risk of compromise by Conti and other ransomware attacks. Airgap’s agentless Secure Asset Access solution provides time-based application access for remote and campus workers, with zero trust workload isolation for devices anywhere.

In addition, implementing zero trust segmentation creates a “network of one”: Airgap is the first hop for every packet and can enforce zero trust policy to minimize unregulated communication between systems. Enterprises and the public sector must adopt a proactive zero trust posture in which segmentation provides network visibility, control, and constant monitoring. Airgap Zero Trust Segmentation analyzes every IP address associated with IoT, IoMT, IIoT, and OT critical infrastructure. The Airgap Zero Trust Isolation™ platform provides a centralized, cloud-delivered, autonomous policy framework and an actionable Ransomware Kill Switch™ in the event of an attack on IT, IoT, and OT infrastructure.
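The “network of one” idea in the two paragraphs above reduces to a default-deny policy evaluated on every flow, plus a way to tighten that policy further during an incident. The model below is an added example written for this article, not Airgap’s product logic: the 10.10.0.0/16 site, the rules, the `keep_in_lockdown` flag (a hypothetical stand-in for a kill-switch mode) and the sample flows are all constructed. It shows why peer-to-peer SMB and RDP between workstations, the lateral-movement paths described earlier, are dropped even though the same ports are allowed towards the file server and from the jump host, and how the denied-flow count per source host becomes a monitoring signal.

```python
"""Default-deny zero trust segmentation with a lockdown mode.
Added illustration written for this article; constructed policy and flows."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    ports: frozenset
    proto: str = "tcp"
    keep_in_lockdown: bool = False  # hypothetical: rule survives the kill-switch

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.dport in self.ports
                and ip_address(flow.src) in ip_network(self.src_net)
                and ip_address(flow.dst) in ip_network(self.dst_net))


# Constructed allow-list for a hypothetical 10.10.0.0/16 site.
# Anything not matched here is dropped: there is no workstation-to-workstation rule.
POLICY: List[Rule] = [
    Rule("workstations->dc-auth", "10.10.0.0/16", "10.10.1.10/32",
         frozenset({53, 88, 389, 636}), keep_in_lockdown=True),
    Rule("workstations->fileserver", "10.10.0.0/16", "10.10.1.20/32", frozenset({445})),
    Rule("jumphost->rdp", "10.10.2.0/24", "10.10.0.0/16", frozenset({3389})),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY,
             lockdown: bool = False) -> Tuple[str, str]:
    """Return ("allow", rule) or ("deny", reason) for a single flow.

    In lockdown, only rules flagged keep_in_lockdown still permit traffic,
    so encryption and exfiltration paths close while authentication keeps working."""
    for rule in policy:
        if rule.matches(flow):
            if lockdown and not rule.keep_in_lockdown:
                return ("deny", f"lockdown:{rule.name}")
            return ("allow", rule.name)
    return ("deny", "default-deny")


def denied_lateral_by_source(flows: List[Flow],
                             policy: List[Rule] = POLICY) -> Dict[str, int]:
    """Count default-denied flows per source host.

    A single host knocking on many peers is the segmentation layer's own
    signal of lateral movement, available before any payload is seen."""
    counts: Dict[str, int] = {}
    for flow in flows:
        verdict, reason = evaluate(flow, policy)
        if verdict == "deny" and reason == "default-deny":
            counts[flow.src] = counts.get(flow.src, 0) + 1
    return counts


# Constructed flows: one workstation probing its neighbours, plus legitimate traffic.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.10.1.10", 88),    # Kerberos to the DC: allowed
    Flow("10.10.5.7", "10.10.1.20", 445),   # SMB to the file server: allowed
    Flow("10.10.5.7", "10.10.5.8", 445),    # SMB to a peer workstation: dropped
    Flow("10.10.5.7", "10.10.5.9", 445),    # dropped
    Flow("10.10.5.7", "10.10.5.10", 3389),  # RDP to a peer workstation: dropped
    Flow("10.10.2.5", "10.10.5.8", 3389),   # RDP from the jump host: allowed
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow.src, "->", flow.dst, flow.dport, evaluate(flow))
    print("lockdown, file server:", evaluate(SAMPLE_FLOWS[1], lockdown=True))
    print("denied per source:", denied_lateral_by_source(SAMPLE_FLOWS))
```

The first matching rule wins, so rule order matters once overlapping networks are involved; the jump host sits inside 10.10.0.0/16 and therefore inherits the workstation rules as well as its own. A real deployment would also log every denied flow with its reason, since the `default-deny` counter is the cheapest early indicator of a host that has started scanning.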

For more information on how Airgap can help defend against distributed RaaS attacks, schedule a demo of the patented, industry-first Ransomware Kill Switch™ today.

Airgap Networks

Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io