Since the recent cyber-attack on the HSE, many businesses have expressed their concerns around Conti malware, asking what it is and why it’s a particularly vicious type of ransomware.
In this feature, we explain what it is, how it’s delivered and what you can do about it.
What is the Conti crypto virus?
Conti ransomware appeared on the threat landscape in May 2020 and has undergone rapid development since its discovery. It is particularly renowned for the speed at which it encrypts files and spreads across a target system.
Conti malware is a human-operated ‘double extortion’ ransomware. This means it both steals information and encrypts your files and systems, so the attackers can threaten to deny you access to your own data and also to publish or sell it.
How is Conti malware delivered?
The Conti malware, like other types of ransomware, can be delivered via various methods including:
- Spam and phishing emails
- Malicious websites — Some websites can host malware and phish for personal or sensitive information. This method often requires user interaction, such as clicking on fake ads or social media links and entering information via fake login fields.
- Malicious applications and plug-ins — Malware authors often bundle their viruses with software shared through third-party websites.
Who is at risk?
Anyone with a computer connected to the internet who has important data stored on their computer or network is at risk.
How do you know you have been hit by ransomware?
Many businesses are not aware that they have been hit by ransomware until it is too late. In some scenarios, a user may have clicked on a link and nothing appears to have gone wrong – which is another reason why early detection is so key.
The first sign for a user is often that their files can no longer be opened and that a file named YOUR_FILES_ARE_ENCRYPTED.html has appeared in each of their folders.
But this depends on the attack and when it is first discovered. Read more about how having the correct response mechanisms in place can help to stop ransomware in its tracks.
What do I do if I think I have been hit by ransomware?
Isolate the attack
When it comes to responding to a ransomware attack, time is key. This means, as soon as you think you have been hit by ransomware, you need to isolate the virus before it can spread any further.
This means disconnecting all affected systems:
- Unplug the computer(s) from the network.
- Turn off any wireless functionality, e.g. WiFi, Bluetooth, etc.
The next steps would be to determine the scope of the infection and check for encryption and data loss signs on:
- Mapped or shared drives.
- Mapped or shared folders from other computers.
- Network storage devices of any kind.
- External Hard Drives.
- USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras).
- Cloud-based storage, e.g. OneDrive.
- Logs and DLP software, for signs of data leaks.
You may also want to look for unexpectedly large archive files (e.g. zip, arc) containing confidential data that could have been used as staging files for exfiltration, and we recommend checking for malware, tools and scripts that could have been used to locate and copy data.
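The two checks described above, the ransom note in each folder and large, recently written archives that could be exfiltration staging, can be scripted as a first-pass triage over a file share. This is an added example, not Evros's tooling: the archive size threshold, the 72-hour window and the sample directory tree it builds are all assumptions chosen for the demonstration.

```python
"""First-pass ransomware triage: walk a directory tree and report
(1) folders containing the Conti ransom note and (2) large archive
files modified recently, which may be data-exfiltration staging."""
import os
import tempfile
import time
from pathlib import Path

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.html"  # note name seen with Conti
ARCHIVE_EXT = {".zip", ".arc", ".7z", ".rar"}   # .7z/.rar: assumed additions
LARGE_BYTES = 50 * 1024 * 1024                  # assumed threshold (50 MB)


def triage(root, recent_hours=72, large_bytes=LARGE_BYTES):
    """Return {'notes': [dirs with a ransom note],
               'staging': [large archives touched in the window]}."""
    cutoff = time.time() - recent_hours * 3600
    notes, staging = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(dirpath)
            elif path.suffix.lower() in ARCHIVE_EXT:
                st = path.stat()
                if st.st_size >= large_bytes and st.st_mtime >= cutoff:
                    staging.append(str(path))
    return {"notes": sorted(notes), "staging": sorted(staging)}


def build_sample_tree():
    """Constructed sample share: two hit folders, one clean folder,
    and a large zip in HR that should be flagged as possible staging."""
    root = Path(tempfile.mkdtemp(prefix="conti_triage_"))
    for sub in ("Finance", "HR"):
        (root / sub).mkdir()
        (root / sub / RANSOM_NOTE).write_text("<html>constructed note</html>")
    (root / "Public").mkdir()
    (root / "Public" / "readme.txt").write_text("clean folder")
    with open(root / "HR" / "export.zip", "wb") as fh:
        fh.truncate(LARGE_BYTES + 1)  # sparse file: size without the bytes
    return str(root)


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("Ransom notes found in:", *result["notes"], sep="\n  ")
    print("Possible staging archives:", *result["staging"], sep="\n  ")
```

Run it against a mapped drive or share root instead of the sample tree to get a list of affected folders and candidate staging files for the incident record.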
For every business, it is not a case of ‘if’ you will face a security breach but ‘when’, and for many businesses ransomware is the most likely threat.
This means your business should adopt the best possible security posture to enable recovery following an attack.
In summary, the key elements in being able to effectively respond to a cyber-attack, like Conti, include:
- Educate your employees on what to look out for: phishing emails from corporate-looking email accounts, suspicious file attachments and suspicious links to external URLs.
- Keep regular, immutable backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline.
- Privileged Account Management – it is best practice to employ a policy of Zero Trust. This means users only have access to the systems they need to do their work. Domain or local administrator permissions must be strictly restricted to system administrators only. It is also advisable to block, or strictly limit to what is necessary, internet access from production and non-production servers and administrative accounts.
- Multi-Factor Authentication plays a major role in preventing attackers from getting access to and disabling your security. As with all systems, administration rights should be limited to specific roles only.
- Defence-in-Depth Approach – a layered, defence-in-depth security model is essential. It must extend to all endpoints and servers so that they can share security-related data.
- Have an effective incident response plan in place and update it as needed. This is something the Security Team at Evros can help you with.
- Data Loss Prevention (DLP) – it’s important to limit the use of removable media to an approved set of users and have an effective DLP solution implemented to prevent data loss.
- Block or disable insecure and vulnerable services such as RDP (Remote Desktop Protocol) and SMB (Server Message Block) on the network firewalls, so that they cannot be accessed publicly.
- Block common indicators of compromise such as TOR, I2P, A-EK and other malicious traffic from the threat intelligence feeds provided by your security partners or vendors.
You can read more about the steps involved in preventing and responding to a ransomware attack in our feature, How To Prevent Ransomware Attacks, which also includes a free ransomware protection checklist.
How do I fully protect my business against ransomware?
No one should ignore the risk of ransomware. Even with sophisticated technologies in place, your business may still be vulnerable to insider threats as well as human error via, for example, phishing emails.
The key to protecting your business and stopping the virus from spreading is rapid detection.
Evros provides 24×7×365 security monitoring and Incident Response services from our global Security Operations Centres, giving our customers the best possible chance of a rapid recovery following a serious attack. We can also give you an overview of where the vulnerabilities in your environment may lie through our Vulnerability Management Services.