Battling Conti “Double Extortion” Ransomware: Best Practices for Channel Partners
Over the last few years, no cyberthreat has had a more destructive impact than ransomware. From exposing major weaknesses in IT defenses to running up enormous damages across different industries, it is one of the defining threats of this era. Though it is most commonly known for encrypting victims’ files, with attackers demanding a ransom in order to restore access to the data, ransomware is an evolving force. New variants and attack methods are constantly emerging as criminals chase bigger payouts.
Recently, ransomware attackers have started stealing data from victims and threatening to expose it as an extra layer of extortion on top of the usual encryption. One example of this human-operated “double extortion” ransomware is Conti, whose operators run a “Conti News” leak site where they publish the stolen information if the organization does not pay the ransom. Sophos researchers and incident responders have found that Conti News has published data stolen from at least 180 victims to date.
Conti ransomware is also evasive by nature. The attackers load the ransomware directly into memory rather than writing the ransomware binary to the infected computer’s file system, so there are far fewer on-disk artifacts for investigators to find and examine. What remains is the loader that staged it, the memory of the running process, and the endpoint telemetry captured while it ran, which is why memory capture and EDR records matter so much in a Conti investigation.
Dealing with a cyberattack – whether it’s Conti or any other strain of ransomware – can be a stressful experience for channel partners. It can be tempting to clear the immediate threat and close the book on the incident, but the truth is that in doing so, you are unlikely to have eliminated all traces of the attack.
After all, Conti ransomware is operated by humans who take the time to prepare for maximum disruption. If your customer has been hit by Conti, you can expect that the attackers used a variety of methods to break into the network, installed backdoors that let them come and go, and potentially disabled security solutions. Because the attackers have likely been on the network for days or even weeks, they will have obtained access to admin accounts and scanned the network, learning how many servers and endpoints there are and where the customer keeps its backups and business-critical data and applications. They may also have exfiltrated hundreds of gigabytes of corporate data prior to the main ransomware event.
This is why it’s so important to take the time to identify how the attackers got in, learn from any mistakes, and make critical improvements. In addition to a thorough investigation, there are also several proactive steps that channel partners can take to enhance customers’ IT security for the future, including:
- Monitoring the network 24/7 and knowing the early indicators that an attacker is already present (such as the activity described above: new backdoors, disabled security tools, unexpected admin-account use and internal network scanning), so that ransomware attacks can be stopped before they launch.
- Shutting down Internet-facing remote desktop protocol (RDP) to deny cybercriminals a direct route into the network. If you need RDP, put it behind a VPN connection, restrict the host firewall so TCP/3389 only accepts connections from the VPN address pool, and enforce multi-factor authentication (MFA) on the VPN.
- Using layered security to prevent, detect and respond to cyberattacks, including endpoint detection and response (EDR) capabilities and managed response teams who watch networks 24/7. Remember, there is no silver bullet for protection.
- Having an effective incident response plan in place and updating it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help.
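The RDP step above is the one most often left half-done: the service gets "disabled" while the built-in Windows Firewall rules still allow 3389 from any address. The following PowerShell, added here as an illustration and not code from the Sophos series, audits a Windows host for that condition and then restricts RDP to a VPN client pool. The 10.8.0.0/24 pool and the rule name are placeholders for your environment; MFA itself is enforced on the VPN gateway, not on the host, so it is not shown.

```powershell
# Added example: audit and harden RDP exposure on a single Windows host.
# Run in an elevated PowerShell session. Assumes the VPN client pool is 10.8.0.0/24 (placeholder).
$VpnPool = '10.8.0.0/24'

# 1. Is the RDP listener enabled at all? (fDenyTSConnections = 0 means enabled)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) { Write-Host 'RDP listener: ENABLED' } else { Write-Host 'RDP listener: disabled' }

# 2. Which enabled inbound firewall rules open TCP/3389, and from which remote addresses?
#    A RemoteAddress of "Any" on an Internet-reachable host is the exposure this checklist item is about.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 3. Harden: disable the stock "Remote Desktop" rule group (which allows any source)
#    and replace it with one rule scoped to the VPN pool.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
if (-not (Get-NetFirewallRule -DisplayName 'RDP from VPN pool only' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP from VPN pool only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $VpnPool -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Require Network Level Authentication so the listener does not present a logon screen
#    to unauthenticated clients.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 5. If the host needs no RDP at all, turn the listener off entirely (uncomment to apply).
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
```

Run the audit portion (steps 1 and 2) across the customer's fleet first; any host that reports RDP enabled with a RemoteAddress of Any and a public interface is the finding to fix. Confirm from outside the perimeter afterwards that 3389 no longer answers, since a host rule does nothing about a port-forward still configured on the edge device.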
To keep up with the ever-changing threat landscape and ensure the best protection against emerging threats like Conti, service providers should partner with a vendor that is committed to sharing knowledge about new threats and is continuously innovating to offer next-generation security solutions and services, such as Sophos Intercept X, Sophos Managed Threat Response, and Sophos Rapid Response.
Sophos is dedicated to helping partners meet the cybersecurity challenges of the current era, and new challenges as they arise. Check out the new three-part series on the Realities of Conti Ransomware, which includes:
- A Conti Ransomware Attack Day-By-Day – Analysis of a Conti attack, including Indicators of Compromise (IoCs) and tactics, techniques and procedures (TTPs)
- Conti Ransomware: Evasive By Nature – A technical overview by SophosLabs researchers
- What to Expect When You’ve Been Hit with Conti Ransomware – An essential guide for IT admins facing the impact of a Conti attack