vortipond.blogg.se

Cable group ransomwhere

Editor's note: This is one of a series of articles focused on the Conti ransomware family, which also includes technical details of Conti ransomware, Conti Ransomware: Evasive By Nature, and a detailed analysis of a Conti attack, A Conti Ransomware Attack Day-By-Day.

Conti ransomware appeared on the threat landscape in May 2020. It shares some similarities with other families of ransomware, but Sophos believes at this time that it is not related to them. Conti has undergone rapid development since its discovery and is known for the speed at which it encrypts and deploys across a target system. Conti is a human-operated "double extortion" ransomware that steals and threatens to expose information as well as encrypting it. The Conti News site has published data stolen from at least 180 victims thus far.

Imagine the scene: you're an IT admin and you turn up for work on a Monday morning to find your IT systems are down and no one can access or run anything. On your computer screen there is a message telling you that your systems and data have been encrypted with Conti ransomware and that you need to pay a ransom for the attackers to decrypt the compromised files and delete the stolen information.

What to do immediately: contain and neutralize

The first thing you need to do is determine whether the attack is still underway. If you suspect it is, and you don't have the tools in place to stop it, determine which devices have been impacted and isolate them immediately. The easiest option is to simply unplug the network cable or turn off the Wi-Fi adapter. If the damage is more widespread than a few devices, consider doing this at the switch level and taking entire network segments offline instead of individual devices. Only shut down devices if you can't disconnect the network: pulling the cable keeps memory-resident evidence (running processes, injected code, active sessions) available to investigators, whereas a power-off destroys it.

Then assess the damage. Which endpoints, servers and operating systems were affected, and what has been lost? Are your backups still intact, or has the attacker deleted them? If they are intact, make an offline copy immediately. Also, which machines were protected? They'll be critical in getting you back on your feet.

Last, but definitely not least: you'll want to talk to people about what's happening, but the attackers may be eavesdropping, so don't use your normal channels of communication. If the intruders have been in your network for a while, they'll probably have access to email, for instance.

Once you have managed to contain and neutralize the attack, take time to investigate what happened so you can reduce the likelihood of it happening again. If you don't feel confident about doing this yourself, there is specialist incident response and threat hunting help available 24/7 from security vendors, including Sophos.

According to the Sophos Rapid Response team, this is what you need to expect from Conti ransomware activity on your network:

1. Conti ransomware is operated by humans. The attackers have most likely been on your network for a few days or even weeks. They take time to prepare in order to ensure maximum disruption, because this enables them to charge higher ransoms.

2. The attackers could have used a variety of different methods to break into your network. Possible initial access methods for Conti ransomware include, but are not limited to, vulnerable firewalls, exposed RDP (Remote Desktop Protocol) services, and phishing user credentials via spam emails. Sites like Shodan.io provide insight into what an attacker could find out about your network; try using it to search your external IP addresses.

3. They will have secured access to domain admin accounts as well as other user accounts. Attackers typically compromise multiple accounts during an attack. Their main goal is to get access to domain admin accounts that can be used to launch the ransomware.
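The two behaviours described in the list above, exposed RDP being guessed from the internet and one stolen account fanning out into several accounts until a domain admin is obtained, both leave a trail in the Windows Security log. The script below is an added example written for this page, not Sophos code or tooling from the article: it runs three detections over a constructed, flattened JSON-lines sample of Security events (4625/4624 logons, 4728/4756 group membership changes), with invented account names and documentation-range IP addresses, so it runs offline. A real SIEM export would be EVTX or XML; only the field names used here are assumed.

```python
"""Detections for the Conti tradecraft described above, run over constructed
Windows Security events. Added example, not Sophos code. The sample is a
hand-written, flattened JSON-lines rendering (one object per event with the
fields a SIEM would extract), not raw EVTX/XML; IPs and accounts are invented."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: RDP password guessing from 198.51.100.7 (TEST-NET-2),
# one success, then the stolen account fans out to more accounts from an
# internal host, and one of them is added to Domain Admins (event 4728).
SAMPLE_EVENTS = """
{"time":"2021-02-14T03:01:10","event_id":4625,"account":"administrator","src_ip":"198.51.100.7","logon_type":10}
{"time":"2021-02-14T03:01:15","event_id":4625,"account":"administrator","src_ip":"198.51.100.7","logon_type":10}
{"time":"2021-02-14T03:01:21","event_id":4625,"account":"jsmith","src_ip":"198.51.100.7","logon_type":10}
{"time":"2021-02-14T03:01:26","event_id":4625,"account":"jsmith","src_ip":"198.51.100.7","logon_type":10}
{"time":"2021-02-14T03:01:33","event_id":4625,"account":"jsmith","src_ip":"198.51.100.7","logon_type":10}
{"time":"2021-02-14T03:02:40","event_id":4624,"account":"jsmith","src_ip":"198.51.100.7","logon_type":10}
{"time":"2021-02-14T03:30:02","event_id":4624,"account":"jsmith","src_ip":"10.20.0.15","logon_type":3}
{"time":"2021-02-14T03:41:18","event_id":4624,"account":"svc_backup","src_ip":"10.20.0.15","logon_type":3}
{"time":"2021-02-14T03:55:44","event_id":4624,"account":"it_helpdesk","src_ip":"10.20.0.15","logon_type":3}
{"time":"2021-02-14T04:10:09","event_id":4728,"account":"jsmith","member":"svc_backup","group":"Domain Admins"}
{"time":"2021-02-14T09:00:00","event_id":4624,"account":"alice","src_ip":"10.20.0.40","logon_type":2}
"""

# Groups whose membership changes should always page someone.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


def parse_events(text):
    """Parse JSON lines into dicts with real datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def rdp_password_guessing(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Per source IP: >= fail_threshold RDP (logon type 10) failures inside
    `window`, plus the account of the first type-10 success that followed."""
    fails = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            fails[e["src_ip"]].append(e["time"])
    hits = []
    for ip, times in fails.items():  # times are sorted because events are
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                success = next((e for e in events
                                if e["event_id"] == 4624 and e.get("logon_type") == 10
                                and e["src_ip"] == ip and e["time"] >= times[end]), None)
                hits.append({"src_ip": ip, "failures": end - start + 1,
                             "success_account": success["account"] if success else None})
                break  # one finding per source is enough
    return hits


def account_fan_out(events, min_accounts=3):
    """One source host authenticating successfully as several different
    accounts over network/RDP logons: the 'multiple accounts' pattern."""
    accounts = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") in (3, 10):
            accounts[e["src_ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}


def privileged_group_changes(events):
    """4728 (global) / 4756 (universal) group additions to privileged groups."""
    return [{"time": e["time"].isoformat(), "member": e["member"],
             "group": e["group"], "by": e["account"]}
            for e in events
            if e["event_id"] in (4728, 4756)
            and e.get("group", "").lower() in PRIVILEGED_GROUPS]


def run(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {"rdp_guessing": rdp_password_guessing(events),
            "account_fan_out": account_fan_out(events),
            "privileged_group_changes": privileged_group_changes(events)}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, json.dumps(result, indent=2))
```

On the sample, the script reports the guessing source with five failures and the `jsmith` success, the internal host that went on to log in as three different accounts, and the addition of `svc_backup` to Domain Admins. The thresholds are illustrative; tune the failure count and window to your own baseline, and feed the functions from your SIEM's flattened event export rather than the embedded sample.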