Conti Ransomware

HSE Ransomware Attack

In light of the recent Ransomware attacks on HSE IT infrastructure which is being described as the most significant Cyber security attack in the history of the Irish state, we at QuickMinutes wanted to give detailed info on what happened as well as some best practices to avoid Ransomware attacks. We also wanted to give info on how QuickMinutes actively secures its IT infrastructure against these attacks.

It’s been reported that these attacks have come from Russian Cyber criminals using advanced malicious Conti software aka Ransomware to gain access to the HSE network, gather sensitive data and then encrypt the HSE devices and demand a financial sum for the keys to unencrypt the data. We are still unclear on how the attackers gained access to the HSE network but reports suggest it could have been known exploits used on outdated IT software on the HSE staff devices.

What we know about Conti Software;

Conti ransomware is believed to be run by a Russian based cybercrime group known as Wizard Spider. This group uses phishing attacks to install TrickBot and Bazar Loader trojans that provide remote access to the infected machine or machines. They then use this remote access to spread laterally through the network while stealing credentials and harvesting unencrypted data that is stored on workstations and servers. Once they have stolen everything of value and gained access to Windows domain credentials, they wait – during this time they will remain undetected until they strike and deploy the ransomware on the network to encrypt all of its devices. The Conti gang then use the stolen data as leverage forcing the victim to pay the ransom.

Conti is seen as a more sophisticated ransomware type because it is a “double-extortion” ransomware. In other words, where traditional ransomware encrypts files on a computer or system and then unlocks them when a ransom is paid, Conti additionally exfiltrates the data. As a result, the stolen data can then be used to demand a further ransom in exchange for not publishing the data on the dark web.

The original Conti is also a human-operated virus, meaning that rather than automatically worming its way into a system, it can be manipulated by humans.

Some high-profile ransomware attacks conducted by Conti in the past include FreePBX developer Sangoma, IoT chip maker Advantech, Broward County Public Schools (BCPS), and the Scottish Environment Protection Agency (SEPA). The hit on the Scottish Environment Protection Agency (SEPA) took place on Christmas Eve, later publishing roughly 1.2 GB of stolen data on their dark web leak site. Our researchers have noted that the Conti News site has published data stolen from at least 180 victims thus far.

Conti Best Practice Recommendations:

1. Monitor your network security 24/7 and be aware of the early indicators of attack
2. Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection and enforce the use of Multi-Factor Authentication (MFA)
3. Educate employees on what to look out for in terms of phishing and malicious spam Emails. Don’t click links you are unsure about.
4. Introduce robust security policies
5. Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline.
6. Prevent attackers from getting access to and disabling your security: choose an advanced solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights.
7. Have an effective Incident Response plan in place and make sure it is up-to-date.

QuickMinutes Security Measures:

1. Azure Cloud IT infrastructure

⦿ More than 90 compliance certifications.

⦿ Including over 50 specific to global regions and countries, such as the US, the European Union, Germany, Japan, the UK, India, and China.

⦿ More than 35 compliance certifications specific to the needs of key industries, including health, government, finance,                              education, manufacturing, and media.

⦿ Azure adheres to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC3, FedRAMP, HITRUST, MTCS, IRAP, & ENS.

2. Azure WAF Firewall to protect against common exploits and vulnerabilities:

⦿ WAF is based on Core Rule Set (CRS) 3.1, 3.0, or 2.2.9 from the Open Web Application Security Project (OWASP)

3. Data backups in geo redundant locations.

4. Virus and Malware scanning of all files uploaded and downloaded from the QuickMinutes Servers.

5. Files uploaded to QuickMinutes are encrypted at rest. All files uploaded to Azure Storage services come with built-in support for       encryption, based on the 256-bit AES encryption standard. This standard is FIPS 140-2 compliant and is one of the                                   strongest methods  available.

6. Strict security policy rules and procedures for all individuals accessing and using QuickMinutes IT assets and resources.

Now more than ever IT infrastructure should be rigorously tested and updated to the latest security standards to protect sensitive users information.