The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a fresh warning to defenders following a surge in cyber attacks perpetrated by the Conti ransomware-as-a-service (RaaS) cyber crime syndicate, the group that attacked the Irish health service earlier this year.
CISA, working alongside its partners at the FBI, said it had observed over 500 attacks using Conti ransomware against targets around the world, with affiliates on the gang’s payroll leveraging a number of different techniques to infiltrate their victims.
These include targeted spear phishing, exploitation of remote monitoring, management and desktop software, and exploitation of the PrintNightmare and Zerologon vulnerabilities.
“The FBI, along with our partners at CISA and NSA [the US National Security Agency], is committed to providing resources in an effort to help public and private sector entities protect their systems against ransomware attacks,” said assistant director Bryan Vorndran of the FBI’s cyber division.
“Our collaborative partnerships and common sense of purpose are essential to our collective fight and when combined with our world-class capabilities, we can discourage this criminal behaviour by enacting a wide range of consequences against these malicious cyber actors.”
Eric Goldstein, executive assistant director for cyber security at CISA, said: “Americans are routinely experiencing real-world consequences of the ransomware epidemic as malicious cyber actors continue to target large and small businesses, organisations and governments.
“CISA, FBI and NSA work tirelessly to assess cyber threats and advise our domestic and international partners on how they can reduce the risk and strengthen their own capabilities. We encourage Americans to visit stopransomware.gov to learn how to improve their own cyber security to mitigate risk of becoming a victim of ransomware.”
As ever, official advice is that paying a ransom is strongly discouraged as it encourages and emboldens cyber criminals to conduct further attacks and is no guarantee of data recovery.
Robert Golladay, Europe, Middle East and Africa (EMEA) and Asia-Pacific (APAC) director at Illusive, said the surge in attacks was unsurprising. “Threat actors are constantly stepping up their game and improving their tools to increase their success rate. And then sharing what works – they effectively operate a ‘GitHub’ for attackers, sharing code once they’ve been successful with a technique,” he told Computer Weekly.
“Once an attacker is in the network, which inevitably will happen, it won’t take them long to move laterally to target ‘crown jewels’. At this point, it’s too late for companies to save their valuable data and assets. Along with implementing zero trust, network segmentation and updating operating systems and software, companies should be deploying an active defence, including deception technology, to catch attackers moving across the network.
“Any undetected movement through the systems will be caught and stopped mid-tracks. This is the most secure way to keep company assets protected and prevent any large-scale attacks,” added Golladay.
Cybereason chief security officer Sam Curry also urged cyber teams to step up their defensive game. “If we have learned anything from the deluge of ransomware attacks in 2021, [it’s that] the public and private sector need to invest now to ratchet up prevention and detection and improve resilience,” he said.
“We can meet fire with fire. Sure, the threat actors might get in, but so what? We can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can – in short – make material breaches a thing of the past. So what if they get a toe hold on the ramparts. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defences.”