CISA and FBI Advice on Ransomware Defenses

Posted November 9, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) along with the Federal Bureau of Investigation (FBI) recently issued an advisory on the increased use of Conti ransomware-as-a-service (RaaS). The agencies reported a wave of over 400 new attacks on U.S. and international organizations including healthcare systems and first responder networks. The attacks are known to steal critical information, encrypt servers and workstations, and ultimately demand a ransom payment.

As revealed in the advisory, the criminal actors often gain initial access to networks through:

Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links;
- Malicious Word attachments containing embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
Stolen or weak Remote Desktop Protocol (RDP) credentials
Phone calls;
Fake software promoted via search engine optimization;
Other malware distribution networks (e.g., ZLoader); and
Common vulnerabilities in external assets.

After gaining access, the attackers are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The attackers effectively use tools already available on the victim network. These types of attacks known as fileless malware and living off the land increased 888% in the past year according to data from WatchGuard.

The attacks are known to also add additional system tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks. The advisory gives the following recommendations for securing against the attacks.

To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

In the advisory the CISA also recommends scanning for vulnerabilities, removing unnecessary applications, implementing endpoint detection and response tools, limiting access to network resources, securing user accounts, and of course, always maintaining a robust and tested backup process.

If you are unsure about your current level of protection or overall readiness to defend against and recover from an attack, contact us. We are here to help.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.