CISA and FBI Advice on Ransomware Defenses
The Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), recently issued an advisory on the increased use of Conti, a ransomware operation run as ransomware-as-a-service (RaaS). The agencies reported a wave of over 400 attacks on U.S. and international organizations, including healthcare systems and first responder networks. The intrusions steal sensitive data, encrypt servers and workstations, and ultimately demand a ransom payment.
As revealed in the advisory, the criminal actors often gain initial access to networks through:
- Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links;
- Malicious Word attachments containing embedded scripts that download or drop other malware, such as TrickBot, IcedID, and/or Cobalt Strike, to assist with lateral movement and the later stages of the attack life cycle, with the eventual goal of deploying Conti ransomware;
- Stolen or weak Remote Desktop Protocol (RDP) credentials;
- Phone calls (social engineering by voice);
- Fake software promoted via search engine optimization;
- Other malware distribution networks (e.g., ZLoader); and
- Exploitation of known vulnerabilities in internet-facing assets.
After gaining access, the attackers are known to use legitimate remote monitoring and management (RMM) software and remote desktop software as backdoors to maintain persistence on victim networks. In effect, they rely on tools that are already present or permitted on the victim network, which means signature-based antivirus rarely flags the activity; detection has to key on context, such as which account ran the tool, from where, and what it touched. These techniques, known as fileless malware and living off the land, increased 888% over the past year, according to data from WatchGuard.
The attackers also bring in additional tools, such as Windows Sysinternals utilities and Mimikatz, to obtain users' password hashes and clear-text credentials, which enable them to escalate privileges within the domain and perform other post-exploitation and lateral movement tasks. In some cases the actors use TrickBot malware to carry out post-exploitation tasks as well. The advisory gives the following recommendations for defending against these attacks.
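The two preceding paragraphs describe behaviour that a defender can hunt for in endpoint telemetry: remote-access software running on hosts where it is not expected, known offensive tooling (Sysinternals utilities, Mimikatz) being launched even under a renamed binary, and processes reading LSASS memory, which is how Mimikatz and ProcDump obtain hashes and clear-text credentials. The following detection script is an added example written for this page; it is not part of the advisory or of any vendor product. It parses constructed Sysmon-style JSON-lines events (Event ID 1 process creation, Event ID 10 process access; the field names follow Sysmon, but the records are made up) and the tool names, host allowlist, and LSASS source allowlist are assumptions that would be tuned per environment.

```python
import json

# Tool names taken from the page (Windows Sysinternals, Mimikatz); the exact
# executable names and the remote-access watchlist are assumptions for this
# example, not a list taken from the advisory.
OFFENSIVE_TOOLS = {"mimikatz.exe", "procdump.exe", "psexec.exe", "psexec64.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Hosts where remote-access software is expected (assumed allowlist).
APPROVED_REMOTE_ACCESS_HOSTS = {"HELPDESK01"}
# Processes that legitimately open LSASS (assumed allowlist; tune per environment).
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def basename(path):
    """Last path component, lower-cased, so matching is case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(jsonl):
    """Return (line_no, finding, host, image) tuples for suspicious events."""
    findings = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            # Match on both the on-disk name and the PE's OriginalFileName so a
            # renamed copy (e.g. mimikatz.exe dropped as svc.exe) is still caught.
            names = {basename(ev.get("Image", "")),
                     ev.get("OriginalFileName", "").lower()}
            if names & OFFENSIVE_TOOLS:
                findings.append((n, "offensive_tooling", host, ev["Image"]))
            elif names & REMOTE_ACCESS_TOOLS and host not in APPROVED_REMOTE_ACCESS_HOSTS:
                findings.append((n, "unapproved_remote_access", host, ev["Image"]))
        elif ev.get("EventID") == 10 and basename(ev.get("TargetImage", "")) == "lsass.exe":
            # Only a handle that includes VM_READ can dump credentials; a
            # query-only handle (e.g. Task Manager listing processes) is noise.
            src = basename(ev.get("SourceImage", ""))
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_VM_READ and src not in LSASS_ALLOWED_SOURCES:
                findings.append((n, "lsass_memory_read", host, ev["SourceImage"]))
    return findings


# Constructed sample telemetry (not real events). JSON needs "\\" for one backslash.
SAMPLE_EVENTS = "\n".join([
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}',
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe", "OriginalFileName": "mimikatz.exe"}',
    r'{"EventID": 1, "Computer": "FS02", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"}',
    r'{"EventID": 1, "Computer": "HELPDESK01", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"}',
    r'{"EventID": 10, "Computer": "DC01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}',
    r'{"EventID": 10, "Computer": "DC01", "SourceImage": "C:\\Windows\\Temp\\pd.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}',
    r'{"EventID": 10, "Computer": "DC01", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}',
    r'{"EventID": 1, "Computer": "FS02", "Image": "C:\\Tools\\PsExec64.exe", "OriginalFileName": "psexec.c"}',
])

if __name__ == "__main__":
    for line_no, finding, host, image in analyze(SAMPLE_EVENTS):
        print(f"line {line_no}: {finding} on {host}: {image}")
```

On the sample data the script flags the renamed Mimikatz copy on WS01, AnyDesk on the file server FS02 (but not on the approved help-desk host), the unknown `pd.exe` opening LSASS with a read-capable handle, and PsExec on FS02; the Task Manager query handle and the csrss.exe access are left alone. The allowlists are the part that needs care in production: too broad and a renamed dumper slips through, too narrow and the hunt drowns in benign security-agent activity.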
To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in the advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.
The advisory also recommends scanning for vulnerabilities, removing unnecessary applications, deploying endpoint detection and response (EDR) tools, limiting access to network resources, securing user accounts, and, of course, maintaining a robust and regularly tested backup process. Because the actors exfiltrate data and operate with domain-level credentials before encrypting, backups should be stored offline or otherwise isolated so that a compromised account cannot encrypt or delete them.
If you are unsure about your current level of protection or overall readiness to defend against and recover from an attack, contact us. We are here to help.