Sophos, the security software and hardware company, has detected multiple confirmed attacks by the Conti ransomware, a data-encryption and ransom-demand attack that is executed manually by cybercriminals. The operators also use double extortion against their victims: once inside a corporate network, they steal the target’s data before encrypting it, and then threaten to publish the stolen information on the “Conti News” website if the company does not pay the ransom. Sophos has found that the attackers behind Conti have released data stolen from at least 180 organizations in recent months.
Sophos researchers and experts from Sophos Rapid Response have detected multiple confirmed Conti ransomware attacks in the last 6 months. It is a global threat that mainly affects companies in North America and Western Europe.
When Conti first appeared, researchers assumed it was Ryuk’s successor, although a crucial difference has since been identified in the criminal group behind it: the attackers use double extortion, threatening to leak the stolen data in order to force victims to pay the ransom. Using the information the criminals publish on the Conti News website, Sophos has built a victim profile to identify what kind of companies this ransomware family is attacking. Although these attacks can be aimed at companies in any sector, the companies attacked most so far by Conti belong to retail (26), industry (25), construction (20) and public administration (14).
“In targeted attacks with people at the helm, adversaries can adapt and react to changing situations in real time. In the case of the latest Conti ransomware attack identified by Sophos, the attackers accessed two servers simultaneously. The IT team of the attacked company detected the attack and deactivated one of the servers, believing that they had stopped the attack in time. However, the cybercriminals simply switched servers and continued their attack from the second compromised server. Having a ‘Plan B’ is a common approach in human-led cyber attacks. It serves as a reminder that just because suspicious activity on our network stops, it doesn’t mean the attack is over.”
Peter Mackenzie, Manager at Sophos Rapid Response.
In companies without a dedicated security team, IT administrators are on the front lines against ransomware attacks. “They are the ones who come to work one morning and find everything locked up along with a ransom note on computer screens, sometimes followed by threatening emails and even calls,” says Mackenzie.
Basic actions to help IT managers
- Disable Remote Desktop Protocol (RDP) wherever it is exposed to the Internet, so that cybercriminals cannot use it as an entry point into the network.
- If RDP access is genuinely needed, reach it only through a VPN connection rather than exposing the RDP port (TCP 3389) directly.
- Enforce a layered security policy to prevent, protect against and detect cyber attacks, including Endpoint Detection and Response (EDR) capabilities and managed security and incident response teams that monitor the business network 24/7.
- Learn about the 5 early indicators of the presence of a cyber attacker to stop ransomware attacks.
- Have an effective incident response plan in place and update it when necessary. If you feel you don’t have the resources or skills to develop a security plan, monitor potential threats, or respond to emergency incidents, consider using outside experts to keep your business protected.
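The first two recommendations (no Internet-exposed RDP; VPN-only access when RDP is required) can be checked and enforced directly on a Windows host. The script below is an added example and is not code from the Sophos article or from Sophos Rapid Response. It assumes the VPN hands out client addresses from 10.8.0.0/24 (a hypothetical pool; substitute your own) and that it is run in an elevated PowerShell session on the server in question.

```powershell
# Added example, not from the Sophos article: audit and restrict RDP exposure on a
# Windows host. The VPN address pool below is an assumption; replace it with yours.
$VpnSubnet = '10.8.0.0/24'   # assumption: address range your VPN assigns to clients

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means remote connections are denied.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 1) {
    Write-Host 'RDP is disabled on this host; nothing to restrict.'
    return
}

# 2. Show who is listening on / connected to 3389 right now, so an unexpected
#    remote address is visible before the firewall change is made.
Get-NetTCPConnection -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State |
    Format-Table -AutoSize

# 3. Find every enabled inbound allow rule for TCP/3389 that accepts any remote address.
#    These are the rules that make RDP reachable from the Internet.
$wideOpen = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

foreach ($rule in $wideOpen) {
    Write-Warning "Rule '$($rule.DisplayName)' allows RDP from any address; disabling it."
    Disable-NetFirewallRule -Name $rule.Name
}

# 4. Allow RDP only from the VPN subnet. Connections arriving from the Internet never
#    match this rule and fall through to the profile's default inbound action (Block).
if (-not (Get-NetFirewallRule -DisplayName 'RDP from VPN only' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null
}

# 5. Require Network Level Authentication so a client must authenticate before
#    a session is created, limiting what an unauthenticated attacker can reach.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 6. Confirm the default inbound action really is Block on every profile; the
#    VPN-only rule is meaningless if unmatched traffic is allowed through.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction | Format-Table -AutoSize
```

Step 3 is the audit that answers the first recommendation: any rule it reports is RDP reachable from anywhere the host is routable, including the Internet. Step 4 implements the second: after it runs, only clients that have first authenticated to the VPN and received an address from the assumed pool can reach port 3389. Perimeter firewalls and cloud security groups in front of the host need the same 3389 restriction; this script only covers the host itself.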