Defending Against Conti Ransomware: Why CISA Urgently Recommends Segmentation
Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory surrounding the ongoing wave of Conti ransomware attacks — a ransomware-as-a-service (RaaS) model variant known to have been behind more than 400 attacks on U.S. and international organizations since its inception in 2020.
Conti is just the latest in the ongoing ransomware scourge. As we near the one-year anniversary of the SolarWinds breach, ransomware attacks continue to evolve and abound — on an unequivocal scale.
Now more than ever before, it’s imperative that organizations take the steps needed to shore up their cyber resiliency — not just to protect and defend their own businesses but also their customers and supply chains from the wave of ongoing ransomware attacks.
What Is Conti?
According to the joint advisory from CISA and the FBI, “In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.”
The advisory also noted that Conti developers often pay the ransomware’s deployers a wage rather than a percentage of the proceeds from a successful attack. This revelation makes the model itself even more alarming, as deployers are paid regardless of how "successful" a given attack is.
Earlier this month, SiliconANGLE reported that Conti’s “been linked to a range of attacks, including one targeting Ireland’s health service in May...Previous Conti victims include industrial computer manufacturer Advantech in November, VOIP hardware and software maker Sangoma Technologies in December and hospitals in Florida and Texas in February.”
SiliconANGLE also noted that Conti was the subject of an FBI warning in May that said that the gang and its affiliates were targeting healthcare providers – a vital sector, particularly as the Covid-19 pandemic continues.
Safeguarding Against Conti
In order to secure systems against Conti ransomware, CISA and the FBI recommend the following precautions – Zero Trust and segmentation principles are chief among them:
- Use multi-factor authentication to remotely access networks from external sources.
- Implement network segmentation and filter traffic. Implement and ensure robust network segmentation between networks and functions to reduce the spread of the ransomware. Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Enable strong spam filters to prevent phishing emails from reaching end users.
Organizations should also consider implementing a user training program to discourage users from visiting malicious websites or opening malicious attachments. IT teams should implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites; with more advanced technology toolkits, this can be automated.
- Scan for vulnerabilities and keep software updated. Set antivirus and antimalware programs to conduct regular scans of network assets using up-to-date signatures. Organizations should also ensure that they’re upgrading software and operating systems, applications, and firmware on network assets in a timely manner.
- Remove unnecessary applications and apply controls. Remove any application not deemed necessary for day-to-day operations. Investigate any unauthorized software.
- Implement endpoint and detection response tools. Endpoint and detection response tools are known to enhance the visibility that SecOps teams have into any given cybersecurity environment — meaning that malicious cyber actors and potential threats can be identified and better mitigated early on.
- Secure user accounts. Regularly audit administrative user accounts and configure access controls under the principles of least privilege (Zero Trust) and separation of duties. Organizations should also regularly audit logs to ensure new accounts are legitimate users.
As more RaaS models and ransomware strains come to light, it’s essential that organizations identify and minimize any potential threat vectors or vulnerabilities early on. Among the recommendations outlined above, one of the critical best practices that organizations should act upon today is segmentation.
Here's How Illumio Can Help
Illumio stops ransomware in its tracks and, unlike legacy network segmentation, evolves with your organization by delivering:
- Simple and fast segmentation. With Illumio, you can segment applications, users and specific assets in minutes using automatic policy creation.
In the case of Conti, the ransomware exploited server message block (SMB) and remote desktop protocol (RDP) to move laterally. With Illumio Core, you can write a simple policy that blocks both of these protocols across your estate, except where they’re absolutely necessary – quickly and effectively reducing risk exposure.
- Policy that scales with your dynamic environments. Since Illumio uses your existing infrastructure to enforce policy, it will scale alongside your network as it evolves.
- Segmentation at the host level. By using existing host-based firewalls, you can manage all your segmentation policies from a single cloud instance without having to touch the infrastructure or move cables.
Learn more about how Illumio can dramatically reduce your risk by limiting the reach of a successful breach: Read the paper, How to Prevent Ransomware From Becoming a Cyber Disaster, and check out the blog post, 9 Reasons to Use Illumio to Fight Ransomware.
For additional information on the Conti ransomware gang, visit the official advisory page.