The importance of patching - ransomware attackers gain access in under a minute
According to Sophos threat researchers, Conti ransomware is currently incredibly active due to the dissolution of DarkSide, REvil and Avaddon.
The three groups operated under a Ransomware-as-a-Service (RaaS) business model. Affiliates of these now-shuttered gangs are looking for a new operator, which Sophos suspects is Conti, as the company's threat researchers see high levels of activity.
According to Sophos, another high alert threat at the moment is ProxyShell, an evolution of the ProxyLogon attack. ProxyShell is easy to exploit and currently a mainstay in adversary playbooks, including those deploying LockFile ransomware. Sophos has confirmed Conti ransomware attackers are leveraging ProxyShell.
"In the Sophos article, Conti Affiliates use Microsoft Exchange Exploit in Ransomware Attack, we detail how the attack takes place to help defenders know what to look for on their systems," says Sophos manager and incident response, Peter Mackenzie.
"We explain tools used, lateral movements, how data was exfiltrated and encrypted, and tips to defend, including the urgent recommendation that organisations with Exchange Server should update and patch servers as soon as possible."
Mackenzie says they want to highlight the speed at which the attack took place.
Contrary to the typical attacker dwell time of weeks or months before they drop ransomware, in this case, the Conti attackers gained access to the target's network and set up a remote web shell in under one minute. Three minutes later, the attackers installed a second backup web shell, which Sophos suspect was added in case the target discovered the first one.
Within 30 minutes, the attackers had generated a complete list of the network's computers, domain controllers, and domain administrators. And just four hours later, the Conti attackers had obtained the credentials of domain administrator accounts and began executing commands. Within 48 hours of gaining that initial access, the attackers had exfiltrated about one terabyte of data.
After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.
The attackers installed an unusual seven backdoors on the network throughout the intrusion, two web shells, Cobalt Strike and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities).
"The attackers used the web shells, installed early on, mainly for initial access," says Mackenzie.
"Cobalt Strike and AnyDesk were the primary tools used for the remainder of the attack. It was swift and efficient. It shows that patching is essential.
"Defenders should patch and deploy preventative security measures, including anti-ransomware and behavioural and machine learning technology, to detect and protect against Conti and other ransomware," he says.