Experts Reveal the Facts of the Conti Ransomware That Bank Indonesia Broke


Cyber security firm ESET reported that last year there were hundreds of Conti ransomware attacks, but only a few were detected in Indonesia. Once detected, however, the target was no small one: Bank Indonesia.

Looking at ransomware detections alone does not give the whole picture, because these days the ransomware itself is usually deployed only in the later stages of a cyber attack, especially by big-game hunters like Conti.



ESET said the cybercriminal gang carries out targeted attacks against large corporate networks, encrypting victims' data and also stealing any valuable information that can be held hostage for extortion.



To achieve their goals, these gangs use a variety of attack vectors, including misconfigured or poorly protected remote access (RDP), purchased or stolen access credentials (such as email delivery access/SMTP), or newly published critical vulnerabilities such as Log4Shell (the Log4j vulnerability) and ProxyShell (vulnerabilities in Microsoft Exchange Server).


Additional facts

ESET also revealed some additional facts about the Conti ransomware:



Conti is known to run a Ransomware-as-a-Service model on the dark web, with the group's core members focused on malware development and affiliates distributing the "product" and extorting victims for ransom.

FinCEN ranks Conti among the most profitable ransomware families.

The site ransomwhe.re saw nearly US$16 million transferred to this ransomware family in 2021, which is thought to be only a fraction of its revenue.

Conti's training material, or "playbook", and a list of some of the IP addresses it uses were recently leaked by one of its disgruntled affiliates.

ESET has detected this malware under the name W32/Filecoder.Conti since it first appeared in 2020.

Ransomware protection

Here are some things organizations can do to protect themselves from ransomware attacks:


All employees must undergo regular training in cyber security best practices. This goes a long way towards lowering the chances of them clicking on potentially dangerous links in their email that could be laced with ransomware, or plugging in unknown USB devices that could be loaded with malware.

Always update the operating system and software you use to the latest version whenever a patch is released.

Always plan for the worst and hope for the best, so have a business continuity plan in place in the event of a disaster. This should include a backup of your data and perhaps even a backup infrastructure that you can use while you restore a locked system.

Backups are essential for everyone, be it individuals or large companies. Back up your critical business data regularly and test those backups frequently to confirm they can actually be restored, so they do not leave you stranded if you get hit. At least the most valuable data should also be stored offline.
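One way to turn "test those backups frequently" into a routine check is to record a SHA-256 manifest of the backup set when it is written and verify the copy against that manifest later, so a backup that was silently truncated, corrupted or encrypted is noticed before it is needed. The script below is an added example, not ESET's or the article's own code; the paths and the idea of running it from a scheduled task are assumptions.

```powershell
# Added example: build or verify a SHA-256 manifest for a backup set.
# Usage (assumed paths):
#   .\Test-Backup.ps1 -Mode Build  -BackupRoot D:\Backups\2022-01 -ManifestPath D:\Backups\2022-01.manifest.json
#   .\Test-Backup.ps1 -Mode Verify -BackupRoot E:\OfflineCopy\2022-01 -ManifestPath D:\Backups\2022-01.manifest.json
param(
    [Parameter(Mandatory)] [ValidateSet('Build', 'Verify')] [string]$Mode,
    [Parameter(Mandatory)] [string]$BackupRoot,
    [Parameter(Mandatory)] [string]$ManifestPath
)

function Get-BackupManifest {
    # Returns a hashtable of relative path -> SHA-256 hex digest for every file under $Root.
    param([string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $manifest = @{}
    Get-ChildItem -LiteralPath $rootFull -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

switch ($Mode) {
    'Build' {
        $manifest = Get-BackupManifest -Root $BackupRoot
        $manifest | ConvertTo-Json -Depth 2 | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
        Write-Host "Manifest written for $($manifest.Count) files to $ManifestPath"
    }
    'Verify' {
        $expected = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json
        $actual   = Get-BackupManifest -Root $BackupRoot
        $problems = 0

        # Every file recorded at backup time must still exist with the same content.
        foreach ($entry in $expected.PSObject.Properties) {
            if (-not $actual.ContainsKey($entry.Name)) {
                Write-Warning "MISSING: $($entry.Name)"; $problems++
            } elseif ($actual[$entry.Name] -ne $entry.Value) {
                Write-Warning "CHANGED: $($entry.Name)"; $problems++
            }
        }
        # Files that were not in the manifest are suspicious too (e.g. ransom notes dropped next to the data).
        foreach ($rel in $actual.Keys) {
            if (-not $expected.PSObject.Properties.Match($rel).Count) {
                Write-Warning "UNEXPECTED: $rel"; $problems++
            }
        }

        if ($problems -eq 0) {
            Write-Host "Backup verified: $($actual.Count) files match the manifest."
            exit 0
        }
        Write-Error "Backup verification failed with $problems problem(s)."
        exit 1   # non-zero exit so a scheduled task or monitoring job can alert on it
    }
}
```

The manifest should be kept with the offline copy as well as the online one: an attacker who can encrypt the backups can also delete a manifest stored beside them, but a copy held offline still lets you tell which files survived intact.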

Reduce the attack surface by disabling or uninstalling unnecessary software or services. Remote access services in particular are often the main vector for ransomware attacks, so you would be well advised to disable internet-facing RDP completely, or at least limit the number of people allowed to access company servers remotely over the internet.
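As an added example of the RDP advice above (not ESET's or the article's own code), the script below audits a Windows host for the three settings that decide how exposed Remote Desktop is: whether RDP is enabled, whether Network Level Authentication is required, and which remote addresses the built-in "Remote Desktop" firewall rules accept. With -Enforce it narrows those rules to a management subnet; with -DisableRdp it turns RDP off entirely. The subnet, the script name and the English "Remote Desktop" display-group name are assumptions (the group name is localised on non-English Windows).

```powershell
# Added example: audit and optionally restrict Remote Desktop exposure. Run as Administrator.
# Usage (assumed name):  .\Audit-Rdp.ps1            (report only)
#                        .\Audit-Rdp.ps1 -Enforce   (limit RDP to the management subnet, require NLA)
#                        .\Audit-Rdp.ps1 -DisableRdp
param(
    [string[]]$AllowedRemoteAddress = @('10.0.0.0/8'),   # assumed management network
    [switch]$Enforce,
    [switch]$DisableRdp
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is disabled.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# 2. Is Network Level Authentication required? Without it the login screen is reachable before authentication.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
# 3. Which remote addresses do the enabled Remote Desktop firewall rules accept?
$rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
$scopes = foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($remote -join ',')
    }
}

[pscustomobject]@{ RdpEnabled = $rdpEnabled; NlaRequired = $nlaRequired } | Format-List
$scopes | Format-Table -AutoSize

if ($DisableRdp) {
    # The article's first recommendation: no internet-facing RDP at all.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'Remote Desktop disabled and its firewall rules turned off.'
    return
}

$openToAny = $scopes | Where-Object { $_.RemoteAddress -eq 'Any' -or $_.RemoteAddress -eq '' }
if ($rdpEnabled -and $openToAny) {
    Write-Warning 'RDP is enabled and at least one firewall rule accepts connections from any address.'
    if ($Enforce) {
        # Limit the rules to the management subnet(s) instead of the whole internet.
        $rules | Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
        # Require NLA so credentials are checked before a session is created.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        Write-Host "Remote Desktop rules now limited to: $($AllowedRemoteAddress -join ', ')"
    }
}
if ($rdpEnabled -and -not $nlaRequired -and -not $Enforce) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
```

A host-level firewall scope is a safety net, not a substitute for the perimeter: the same check belongs on the edge firewall or cloud security group, where a forgotten port-forward to 3389 is what actually makes RDP internet-facing.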

Never underestimate the value of a reputable layered security solution. Apart from your employees, this is the first line of defence you should have in place to protect you from all kinds of threats, not just ransomware attacks. Also make sure the product is always patched and up to date. It is also important to use a cloud-based sandbox solution to ensure your corporate network is protected against zero-day attacks.

Paying the ransom for a decryptor is not recommended. Cybercriminals are criminals, and there is no guarantee of what they will do after receiving payment. Paying the ransom can also paint a target on your organisation, because you will be seen as one willing to pay again in the future.

Ransomware is a type of malware that is constantly evolving. A comprehensive solution must secure every entry point into the network (internet, email, endpoints, servers, VPN, USB ports).
