ManageEngine AD360

FBI-CISA-NSA-USSS recommended strategies to thwart Conti ransomware

The Conti ransomware attack on Ireland's healthcare system is predicted to cost a whopping $100 million. A detailed investigation into the incident revealed that it was the largest cyberattack ever waged on a healthcare system. PricewaterhouseCoopers published an exhaustive report about the attack in December 2021, recommending security measures to prevent such attacks in the future. However, implementing these security measures would require separate investment apart from the estimated $100 million.

Peadar Tóibín, an Irish politician, says they've already paid a more valuable price for the ransomware attack: "There is another cost to this crisis, which the government and HSE (Health Service Executive) must also quantify: the cost in relation to health and lives. How many people had hospital appointments cancelled or postponed? How many people died as a result of this cyberattack?"

Impact of the Conti ransomware attack on the Irish healthcare system
+ Ireland spent $14.2 million on ICT infrastructure, $6.1 million for external cybersecurity support, $17.1 million for vendor support, and $9.4 million for Office 365 subscriptions.
+ Nearly 700GB of sensitive data, including PHI, was stolen.
+ A staggering 80% of the HSE's systems were shut down, severely affecting healthcare throughout Ireland.
+ Numerous radiology appointments were canceled, and the issuing of COVID-19 test results as well as birth and death certificates was delayed.
+ The private information of thousands who had taken the COVID-19 vaccine was leaked.
+ The Conti ransomware attack shut down the HSE's payment system, affecting nearly 146,000 of its employees.
+ Access to diagnostic records and medical reports was blocked.
+ The attack also impacted pediatric care, maternity services, and outpatient appointments all over Ireland.
So where did this all start?

[Timeline figure spanning May 2021 to September 21; the legible caption reads: the threat actor hacked numerous privileged accounts and ... None of these activities were identified ...]

Major Conti ransomware attack victims
+ Delta Electronics, a supplier for Apple and Tesla. Impact: Demanded 15 million in ransom and hacked more than 1,500 servers and 12,000 computers. Date: January 2022.
+ South Australian Government. Impact: Stole PII from between 38,000 and 80,000 government employees. Date: November 2021.
+ RR Donnelley, a marketing giant. Impact: Stole and leaked 25GB of data. Date: January 2022.
+ Bank of Indonesia. Impact: Stole 13.68GB of data. Date: December 2021.
+ Meyer Corporation, the largest cookware distributor in the US. Impact: Stole PII of thousands of employees, including their SSNs, health insurance information, and details about their passports, COVID vaccination cards, and immigration status. Date: October 2021.
+ Finite Recruitment. Impact: Stole 300GB of data, including sensitive personal information such as passport and bank account details. Date: October 2021.
+ Broward County Public Schools. Impact: Stole more than 1TB of data, including bank account details, and demanded a ransom of $40 million. Date: March 2021.
+ Graff, a multinational jeweler. Impact: Threatened to disclose the personal details of high-profile customers such as Oprah Winfrey, Donald Trump, Tom Hanks, and David Beckham, and leaked 69,000 sensitive documents. Date: October 2021.

Why you should beware of Conti ransomware attacks
Conti is a Ransomware as a Service (RaaS) toolkit supposedly designed and controlled by a group of cyberthreat actors called Wizard Spider, based out of Russia. The Federal Bureau of Investigation (FBI), the United States Secret Service (USSS), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint
advisory following the attacks on over 1,000 US and international organizations. The FBI identified a shocking 16 Conti ransomware attacks targeting US healthcare, including emergency services, and law enforcement agencies. The US Department of Health and Human Services also reported that the Conti gang had been fiercely targeting the healthcare and public sectors, and predicted this trend will continue.

What is RaaS?
RaaS is a fully developed, ready-to-deploy toolkit that anyone can purchase off the dark web and use to launch a ransomware attack. Similar to SaaS, it has 24x7 support, forums, user reviews, and more.

Modus operandi of the Conti ransomware gang
Double extortion is one of the trending strategies among cybercriminals, and it also happens to be the Conti gang's go-to scheme. According to the FBI-NSA-CISA-USSS joint advisory, the attack vector is usually one of these three:
+ Stolen or weak RDP credentials
+ Malicious attachments through phishing emails
+ Malicious links via phishing emails

Once a user takes the bait, malware like TrickBot, IcedID, or Cobalt Strike is dropped into the victim's IT environment, moving laterally, escalating privileges, and eventually deploying Conti ransomware. Sensitive data and high-value assets are uncovered using reconnaissance tools and exfiltrated to the Conti gang's secure location.
This process is called data harvesting, and it comes in handy for the attackers once the attack is complete, as the victim is not only in danger of data loss but also of a data leak. The firm's data is encrypted and a ransom note is displayed.

Interesting facts about the Conti ransomware gang
+ Recent insights into the infamous Conti gang revealed that it is a fully functional organization with over 100 employees, a CEO, policies, and best practices to evade law enforcement.
+ The organization also includes a journalist who is offered 5% of returns to pressure victims to pay up.

Mitigation strategies recommended by the FBI, CISA, NSA, and USSS

Use MFA
Require your users to go through another layer of verification in addition to passwords. This way, even if the adversary knows the password, they still have to crack another layer of defense.

Implement network segmentation and filter traffic
+ Segment your network into as many sub-networks as possible to contain an attack in the event that one happens.
+ Filter inbound and outbound traffic with known malicious IP addresses.
+ Use strong spam filters to prevent phishing attacks.
+ Implement a URL blocklist to prevent users from accessing malicious websites.

Scan for vulnerabilities and keep software updated
Set up antivirus and anti-malware programs and check periodically that the software is up to date.

Remove unnecessary applications and apply controls
Remove any unused applications, especially remote desktop or remote monitoring and management software, because Conti is known to exploit vulnerabilities in these applications.

Secure user accounts
Audit admin accounts and monitor audit logs regularly.

Implement endpoint detection and response tools
Constantly monitor endpoints for any suspicious activity.

Limit access to resources over the network

How ManageEngine AD360 can help
ManageEngine
AD360 is an integrated, holistic identity governance and administration solution with power-packed features to combat ransomware attacks. Let's see how AD360 can help you implement the FBI-CISA-NSA-USSS recommended mitigation strategies in your IT landscape.

Enable MFA for endpoints, RDP and VPN logins, cloud apps, and more
MFA rapidly reduces the chances of a successful ransomware attack because even if the adversary manages to capture user passwords through a phishing attack, they'll still have to get through another level of authentication. Vulnerable RDP and VPN connections are an attractive attack vector for adversaries. The infamous ... happened because of an unguarded VPN connection. With the exponential rise in RDP and VPN attacks, it has become essential to secure RDP and VPN endpoints.

AD360 supports MFA for machine logins (Windows, macOS, and Linux machines), RDP and VPN logins, enterprise applications, and OWA logins. It offers a myriad of concrete authentication factors to choose from, including YubiKey, biometrics, smart cards, Google Authenticator, and Microsoft Authenticator. AD360's user-friendly interface helps admins configure MFA in a few clicks.

VPN providers you can secure with MFA using AD360
+ Check Point Endpoint Connect
+ Fortinet
+ SonicWall Global VPN
+ OpenVPN Access Server
+ Palo Alto Networks
+ Windows native VPN
+ Juniper and other RADIUS-supported VPN providers
+ SonicWall NetExtender
+ Pulse

Use context-based authentication to fortify your cyberdefense
Identify behavioral anomalies in logins and decide whether you want to allow access, block access, or require an additional MFA factor to ensure they are a legitimate user. Behavioral anomalies could be anything ranging from unusual business hours or geographical locations to malicious IP addresses.
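The allow / step-up MFA / block decision just described, worked as an added illustration (this is not AD360's code and not part of the original deck); the business hours, trusted-country set, high-risk-country set and blocklist network are constructed assumptions, and the country code is assumed to come from an upstream GeoIP lookup.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy inputs (assumptions for this illustration, not AD360 settings).
BUSINESS_HOURS = range(8, 18)                    # 08:00-17:59 local time
TRUSTED_COUNTRIES = {"IE", "GB", "US"}           # where this tenant's users normally log in from
HIGH_RISK_COUNTRIES = {"RU", "CN"}               # the deck's own example of high-risk countries
MALICIOUS_NETS = [ip_network("203.0.113.0/24")]  # TEST-NET-3 stands in for a threat-intel blocklist


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str      # ISO country code, assumed already resolved by GeoIP
    when: datetime


def evaluate(attempt: LoginAttempt) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is ALLOW, REQUIRE_MFA or BLOCK."""
    src = ip_address(attempt.ip)
    # Hard blocks first: a known-malicious source or a high-risk country never proceeds.
    if any(src in net for net in MALICIOUS_NETS):
        return "BLOCK", ["source IP on malicious blocklist"]
    if attempt.country in HIGH_RISK_COUNTRIES:
        return "BLOCK", [f"login from high-risk country {attempt.country}"]
    # Softer anomalies escalate to an additional MFA factor instead of blocking outright.
    reasons = []
    if attempt.when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if attempt.country not in TRUSTED_COUNTRIES:
        reasons.append(f"unusual country {attempt.country}")
    return ("REQUIRE_MFA" if reasons else "ALLOW"), reasons


# Constructed sample attempts, one per branch of the policy.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "198.51.100.7", "IE", datetime(2021, 5, 14, 10, 30)),   # normal
    LoginAttempt("bob", "198.51.100.9", "IE", datetime(2021, 5, 14, 2, 15)),      # 02:15 login
    LoginAttempt("carol", "198.51.100.11", "BR", datetime(2021, 5, 14, 11, 0)),   # unusual country
    LoginAttempt("dave", "203.0.113.45", "IE", datetime(2021, 5, 14, 11, 0)),     # blocklisted IP
    LoginAttempt("erin", "198.51.100.23", "RU", datetime(2021, 5, 14, 11, 0)),    # high-risk country
]


def evaluate_all(attempts=SAMPLE_ATTEMPTS) -> dict[str, str]:
    """Map each user to the policy decision for their attempt."""
    return {a.user: evaluate(a)[0] for a in attempts}


if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(f"{a.user:6} {a.ip:15} {a.country} {a.when:%H:%M} -> {evaluate(a)}")
```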
For example, you can block or enforce an additional MFA factor for logins originating from high-risk countries such as Russia and China.

[Figure: login decision flow with the labels "Users", "Business hours", "Block access" and "Verify identity with MFA"]

Privileged user monitoring
Even if a threat actor manages to infiltrate your IT landscape, it is privilege escalation that takes a ransomware attack to the next level, causing extensive damage. With AD360, you can leverage AI-powered user behavior analytics to audit admin activities.

A. Detect privilege escalations instantly
Identify privilege escalation in real time by triggering alerts when a user accesses privileges for the first time and by ensuring that the user's role aligns with their activities in your IT landscape.

B. Receive notifications on suspicious activities
AD360 lets you configure alerts on suspicious activities. Get notified instantly when huge chunks of data are deleted, audit logs are cleared, or someone accesses sensitive data outside work hours.

C. Audit privileged user access to critical data
Keep a close eye on admin activities on sensitive resources and detect any malicious activity right away.

D. Discover behavioral anomalies
Leverage user behavior analytics to identify erratic behavioral patterns quickly. This helps you detect threat actors using stolen credentials to access your IT environment.

E. Identify compliance violations
Closely examine privileged user access to PHI and other data that's regulated by compliance policies such as HIPAA or the PCI DSS, and report any violations immediately.

Monitor inbound and outbound emails, attachments, and more
Mailboxes are the first point of contact for phishing campaigns. Threat actors employ advanced techniques to make phishing emails appear credible.
They even go to the extent of forging government seals or signatures to deceive recipients. AD360 provides a myriad of preconfigured reports on your Exchange and M365 mailboxes that will give you actionable insights into inbound and outbound traffic, mailbox usage, permissions, attachments, and more. You can also configure alerts to notify you instantly when there's suspicious activity.

Ensure a disaster recovery plan is in place
Proactive measures are necessary to keep ransomware attacks at bay. However, in the event of a successful ransomware attack, your organization should be equipped with a concrete disaster recovery strategy. A successful ransomware attack leads to significant loss of sensitive data, and in some cases, like the HSE attack, the impact of halting critical operations is worse than having to pay a huge ransom. Backup and restoration, on the other hand, is a strenuous task to perform with legacy systems. This is where AD360 comes into play. AD360 gives you a unified console to manage your Active Directory, Exchange, and Microsoft 365 backups in one go. With AD360, you can recover all your critical data in a few clicks and ensure the smooth functioning of your business operations even in the face of a ransomware attack.

Indicators of compromise

Footnotes
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
https://www.rte.ie/news/ireland/2022/0223/1282617-cyber-attack-cost/
https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf

Thank you for choosing ManageEngine AD360
