CONTI ransomware first showed up on the scene in December 2019. On July 8th, 2020 Carbon Black published an article on it. Based on our observation, the CONTI sample we encountered was similar to the one described there but not identical: the version we found did use the Windows Restart Manager API to close applications that were holding files open, but it encrypted with an RSA key instead of AES-256. We believe the CONTI ransomware deployed on our client's server was the work of an insider.
Not Your Regular Ransomware Attack
When a company gets hit with ransomware, they hope to be able to pay the criminals and get their data decrypted. In our client's case that was not an option, because the contact email addresses in the ransom note (shown in the image above) never replied to any attempt to reach them. Why would a cyber criminal not want you to pay them? The answer is simple: this was a crime of revenge. Earlier the client had parted ways with an IT person on less than favorable terms. We were unable to produce evidence that it was that IT person, but everything pointed to this being an inside job.
The client had a single physical server running three virtual machines as separate servers. We checked each virtual hard drive and found the CONTI ransomware .EXE on all three, but not on the physical host or on any of the other computers attached to the network. It is our belief that the ransomware was executed from inside the VMs and spread to the rest of the network from there. Whoever did this was intimately familiar with how the server was set up. We spoke with a network admin the client had hired before us, and he said there had been a remote connection to the server at the time of the attack, but the source IP address led back to a VPN. We also spoke with an IT person the client had brought in to help fix the situation, and he pointed out that the old server still had an account for someone who should not have had access to it.
We were not our client's first call, but the people before us had done a pretty good job of starting to fix the situation. We were brought in to try to recover the data. We first attempted a file-recovery tool in the hope of recovering the data as it was before the CONTI infection, but that did not pan out. Since the data the client needed lived in a SQL Server database, we located its .MDF file. The ransomware had encrypted only the transaction log (.LDF), not the .MDF, which is where the majority of the data is kept. We tried a couple of MDF recovery tools before finding the one that worked best for this situation; we settled on Stellar's MS SQL recovery tool. The tool worked as it should, but it took a long time because of the size of the file. In the end we were able to start rebuilding the database, but it was going to take too long for our client, so they ended up buying a backup copy from the IT person who had parted under unfavorable circumstances. To say the least, it was not cheap.
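Before reaching for a paid MDF repair tool, one check worth running is whether SQL Server will simply attach the surviving .MDF and rebuild a fresh log for it. The script below is an added example, not the tooling we used on this engagement; the instance name, file paths and database name are assumptions, and it works on a copy of the evidence file rather than the original. The SQL Server service account needs read/write access to the working directory for the attach to succeed.

```powershell
# Added example (not from the original post): try to attach an orphaned .MDF
# whose .LDF was encrypted, using ATTACH_REBUILD_LOG, on a forensic copy.
# Instance, paths and database name below are assumptions.
param(
    [string]$Instance  = 'localhost\SQLEXPRESS',          # assumed SQL instance
    [string]$SourceMdf = 'E:\evidence\vm2\ClientApp.mdf', # assumed surviving data file
    [string]$WorkDir   = 'D:\recovery',                   # assumed working directory
    [string]$DbName    = 'ClientApp_Recovered'
)

# 1. Never work on the evidence itself: copy the MDF and record its hash first.
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$workMdf = Join-Path $WorkDir (Split-Path $SourceMdf -Leaf)
Copy-Item -Path $SourceMdf -Destination $workMdf -Force
$hash = (Get-FileHash -Path $workMdf -Algorithm SHA256).Hash
"$(Get-Date -Format o) SHA256 $hash $workMdf" | Add-Content (Join-Path $WorkDir 'recovery.log')

# 2. Ask SQL Server to attach the data file and build a new, empty log.
#    This only works if the database was cleanly shut down before the log
#    was lost; otherwise SQL Server refuses, and the error message says why.
$attachSql = @"
CREATE DATABASE [$DbName]
    ON (FILENAME = N'$workMdf')
    FOR ATTACH_REBUILD_LOG;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Database=master;Integrated Security=True")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandTimeout = 0            # large files take a while
    $cmd.CommandText = $attachSql
    [void]$cmd.ExecuteNonQuery()
    Write-Host "Attached $DbName from $workMdf with a rebuilt log."

    # 3. See what came back: approximate row counts per table.
    $cmd.CommandText = @"
USE [$DbName];
SELECT s.name AS [schema], t.name AS [table], SUM(p.rows) AS [rows]
FROM sys.tables t
JOIN sys.schemas s ON s.schema_id = t.schema_id
JOIN sys.partitions p ON p.object_id = t.object_id AND p.index_id IN (0, 1)
GROUP BY s.name, t.name
ORDER BY [rows] DESC;
"@
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        '{0}.{1}: {2} rows' -f $reader['schema'], $reader['table'], $reader['rows']
    }
    $reader.Close()

    # 4. Consistency check; any corruption is raised as an exception here.
    $cmd.CommandText = "DBCC CHECKDB ([$DbName]) WITH NO_INFOMSGS;"
    [void]$cmd.ExecuteNonQuery()
    Write-Host "DBCC CHECKDB reported no errors."
}
catch {
    # Typical failures: the log cannot be rebuilt because the database was
    # not cleanly shut down, or CHECKDB finds damaged pages. That is the
    # point at which a dedicated MDF repair tool becomes worth the time.
    Write-Warning "Recovery attempt failed: $($_.Exception.Message)"
}
finally {
    $conn.Close()
}
```

If the attach succeeds, take a full backup of the recovered database immediately and keep it somewhere the compromised server cannot write to; if it fails, the exception text tells you whether the problem is the missing log or damage inside the data file, which is what decides whether a repair tool is worth the run time.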
Protecting Against this Type of an Attack
Ransomware is not always as targeted as this, but it can be, and when it is there is not much you can do about the binary itself, because the attacker will have tailored it to your system. The truth is that the things you can do to prevent it are limited and not guaranteed. First, limit remote access to what is essential and keep logs of who has remote access, from where, and when they used it. Second, have a third party audit your systems to confirm they are set up the way your IT people say they are. Third, when someone leaves the company, audit everything they had access to, so that if they left under unfavorable circumstances you can be sure they did not leave anything behind. Last, reset all passwords, including service and shared accounts, not just the one belonging to the person who left.
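As an added example of what the remote-access and off-boarding audit above looks like in practice on a single Windows server, the script below lists who is allowed in remotely, which local accounts exist and when they last logged on, and which accounts actually logged on remotely in the review window, then flags remote logons by accounts that are not in any remote-access group. It is not tooling from this engagement; the review window and report path are assumptions, and on a domain-joined host the domain controller's logon events and the VPN concentrator's logs need the same treatment.

```powershell
# Added example (not the post's own tooling): remote-access audit for one
# Windows server, run before and after an off-boarding. Assumed parameters.
param(
    [int]$Days = 30,                                    # assumed review window
    [string]$Report = "$env:TEMP\remote-access-audit.csv"  # assumed output path
)

$since = (Get-Date).AddDays(-$Days)

# 1. Who is allowed in remotely? Local admins, RDP users and WinRM users.
$groups = 'Administrators', 'Remote Desktop Users', 'Remote Management Users'
$members = foreach ($g in $groups) {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Group'; e = { $g }}, Name, PrincipalSource
}

# 2. Which local accounts exist, are they enabled, and when were they last used?
$accounts = Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description

# 3. Who actually logged on remotely? Security event 4624: LogonType 10 is
#    RDP, 3 is network (SMB/WinRM), 7 is an unlock or RDP reconnect.
$sinceUtc = $since.ToUniversalTime().ToString('o')
$xmlFilter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[@SystemTime>='$sinceUtc']]]
      and *[EventData[Data[@Name='LogonType']='10'
                   or Data[@Name='LogonType']='3'
                   or Data[@Name='LogonType']='7']]
    </Select>
  </Query>
</QueryList>
"@
$logons = Get-WinEvent -FilterXml $xmlFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($f.TargetDomainName)\$($f.TargetUserName)"
            LogonType = $f.LogonType
            SourceIP  = $f.IpAddress
            Process   = $f.ProcessName
        }
    } |
    # Drop machine accounts and local loopback logons.
    Where-Object { $_.User -notmatch '\$$' -and $_.SourceIP -notin '-', '127.0.0.1', '::1' }

# 4. Cross-check: remote logons by accounts outside the remote-access groups
#    are exactly the kind of thing the post describes finding after the fact.
$allowed = $members.Name | ForEach-Object { ($_ -split '\\')[-1] }
$suspect = $logons | Where-Object { (($_.User -split '\\')[-1]) -notin $allowed }

'== Remote-access group membership =='
$members | Format-Table -AutoSize
'== Local accounts =='
$accounts | Format-Table -AutoSize
'== Remote logons in the last {0} days ==' -f $Days
$logons | Sort-Object Time | Format-Table -AutoSize
'== Remote logons by accounts outside the remote-access groups =='
$suspect | Sort-Object Time | Format-Table -AutoSize

$logons | Export-Csv -NoTypeInformation -Path $Report
"Report written to $Report"
```

Two caveats a practitioner should keep in mind: Get-LocalGroupMember does not expand domain groups, so a domain group nested in Administrators hides its individual members from step 4, and, as in the incident above, a source IP that belongs to a VPN provider identifies a tunnel endpoint rather than a person, so the VPN and authentication logs are what tie a session back to an account.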
Prevention is not always effective because it depends on people not making mistakes. Being prepared is different, because it can be as simple as keeping backups that a third party has audited, stored somewhere that neither a compromised server nor a departed administrator can reach. One other idea is system separation. In my client's case it would have been better to run those virtual servers on top of a Linux host, because the Windows ransomware executable could not have run on the host itself; the guest VMs could still have been encrypted, but the hypervisor and its storage would have been out of its reach. Maybe a bit technical, but it does work.
All of this could have been avoided if our client had had someone on their team who was well versed in cyber security. IT people are great, but they are seen as the repair guy, and most of them are, whereas a Chief Information Security Officer (CISO) is both a technician and a tactician in cyber security. The CISO is the one who plans and ensures your company is prepared to defend against cyber crime. The truth is that most small businesses cannot afford to hire a full-time CISO, because one can cost around $160,000 a year. That is why our company offers vCISO services at less than half the cost of a full-time CISO. If you are not planning for an insider threat, you are asking to be a victim.