This is not a zero day attack. It’s Conti Ransomware.
A zero day attack refers to a computer intrusion that exploits a previously undisclosed vulnerability. Furthermore, ransomware itself isn’t a zero day; it is the payload dropped after pivoting off a vulnerability, typically through a Business Email Compromise (BEC). From there, a command and control (C2) server is set up to establish persistence. Attacks then focus on gaining root access at the Domain Controller to coordinate the encryption execution. Recent ransomware techniques include exfiltration of data to further extort and compel a victim to pay the ransom. Once exfil is done, the process of encrypting backups, domain controllers, file servers and identified pertinent company files begins, but only after full compromise of these systems to ensure maximum effect.
To combat this you have only 2 basic choices: restore from backup or pay the ransom. The 1st choice requires executing an Incident Response plan and a Disaster Response plan.
3rd parties like CRWD can assist with both. In addition, the victim will want to share the following with law enforcement for additional follow-up:
Indicators of Compromise (IOCs): these details identify the ransomware variant, the actor IPs and other evidence such as malware files, like DLLs.
Tactics, Techniques, and Procedures (TTPs): keep in mind, ransomware is the payload, not the genesis of the compromise. How the actors gained access to your system is crucial to identifying what vulnerability they exploited to drop the ransomware. Perhaps it was a vulnerability they could exploit with Metasploit after scanning the system with Nmap. Perhaps they did OSINT to identify certain people who work in IT for the organization and could fall victim to a BEC while logged in as a Domain Admin.
Furthermore, if the ransom is paid, the victim should provide the bitcoin address to authorities so the transactions can be followed.
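As an added example (not part of the original post), here is the kind of check a defender runs once IOCs have been collected: match a small indicator list (actor IPs, a file hash, malware file names) against log lines to confirm which hosts and connections are involved before handing the evidence to an IR team or law enforcement. Every IOC value and log line below is a constructed placeholder, not a real indicator from any incident.

```python
"""Match a small indicator-of-compromise (IOC) list against log lines.

Added example, not code from the original post. All IOC values and log
lines are constructed placeholders (RFC 5737 documentation IP ranges, an
all-zero hash, made-up file names); real values come from the incident's
own evidence or a vendor/law-enforcement advisory.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed IOC set, keyed by indicator type.
IOCS = {
    "ipv4": {"198.51.100.23", "203.0.113.77"},        # placeholder actor IPs
    "sha256": {"0" * 64},                             # placeholder file hash
    "filename": {"evil_loader.dll", "encryptor.exe"}, # constructed file names
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
FILENAME_RE = re.compile(r"[\w\-]+\.(?:dll|exe|ps1|bat)\b", re.IGNORECASE)


@dataclass
class Match:
    """One IOC hit: where it was seen, what type it is, and the raw line."""
    line_no: int
    ioc_type: str
    value: str
    line: str


def sha256_of_bytes(data: bytes) -> str:
    """Hash file contents so they can be compared to, or reported as, a hash IOC."""
    return hashlib.sha256(data).hexdigest()


def scan_lines(lines, iocs=IOCS):
    """Return every IOC hit found in the given log lines, in line order."""
    matches = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                matches.append(Match(n, "ipv4", ip, line))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                matches.append(Match(n, "sha256", h.lower(), line))
        for fn in FILENAME_RE.findall(line):
            if fn.lower() in iocs["filename"]:
                matches.append(Match(n, "filename", fn.lower(), line))
    return matches


def summarize(matches):
    """Group hits by IOC type into a compact report for hand-off."""
    out = {}
    for m in matches:
        out.setdefault(m.ioc_type, set()).add(m.value)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample log lines (firewall and EDR style) for the demo.
SAMPLE_LOG = [
    "2024-01-01T03:12:44Z firewall allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-01-01T03:13:02Z edr process_create image=C:\\Windows\\Temp\\evil_loader.dll parent=rundll32.exe",
    "2024-01-01T03:13:10Z edr file_hash path=C:\\Windows\\Temp\\evil_loader.dll sha256=" + "0" * 64,
    "2024-01-01T03:15:00Z firewall allow src=10.0.0.5 dst=192.0.2.10 dport=443",
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for m in hits:
        print(f"line {m.line_no}: {m.ioc_type} {m.value}")
    print(summarize(hits))
```

The third sample line hits twice (the hash and the file name), which is the point of keeping several indicator types for the same malware: a renamed DLL still matches on its hash, and a re-compiled one may still match on the name or the C2 address.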
To prevent ransomware, the organization needs to perform a cyber hygiene assessment to see where they stand. Next comes building a robust incident response and disaster plan.
Finally, cyber security isn’t a case of spending X amount and being done. NO!!! It’s recognizing you WILL have an incident and asking whether you are prepared to triage. It’s a constant process that evolves as the actors evolve.
CRWD is uniquely positioned to answer this NEED, but I just wanted to explain to everyone some fundamentals about ransomware.
~Bizkikr