According to the Australian Cyber Security Centre (ACSC), many Australian enterprises across a wide range of industry sectors were hit by Conti ransomware attacks in November and December 2021, and the victims received ransom demands.
In addition to data encryption and the resulting disruption to normal business operations, victims have had data stolen during these ransomware incidents, including Personally Identifiable Information (PII). The warning follows a ransomware attack on CS Energy’s corporate ICT network in November, which local media incorrectly attributed to a Chinese state-backed hacking group.
However, according to CS Energy CEO Andrew Bills, the business found no evidence that the cyber event resulted from a state-sponsored attack. When the Australian energy supplier identified the hack on November 27, the Conti ransomware group claimed responsibility. Conti has yet to provide any of the CS Energy files that were taken.
The ACSC also released a ransomware profile that includes further information on the Conti gang, including first access indicators, targeted sectors, and mitigating methods.
“The threat actors involved in the deployment of the Conti ransomware frequently change attack patterns, and quickly take advantage of newly disclosed vulnerabilities to compromise and operate within networks before network owners are able to apply patches or mitigations,” the agency added.
The ACSC offers mitigations aimed at Conti’s TTPs (Tactics, Techniques, and Procedures), such as:
- activating multifactor authentication (MFA) to prevent the use of stolen credentials
- encrypting sensitive data at rest to prevent sensitive information from being leaked
- restricting admin privileges and segmenting corporate networks to prevent attempts at privilege escalation and lateral movement
- maintaining frequent backups to lessen the impact of attacks