Last Updated: 17/05/21 12:00
Integrity360 has deployed our Incident Response Team to support a number of clients who may be affected by the ransomware attack widely reported on in Irish media.
Our teams are committed to supporting the wider health community as well as our clients, and we advise all organisations to increase vigilance within their own environments in relation to this attack.
The Threat & Impact
The ransomware is believed to resemble “Conti”, a ransomware family in operation since at least December 2019 and believed to be a successor to the “Ryuk” ransomware. Conti is often delivered using the “TrickBot” infrastructure. It is human-operated rather than run as an automated process, and it contains features that allow a more targeted and faster attack. Conti ransomware operations have targeted a wide variety of sectors globally, including construction, manufacturing, and retail.
The ransomware is believed to be a new variant of Conti, previously unknown to security vendors. Update 17/05/21: The NCSC has observed that the threat actors used Cobalt Strike.
Recommendations
As best practice, Integrity360 would recommend that businesses increase vigilance of their environment ensuring:
Conti operators are known to exfiltrate data before deploying the ransomware, so concerned organisations should also review outbound data transfers from the past month for evidence of exfiltration as a proactive measure.
Update 17/05/21: The National Cyber Security Centre (NCSC) has issued their advisory on the ransomware attack which details the background, response and remediation efforts in detail. They also outline the assessment of the variant of Conti ransomware in use and the indicators of compromise (IOCs) which have been observed. We advise organisations to take note of these IOCs, also listed below.
We will continue to provide updates, links and resources on this dedicated page as new information comes to light.
Should you require assistance relating to this advisory, please use our contact form. As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.
Related Information
Indicators of Compromise
The NCSC have outlined the following indicators of compromise, observed in relation to this incident, in their advisory. Note that file-hash indicators only match identical copies of the observed samples; because this is a new variant, the absence of a hash match does not by itself rule out compromise.
- Conti SHA256: d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
- Cobalt Strike SHA256: 234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a
- Cobalt Strike SHA256: 1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f
- Cobalt Strike SHA256: 8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408
- Cobalt Strike SHA256: a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb
- Cobalt Strike SHA256: d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce
- Filename: _EXE.bat
- Filename: _COPY.bat
- LaZagne SHA256: 5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50
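As an added illustration of how the indicators above can be swept across a file system or a collected set of files, the following Python script hashes every file under a given root and reports hash and filename matches. This is example code written for this page; it is not NCSC or Integrity360 tooling. The hash table is copied from the list above; the temporary directory, the placeholder files and the extra "constructed sample" hash in the demo are constructed for the offline demonstration and are not indicators from the advisory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 indicators as listed in the NCSC advisory quoted on this page.
IOC_SHA256 = {
    "d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc": "Conti",
    "234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a": "Cobalt Strike",
    "1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f": "Cobalt Strike",
    "8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408": "Cobalt Strike",
    "a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb": "Cobalt Strike",
    "d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce": "Cobalt Strike",
    "5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50": "LaZagne",
}
# Filename indicators from the advisory, compared case-insensitively because
# NTFS is case-insensitive and the actor may not preserve the exact case.
IOC_FILENAMES = {"_exe.bat", "_copy.bat"}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=IOC_SHA256, names=IOC_FILENAMES):
    """Walk root and return a list of (path, reason) for every IOC hit.

    A file can produce two entries if both its name and its hash match.
    Unreadable files (locked, permission denied) are skipped rather than
    aborting the whole sweep; in a real engagement, log them for follow-up.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                hits.append((path, f"filename IOC: {name}"))
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            if digest in hashes:
                hits.append((path, f"SHA256 IOC: {hashes[digest]}"))
    return hits


def demo():
    """Constructed offline demonstration: one filename hit and one hash hit.

    The real malware is deliberately not reproduced here. To show a hash match
    without it, a placeholder file's hash is added to a copy of the IOC table
    under the label 'constructed sample'; that hash is NOT an advisory IOC.
    """
    root = tempfile.mkdtemp()
    Path(root, "_EXE.bat").write_text("rem constructed placeholder, not the real file\n")
    Path(root, "readme.txt").write_text("benign content\n")
    sample = Path(root, "dropper.dll")
    sample.write_bytes(b"constructed sample bytes")
    hashes = dict(IOC_SHA256)
    hashes[sha256_of(sample)] = "constructed sample"
    return sweep(root, hashes=hashes)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

Run it against a mounted image or a triage collection rather than a live host where possible, and treat hits as a trigger for forensic preservation, not cleanup: the `.bat` filenames in particular are generic enough to appear in legitimate scripts, so a filename hit should be confirmed against the file's contents and timestamps before any action is taken.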