Two Latest Victims of the Conti Ransomware Gang



DESCRIPTION

The online photography platform Shutterfly recently announced that it had fallen victim to a cyberattack. Shutterfly believes its systems were first breached on December 3, 2021. The attackers then scoped out Shutterfly's network and exfiltrated a considerable amount of data, including employee personal information such as names, login credentials and salary information. They also obtained customer information, including the last four digits of credit card numbers on file. The company cannot say with certainty how many people were affected. Two weeks after Shutterfly's disclosure, American tool manufacturer Snap-on reported a similar incident, stating that a breach took place during a 48-hour period beginning on March 3, 2022, in which 1GB of files was stolen. The compromised data contained the personal information of employees, including names, birth dates, Social Security Numbers (SSNs) and employee identification numbers. The Conti gang, a Russia-based ransomware operation, has claimed responsibility for both attacks.

IDENTIFY INDICATORS OF COMPROMISE (IOC)


Shutterfly became aware of the attack on December 13, 2021, when the attackers encrypted more than 4,000 devices, including the VMware ESXi servers that hosted the company's virtual machines. Once it lost access to those systems, Shutterfly secured its network and brought in an outside cybersecurity firm to assist with remediation. Shutterfly then began an extensive investigation to determine how the attack was carried out and exactly which data had been compromised. Days after the attack was discovered, Conti published more than 7GB of Shutterfly's data on its dark web leak site to prove it possessed the information. The initial ransomware attack was also reported by BleepingComputer.com. Snap-on has released little detail about its breach, but it discovered the attack by detecting unusual activity within its computer systems.

CONTAINMENT (If IoCs are identified)


Both Shutterfly and Snap-on sent data breach notification letters to the individuals whose information was compromised, and both notified the California Attorney General's office as required under the California Consumer Privacy Act (CCPA). Details of the steps the companies took to contain the attacks themselves have not been made public.

PREVENTION

Conti ransomware is normally delivered through a phishing email carrying a malicious attachment, typically a macro-enabled Microsoft Word document. This vector can be closed off by combining an advanced email filtering system with a security policy that disables Office macros, set through the Trust Center settings of the Office Administrative Templates in Group Policy. Because Conti also uses the SMB protocol to reach and encrypt other Windows devices on the local network, you should disable SMBv1 on all of your Windows devices and block SMB traffic between workstations wherever it is not needed. Other security recommendations include the following:

  • Prevent the lateral movement of Conti or other malware by segmenting your network using a zero-trust strategy. This can be achieved with next generation firewalls that filter inter-VLAN traffic. Because ransomware usually enters through a single phished user's workstation, filtered segmentation helps contain the infection and keeps it away from critical areas of your network.
  • Every computer should be protected by an endpoint security solution that can detect ransomware behaviors. Endpoint security is not sufficient by itself, but it plays an important role in a multi-layer security strategy.
  • The best insurance against a ransomware attack is an effective backup strategy. Backups will not prevent data theft, but they will let you recover your files to their original unencrypted state without paying a ransom. Ensure that you keep an offsite copy of your backups (offline or immutable, so the attacker cannot encrypt or delete it), that your backup system is segmented from your production network, and that it is protected by a network firewall.
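The macro and SMBv1 controls described at the start of this section, as an added example that is not part of the original bulletin: a PowerShell script that audits a single Windows host and, unless run with the assumed -Audit switch, applies the settings. It assumes an Office 2016/2019/Microsoft 365 installation (the "16.0" policy branch), writes the per-user Office policy keys for the current user only, and must run from an elevated prompt; on a domain the same settings belong in Group Policy rather than in a per-host script. The script name used in the usage note is also an assumption.

```powershell
<#
  Added example, not code from the HALOCK bulletin. Audits (or enforces) two
  controls on one Windows host: Office macro policy and SMBv1 removal.
  Assumes Office "16.0" policy branch and an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    # With -Audit the script only reports; without it, it applies the settings.
    [switch]$Audit
)

# --- 1. Office macro policy ---------------------------------------------------
# Office reads these per-user policy values (same ones the Trust Center GPO
# settings write). VBAWarnings 4 = "Disable all without notification";
# blockcontentexecutionfrominternet 1 = block macros in files carrying the
# Mark of the Web (email attachments and downloads).
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'
$macroSettings = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    foreach ($name in $macroSettings.Keys) {
        $want = $macroSettings[$name]
        $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($have -eq $want) {
            Write-Host "[OK]   $app $name = $have"
            continue
        }
        Write-Host "[FAIL] $app $name = $(if ($null -eq $have) { '<not set>' } else { $have }) (want $want)"
        if (-not $Audit) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
            Write-Host "       -> set $app $name = $want"
        }
    }
}

# --- 2. SMBv1 -------------------------------------------------------------------
# Two separate checks: the SMB server's runtime setting, and the optional
# Windows feature (which also covers the SMB1 client).
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State

if ($smb1Server) {
    Write-Host "[FAIL] SMB1 server protocol is enabled"
    if (-not $Audit) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "       -> SMB1 server protocol disabled"
    }
} else {
    Write-Host "[OK]   SMB1 server protocol is disabled"
}

if ($null -eq $smb1Feature) {
    Write-Host "[INFO] SMB1Protocol optional feature not present on this edition (Windows Server: check Get-WindowsFeature FS-SMB1)"
} elseif ($smb1Feature -eq 'Enabled') {
    Write-Host "[FAIL] SMB1Protocol Windows feature is installed"
    if (-not $Audit) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "       -> SMB1Protocol feature removed (reboot required)"
    }
} else {
    Write-Host "[OK]   SMB1Protocol Windows feature is $smb1Feature"
}
```

Run it first as `.\Harden-ContiVectors.ps1 -Audit` to see what would change, then again without the switch. Removing the SMB1Protocol feature only takes effect after a reboot, and on Windows Server the feature is removed with `Uninstall-WindowsFeature FS-SMB1` instead. `VBAWarnings = 4` also blocks digitally signed macros; where signed internal macros are required, use `3` (disable all except digitally signed) and keep the Mark-of-the-Web block in place.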


Ensure your incident response readiness in the event of an attack. Review your security and risk profile.



HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.