eSentire Warns Ukraine & its Western Allies of Conti’s Long History of Disrupting Critical Infrastructure. Could Conti Be the Perpetrator Who Attacked 3 Oil Storage & Transport Companies in January?
On February 25, one day after Russia’s full-scale invasion of Ukraine, the notorious Conti Ransomware Gang (formerly known as Ryuk) posted a warning on its data leak site declaring its support for Russia, stating that if anyone organized a cyberattack or any war activities against Russia, it would use “all possible resources to strike back at the critical infrastructures of an enemy.” Later that evening, Conti revised its message slightly, proclaiming that it condemned the ongoing war, yet would use its full capacity to retaliate if there were any attempts to target critical infrastructure in Russia or any Russian-speaking region of the world. On February 27, someone leaked 60,000 chat logs and financial data pertaining to Conti’s activities between January 29, 2021, and February 27, 2022. It is now suspected that a Ukrainian security researcher leaked the data. As a result, some security researchers reported on March 3 that some of Conti’s back-end infrastructure had been taken down by the Conti operators. This doesn’t come as a surprise to eSentire’s security research team, the Threat Response Unit (TRU), because many of the IP addresses for Conti’s servers were shared in the leaked chats. However, the Conti Gang is highly skilled: its members are seasoned ransomware operators with deep pockets, and several appear to maintain good relationships with representatives from the U.S. judicial system and the Russian government. See Images 1 and 2.
Image 1: Chat between Conti operator Mango describing his connections with the Russian community in Brooklyn, NY, including a major court judge and a lawyer.
Image 2: Chat between Conti Gang members Mango and Professor, discussing tracking those who are against the Russian Federation, and Mango asking if they are supporting Russia.
Even if the Conti operators dismantle portions of their infrastructure, or even go as far as to shut down their operation, TRU believes that they will simply reactivate their operation with new infrastructure and give their Ransomware-as-a-Service a new name. eSentire continues to warn Ukraine and its Western Allies that if Conti Gang members loyal to Russia want to seriously disrupt businesses and critical infrastructure organizations, they certainly possess the skills, the tools and the experience to do so. Conti has a long track record of seriously disrupting critical services, and the threat group continues to target critical infrastructure, in addition to other businesses key to the supply chain. Many security researchers believe Conti first came on the ransomware scene in 2018 under the name of Ryuk. However, sometime in 2020, the threat actors running Ryuk are believed to have either split into two groups, rebranded, or begun using the “Conti” name. It is also interesting to note that the Conti ransomware code is extremely similar to the Ryuk code base. In addition, the initial Conti ransom note to victims used the same template utilized by Ryuk in earlier attacks.
TRU reports that from November 27, 2021, to February 27, 2022, the Conti Gang claimed to have compromised 50+ new victims, two-thirds of which are organizations based in Europe and the U.K. The remaining victims are in the U.S., Canada, Australia and New Zealand. Most disturbing is a notification that Conti posted on its leak site on February 7, 2022, stating it had compromised the international terminal operator SEA-Invest. The Belgium-based company operates terminals in 24 seaports across Europe and Africa, handling liquid bulk (oil and gas), fruit & food, breakbulk, and dry bulk. SEA-Invest reported it had suffered a cyberattack against its IT networks on Sunday, January 30, and said that “all 24 of the seaports they run across Europe and Africa were affected by the attack,” according to the BBC. In TRU’s experience, a top ransomware gang has never claimed to have compromised a victim when it has not.
Coincidentally, during the same January 28 weekend, three other large international oil storage/transport companies reported being hit by a significant cyberattack which disrupted their IT systems. The three victims include the Germany-based sister companies Oiltanking Deutschland GmbH and Mabanaft Deutschland GmbH, and the Netherlands-based company Evos. News articles chronicling the attack said that Oiltanking’s 11 German terminals were operating at “limited capacity,” and that the attack had shut down Oiltanking’s loading and unloading process. The loading and unloading of oil is computerized, and it is not possible to shift back to manual controls. Oiltanking Deutschland GmbH supplies 26 companies in Germany with fuel, including 1,955 Shell gas stations. Reuters reported that Shell Deutschland GmbH had been able to “re-route to alternative supply depots” during the attack. However, Oiltanking Deutschland said it had declared “force majeure” because its German terminals were operating on a limited basis. The declaration of “force majeure” excuses a company from meeting contractual obligations in an extraordinary event that is beyond its control.
Mabanaft Deutschland GmbH is the leading independent importer and wholesaler of petroleum products in Germany. Press reports said it also declared “force majeure” because the majority of its inland supply activities in Germany were affected. Aral, the largest petrol station network in Germany with around 2,300 stations, said that during the incident it began “supplying its stations from alternative sources in light of the disturbance,” according to a spokesperson for its owner, British Petroleum PLC.
To add fuel to the fire, during the same January weekend the Netherlands-based Evos, which stores, handles and distributes oil and gas, was also hit by a cyberattack on its IT network, which it confirmed in early February. One news report stated that a spokesperson for Evos said the cyberattack on its IT systems affected IT services at terminals in Terneuzen, Ghent and Malta and had “caused some delays in execution.”
Rob McLeod, VP of eSentire’s Threat Response Unit (TRU) research team, wonders whether the cyberattacks that hit Oiltanking, Mabanaft and Evos were also ransomware attacks, and whether they were perhaps carried out by the Conti Ransomware Gang. “Conti claimed to have attacked SEA-Invest and during the same weekend, three other oil storage and transportation companies, in the same general region of Europe, get hit by a serious cyberattack,” said McLeod. “The timing is uncanny, and it is plausible that the Conti Ransomware Gang could be behind these latter attacks.” The reasons include:
Image 3: A graphic representation of a simplified kill chain and the specialists involved in a Ransomware-as-a-Service operation, such as Conti.
"As history shows, the Conti threat actors have no compunction about attacking critical infrastructure and seriously disrupting healthcare services, city and county residential programs, school systems, emergency services and oil and gas distribution. Companies and organizations must be prepared to combat these very serious ransomware threats, especially in light of the conflict raging between Russia and Ukraine," said Keplinger. "That requires approaching security as an arms race, in which technology of opposing interests are continually evolving in response to each other. Organizations need to monitor the threat landscape to see what threat actors are doing, assess gaps in their security as they pertain to the latest evasion techniques, and address those gaps through direct implementation – and all three of these processes must be ongoing. The eSentire TRU accomplishes this through the Threat Intelligence team and the Tactical Threat Response team."
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more about how we protect legal firms globally? Connect with an eSentire Security Specialist.