The Conti ransomware group is noted for its aggressive strategies and massive attacks on a variety of public and commercial entities. It has become one of the most infamous cybercrime collectives in the world. Conti has emphasized the significance of developing a comprehensive response plan to lessen the impact of what might be extremely destructive to the company’s assets.
Conti has attracted a lot of attention in 2022 for its extreme strategies. We will take a look back at how Conti came to be such a staple in the ransomware environment. Understanding this part is crucial for your organization’s understanding in particular as well as for providing a look back on ransomware attacks in general.
Join our weekly newsletter and get the latest cybersecurity updates delivered directly to your inbox
What is Conti Ransomware?
A ransomware-as-a-service (RaaS) subsidiary program is called Conti. Conti is a highly destructive ransomware because of the rapidity with which it encrypts data and spreads to other systems. It was first noticed in 2020 and is suspected to be led by the Wizard Spider cybercrime group based in Russia.
Over the past two years, Conti has been among the most aggressive ransomware operations, and it continues to target numerous large corporations as well as governmental, law enforcement, and healthcare organizations. Contrary to other ransomware groups that typically care about their notoriety, researchers warn that Conti doesn’t always keep its commitments to victims.
How does Conti Ransomware work?
Conti ransomware is using phishing attacks to install TrickBot and BazarLoader. They send emails claiming to be from a trusted source that contain a link that leads to a malicious document. When the victim downloads the malicious Google Drive document, a Bazaar backdoor Trojan is also downloaded, connecting the victim’s device to Conti’s command-and-control server. Conti spreads quickly using a multithreading mechanism, which makes it challenging to stop.
SMB (Server Message Block) is the transmission medium used by Conti ransomware. They are actually able to encrypt data on other systems in a network in this way. When Conti is present on a hacked system, it encrypts data before applying a two-step extortion scheme.
In recent years, double extortion ransomware has grown in popularity. Before encrypting the victim’s data, attackers exfiltrate large amounts of confidential information. If the attackers do not receive payment before the decryption process is complete, the data will be public.
In this scam, the victim is asked to pay a ransom and then forced to pay an extortion fee. As a final step, the malicious actor threatens to release more encrypted data if the ransom is not paid.
Conti ransomware operators will use a multitude of approaches to infiltrate a victim’s systems. The hackers would generally start by utilizing social engineering techniques, to get an employee to pass up credentials. They may also attempt to exploit vulnerable firewalls or target Remote Desktop Protocol (RDP) servers accessible over the internet.
It is common for attackers to attempt to gain access to domain admin accounts after gaining network access. The ransomware code can then be executed. Additionally, they will now attempt to log into any privileged accounts that could give them access to valuable information. Alternatively, lateral movement may be achieved by disabling security management software.
Conti ransomware attackers would often examine your network for servers, backups, endpoints, sensitive data, programs, and protective software to assist them in organizing an assault. They’ll construct a list of IP addresses using advanced port scanners. They’ll also compile a list of server names to hunt for indicators as to what they’re for. A domain controller, is more likely to be referred to as DC1.
Getting the Credentials
Credentials are commonly retrieved from memory by attackers using popular post-exploitation tools. To obtain the administrator’s credentials, they might even attempt to intentionally damage internal things.
Attackers try to install backdoors so they can spend more time installing tools and conducting cyber espionage. They can also send data to their Command and Control (C&C) servers and monitor network activity through backdoors, enabling them to diagnose how a victim is recovering from an attack.
The attackers will attempt to capture as much business-related information as possible prior to executing the ransomware code. Attackers typically employ data discovery methods to find sensitive data. An attacker, as you might assume, can exfiltrate data in a variety of ways. They have the option of saving the files on their own server, sending them through email, or uploading them to one or more private cloud storage containers.
They will begin the ransomware assault after extracting as much data as possible, deleting/encrypting any backups, and deactivating the essential security measures. In most cases, they will employ some form of remote code execution to disseminate the ransomware program when no administrators are present. To deploy the code to as many servers and endpoints as possible, batch scripts will be used to cycle over the list of recognized IP addresses. In other cases, they infect a logon script in a Group Policy Object (GPO), which executes the code every time the machine boots up and connects to the domain.
Monitoring the Activities
Attackers often install backdoors to monitor how the victim responds to the attack. They may also monitor correspondence to see how the victim plans to proceed with recovery. If the victim tries to recover their files to avoid paying the ransom, the attackers may launch a second attack to demonstrate their visibility and control over the victim’s network.
Recent Conti Ransomware Attacks
The Conti ransomware is one of the most potent ransomware groups on the market. It was responsible for various high-profile intrusions, including those of the governments of Costa Rica and Peru, numerous merchants, and essential infrastructure, such as the Irish healthcare system.
Conti attacks have been identified worldwide, with the United States accumulating over a million attack attempts between January 1 and November 12, 2021. The Netherlands came in second, while Taiwan came in third.
The retail business experienced the highest number of Conti attack attempts, followed by insurance, manufacturing, and telecommunications. Healthcare is sixth on the list, having been targeted by Conti operators in high-profile attacks this year.
Conti, the notorious ransomware group, went out with a bang earlier in May, shutting down critical infrastructure and beginning a significant reset of operations. The decommissioning comes just weeks after it launched an attack on Costa Rica’s government and sought a change of government in the Central American country.
- A Japanese electronic multinational company, JVCKenwood, became a recent victim of ransomware exploits by Conti Group. The threat actors claim to have stolen 1.7 TB of data and demand a $7 million ransom in return.
- The Conti Group demanded $20 million in ransom from Ireland’s health service, the HSE, but the organization says it will not comply. The country’s health care was disrupted and computers were encrypted as result.
- After Conti Group sided with Russia over the invasion of Ukraine, a Ukrainian security researcher released more than 60,000 internal messages from the gang operation online.
Is Conti Dangerous?
The syndicate has been extremely dangerous, having targeted the IT systems of numerous businesses worldwide. Conti’s efforts and achievements demonstrate that the ransom extortion paradigm has matured.
According to the FBI, the Conti ransomware version is “the costliest strain of ransomware ever documented.” It is estimated that more than 1,000 victims have been affected by Conti ransomware assaults, with total victim compensation exceeding $150 million as of January 2022. The FBI also accuses the Conti gang of being behind hundreds of ransomware assaults over the last two years.
How to protect yourself from Conti Ransomware?
Please Do Not Pay the Ransom
Paying the ransom does not ensure access to a working decryption key, nor does it guarantee that the perpetrators will not start another ransomware attack against you or expose your exfiltrated data.
Although the cybersecurity community firmly opposes ransom payments, confident leaders choose to do so. Targeted ransomware attacks often do extensive reconnaissance before starting their attack and may demand 5 to 15% of your annual income. Often, the attackers’ support staff (collections team) will recommend negotiating with the Conti ransomware group.
Data Storage and Recovery
Typically, ransomware hunt to encrypt files on network storage. We’ve seen some examples where the victim had non-isolated backups, allowing attackers to encrypt them. The backups were isolated/air-gapped in certain circumstances. Nonetheless, the digital key to unlock the backups was found in the ransomware-encrypted local file-sharing network. In one scenario, the backups and digital key were air-gapped from the targeted network; unfortunately, they have been located hundreds of kilometers away, complicating complete restoration.
What’s the Latest on Conti?
According to threat data provider AdvIntel, the Conti ransomware organization renames itself to several other ransomware groups.
According to Google, several former members of the Conti cybercrime gang are now part of a threat group known as UAC-0098 and are targeting Ukrainian and European non-governmental organizations (NGOs). UAC-0098 is an initial access broker that uses the IcedID banking Trojan to give ransomware groups access to infected systems on corporate networks.
After discovering a phishing attempt that injected the Conti-linked AnchorMail backdoor, the Threat Analysis Group (TAG), a dedicated team of security specialists that defends Google customers against state-sponsored attacks, began tracking this threat group in April.
Final Thoughts: Conti Ransomware Group
Conti ransomware is one of the most dangerous ransomware groups on the market. To protect yourself from such attacks, Threatcop is focused on keeping your people safe against changing cyber threats in today’s cybersecurity market, when firms are devoting all of their resources to defending their systems and IT infrastructure. Cybercriminals will go to any length to breach your firm by exploiting your employees. As the owner, you can guarantee that users, clients, and your organization are safe from Conti and other ransomware attacks by developing a strong defense and response strategy.
FAQs: Conti Ransomware Group
Generally, people have been following Conti for over a year as part of their work assisting companies in responding to ransomware threats. It looks to be one of several private cybercrime organizations that have established themselves by using the thriving ransomware-as-a-service (RaaS) ecosystem.
Upon declining to pay the ransom, Conti offered a free key to decrypt the data. The gang insisted on publishing stolen data on its leak site in order to carry out its “double extortion” threat.
Conti malware may acquire the ARP cache from the local system using the GetIpNetTable () API function and verify that the IP addresses it connects to are for non-internet systems. Conti ransomware has the ability to list ordinary network connections from an infected machine.
In 2020, a Russian gang is thought to have spread Conti ransomware. There is a vulnerability in all versions of Microsoft Windows. US authorities announced a $10 million reward for information about the gang early in May 2022.