The U.S. government has been tracking an increase in the pace of attacks tied to Conti ransomware, and is urging organizations to ensure they have robust defenses in place.
A joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency, FBI and National Security Agency warns that Conti has so far successfully hit more than 400 organizations based in the U.S. and abroad.
“In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment,” the advisory states.
To better secure against Conti attacks, the alert recommends a range of defenses, including “implementing the mitigation measures described in this advisory, which include requiring multi-factor authentication, implementing network segmentation and keeping operating systems and software up to date.”
The alert follows security experts in recent weeks warning that they’d seen an increase in attacks tracing to Conti, including the group targeting Veeam Backup & Replication software, to make it more difficult for victims to recover (see: Conti Ransomware Threat Rising as Group Gains Affiliates).
Conti is one of a number of Russian-speaking ransomware operations, believed to be operating from countries that were formerly part of the Soviet Union, that have continued to hit a number of targets in the U.S. and Europe, causing devastation.
Ransomware incident response firm Coveware reports that based on thousands of incidents it helped investigate from April to June, Conti was the second-most-prevalent ransomware it encountered, following Sodinokibi, aka REvil. Coveware said that while Sodinokibi accounted for 16.5% of all incidents with which it assisted, Conti accounted for 14.4%.
Attack Disrupts Healthcare in Ireland
Experts warn that no organizations are immune from being targeted. Notably, while many gangs claim to not hit organizations in the healthcare sector, or in any of the other so-called critical infrastructure sectors, in reality many attackers’ target selection does not appear to be finely calibrated. What many operators have done, in practice, is offer a “free” decryptor to some victims. But undoing the damage from such an attack is often still costly and time-consuming.
In May, for example, Conti hit Ireland’s national health service, crypto-locking systems used by its Health Service Executive and disrupting patient care across the country for months.
Attackers claimed to have stolen 700GB of patient data, including personal documents, phone numbers, contacts, and payroll and bank statements, and demanded a $20 million ransom in exchange for a decryptor and promise from the gang to not leak the stolen information.
Following a public outcry over a nation’s health service having been hit by ransomware-wielding attackers, Conti subsequently delivered a free decryptor to the Irish government. But the damage done by the group remained extensive. Notably, the government brought in the Army to help wipe and restore thousands of systems affected by the crypto-locking malware, and residents faced months of delays in procuring some types of care, retrieving lab results, and more. The government has estimated that the cost of the attack and cleanup efforts could reach $600 million.
In response, Ireland’s cybercrime police, the Garda National Cyber Crime Bureau, announced that it had conducted a “significant disruption operation” targeting what appeared to be Conti’s infrastructure.
But the new Conti alert from U.S. authorities suggests the attempted disruption has had minimal impact.
Like other ransomware-as-a-service operations, Conti relies on affiliates to infect victims. With some major ransomware operations having disappeared, rebranded or been on hiatus in recent months, experts say Conti appears to have been recruiting many of their affiliates, helping it to launch more attacks.
Traditionally, for every victim that an affiliate infects, who pays a ransom, the operator and affiliate share the profits. But at least some of Conti’s affiliates seem to work under a different arrangement. “While Conti is considered a ransomware-as-a-service model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model,” according to the U.S. government advisory. “It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.”
As with any business, however, internal disagreements sometimes become public. Recently, a disgruntled Conti affiliate leaked manuals and technical guides used to train affiliates, arguing that he’d been getting underpaid.
Initial Access Vectors
Different affiliates bring varying levels of skill to bear when attacking targets. For example, the advisory notes that Conti-wielding attackers have gained initial access to victims’ systems in a variety of ways, including:
- Sending phishing emails with malicious attachments or links;
- Sending emails with Microsoft Word documents that run malicious macros attachments to download malware such as TrickBot and IcedID, or penetration testing tools such as Cobalt Strike, to help attackers navigate through the victim’s network;
- Using stolen or brute-forced remote desktop protocol credentials;
- Using phone calls to socially engineer employees to install malicious software;
- Distributing Trojanized or fake software promoted via search engine optimization;
- Using malware distribution networks such as ZLoader;
- Targeting known vulnerabilities, such as 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities, the PrintNightmare vulnerability – CVE-2021-34527 – in the Windows print spooler service, and the Zerologon vulnerability – CVE-2020-1472 – in Microsoft Active Directory domain controller systems.
The goal of such efforts for attackers is to gain access to an organization’s network, move laterally, escalate their privileges and find a way to deploy ransomware onto as many endpoints as possible, oftentimes by first gaining admin-level access to Active Directory.
Conti Claims: ‘Our Reputation is Everything’
Conti is one of a number of ransomware-as-a-service operations that practice double extortion, which refers to attackers attempting to extort a victim into paying for a decryptor while promising to delete stolen data.
Authorities and security experts continue to urge victims to never pay a ransom. “CISA, FBI, and NSA strongly discourage paying a ransom to criminal actors,” the new Conti advisory states. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
To try and force victims to pay, Conti operates a dedicated data leak site where it can first post a victim’s name and then begin leaking data, to increase the pressure to pay for a decryptor or for stolen data to be deleted.
Ransomware attackers are big on promises, or anything else that smooths the way to a payday. As noted by the MalwareHunterTeam research group, a recent communication from Conti assures victims that if they pay, “there is no way we will dump you.”
Conti ransomware gang to some of their victims recently:
“NO THERE IS NO WAY WE WILL DUMP YOU AFTER YOU PAY. The chances that Hell will freeze are higher then us dumping our customers. We are the most elite group out there, and our reputation is everything for us.”
@VK_Intel— MalwareHunterTeam (@malwrhunterteam) September 4, 2021
Criminals Regularly Lie
Warning that such promises cannot necessarily be trusted, many experts recommend victims work with their cyber insurer, if they have one, or else a reputable incident response firm, to help navigate any situation in which they might be weighing whether or not to pay. In some cases, for example, an attacker’s claim to have stolen sensitive data – or any data at all – is a lie.
As shown by a ransom negotiations between Conti and one of its small business customers, again published by MalwareHunterTeam, Conti told a victim it had stolen data, but it was a lie designed to pressure the victim into paying.
Another factor when evaluating whether or not to pay: Some decryptors work better than others, and some types of ransomware have a reputation for shredding some files when attempting to encrypt them, thus making the forcibly encrypted files impossible to recover (see: Alert for Ransomware Attack Victims: Here’s How to Respond).