Conti Ransomware Continues to Cause Concern

Category

Awareness, News


Conti ransomware was the biggest ransomware strain in 2021, bringing in more than $180 million in ransom payments. Despite announcing they were shutting down operations as of May 2022, Conti isn’t going away any time soon and is continuing to cause damage to organizations of all sizes.

“So who is behind Conti ransomware?”

Conti is a Russia-backed ransomware group that has been around since 2018. Many researchers believe they were also responsible for the prolific Ryuk ransomware, due to similarities in Conti and Ryuk base code and ransom note templates. In the past four years, Conti has attacked organizations in a variety of industries, with more than 60% of victims located in North America. Some of Conti’s noteworthy victims include Jackson County, Georgia, the city of Riviera Beach, Florida, and Ireland’s National Healthcare System. Conti doesn’t just stop at ransomware - they are also known for using double extortion methods.

“Wait, what’s double extortion?”

It’s bad enough when you go to log into your computer and find that you can’t access your information, but Conti and other ransomware groups are now stealing your data as well. Many ransomware groups will exfiltrate data before encrypting your IT network, threatening to sell it on the dark web so they can continue to extort money from you even after the initial ransom is paid.

“What are they up to now?”

Conti recently drew a lot of attention for publicly supporting Russia in the ongoing war with Ukraine. Following their announcement, they became victims themselves, as hundreds of their internal chat conversations and their ransomware source code were leaked. Then Conti attacked the new government of Costa Rica, causing the country to declare a state of emergency and drawing the public eye while Conti quietly shut down their infrastructure in the background. As of May 2022, Conti has officially shut down their operations - but that doesn’t mean they’re going away.

“If they shut down their operations, why are they still a threat?”

Conti follows a Ransomware-as-a-Service (RaaS) business model. Like DarkSide (responsible for attacking Colonial Pipeline, causing a fuel shortage in parts of the United States) and REvil/Sodinokibi (behind one of the largest ransom demands on record - $10 million), Conti is made up of a group of individuals who advertise their services on the dark web. These RaaS groups develop ransomware and then sell their services, offering everything from forums and 24/7 support to user reviews, like any other product or service. A highly skilled individual can develop a ransomware variant and then sell it, along with support, to anyone on the dark web, allowing unskilled hackers to conduct ransomware operations.

RaaS models also make it difficult to impose sanctions on these ransomware groups, since the individuals behind these groups can change and be difficult to identify. In further efforts to avoid sanctions and continue receiving ransom payments, many ransomware variants now only last a few months before shutting down and switching to something new. Conti affiliates, despite shutting down Conti’s infrastructure and operations, will simply switch to supporting other ransomware groups to continue their destructive and lucrative business.

“Ok, so how can I protect my organization from ransomware?”

The good news is you can protect against ransomware the same way you protect against any other malware. You may remember from another ACT post that ransomware typically gets on your network through phishing, exploitation of Remote Desktop Protocol (RDP), or exploitation of known software vulnerabilities. Ensuring you install updates as quickly as possible, disable RDP in favor of other remote access methods, and conduct user training for phishing are all ways you can protect your IT network.

In the event that you do experience a cyber attack involving ransomware, having frequent backups and network segmentation in place can also help to limit risk. You may also be required to report these attacks to the government if you support Department of Defense contracts or Critical Infrastructure.
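One of the mitigations above, disabling RDP, is easy to check for on a Windows host. The following script is an added example, not part of the original post or of any Hive Systems tooling: it reads the standard Terminal Server registry values and the built-in "Remote Desktop" firewall rule group to report whether inbound RDP is reachable and whether Network Level Authentication (NLA) is required, and it provides a helper to turn RDP off. The function names `Get-RdpExposure` and `Disable-Rdp` are assumptions chosen for this example; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit and optionally disable inbound
# Remote Desktop on a Windows host. Assumes the standard Terminal Server registry
# keys and the built-in "Remote Desktop" firewall rule group. Run elevated.

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means the host refuses RDP connections.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means Network Level Authentication is required
    # (credentials are checked before a session is created).
    $nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Any enabled inbound rule in the "Remote Desktop" group opens TCP 3389.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    [pscustomobject]@{
        RdpEnabled       = ($deny -ne 1)
        NlaRequired      = ($nla -eq 1)
        InboundRulesOpen = @($openRules).Count
    }
}

function Disable-Rdp {
    # Refuse RDP connections at the service and close the inbound firewall rules.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# Usage: report the current state and flag an exposed host.
$state = Get-RdpExposure
$state | Format-List

if ($state.RdpEnabled) {
    Write-Warning 'RDP is enabled on this host. Use Disable-Rdp unless remote access goes through a VPN or gateway instead.'
}
elseif (-not $state.NlaRequired) {
    Write-Warning 'RDP is disabled but NLA is not enforced; set UserAuthentication to 1 in case RDP is re-enabled.'
}
```

Where RDP genuinely has to stay on for a host, the minimum hardening that this check reports on is requiring NLA (`UserAuthentication` set to 1 under the `RDP-Tcp` key) and restricting the firewall rules to the management network rather than leaving them open to every source. Running the audit function across a fleet (for example via remote PowerShell) gives a quick inventory of which machines still expose the service the post warns about.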

Unsure if your organization is prepared for keeping Conti out? Hive Systems recommends our Vulnerability Assessments, to help you identify where you may be at risk, and close the door on ransomware.
