Conti (ransomware)

Conti
Formation: December 2019
Type: Malware, Ransomware as a Service (RaaS)

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December 2019.[1][2] It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

The Conti malware, once deployed on a victim device, not only encrypts data on the device, but also spreads to other devices on the network, obfuscates its presence, and provides a remote attacker control over its actions on the objective.[1] All versions of Microsoft Windows are known to be affected.[3] The United States government offered a reward of up to $10 million for information on the group in early May 2022.[4]

Description

RaaS model

According to a leaked playbook, core team-members of a Conti operation manage the malware itself, while recruited affiliates are tasked with exploitation of victim networks and encryption of their devices.[5][6]

Conti's ransomware-as-a-service model differs in structure from a typical affiliate model. Unlike other RaaS models, groups using the Conti model likely pay deployers of the malware in wages rather than in a percentage of the ransom (once paid).[7] Conti operators have also been known to use double extortion as a means to pressure victims into paying, including publishing the victim's stolen data. In cases where a victim organization refuses to pay, Conti has sold access to the organization to other threat actors.[8]

Tactics and Techniques

Conti ransomware employs various stealth techniques, including the use of BazarLoader, to infiltrate its target systems. The ransomware is designed to encrypt files and render them inaccessible until a ransom is paid. It is often delivered through phishing emails, exploit kits, or compromised websites.[1] Conti has gained notoriety for targeting healthcare institutions, as seen in its attacks on organizations in Ireland and New Zealand.[9]

The Conti group has also been known to sell access to victim organizations that have refused to pay the ransom. This practice not only adds another layer of pressure on victims but also provides an additional source of revenue for the ransomware gang. These tactics, combined with the group's sophisticated techniques, have made Conti one of the most prolific and capable ransomware groups operating in 2021.[9]

The software uses its own implementation of AES-256 running on up to 32 individual logical threads, making it much faster than most ransomware.[3] The method of delivery is not clear.[3]

The gang behind Conti has operated a site from which it can leak documents copied by the ransomware since 2020.[10] The same gang has operated the Ryuk ransomware.[10] The group is known as Wizard Spider and is based in Saint Petersburg, Russia.[11]

Once on a system it will try to delete Volume Shadow Copies.[3] It will try to terminate a number of services using Restart Manager to ensure it can encrypt files held open by them.[3] It will disable real-time monitoring and uninstall the Windows Defender application. Default behaviour is to encrypt all files on local and networked Server Message Block drives, ignoring files with .dll, .exe, .sys and .lnk extensions.[3] It is also able to target specific drives as well as individual IP addresses.[3][12]
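The two host-side behaviours described above (shadow copy deletion and disabling Defender's real-time monitoring) are what a defender would look for in process-creation telemetry before any file is encrypted. The following is an added example, not code from the article or from any vendor; the events are constructed, and the specific utilities matched (vssadmin, wmic, Set-MpPreference) are assumed as common ways those actions are performed on Windows rather than taken from the article.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# These are sample lines written for this example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "ws02", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "cmdline": "vssadmin list shadows"},          # benign: listing, not deleting
    {"host": "ws03", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Command-line patterns for the behaviours described in the article. The utilities
# named here are assumptions about how those actions commonly appear in telemetry.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I),
}

def match_rules(cmdline):
    """Return the names of all rules whose pattern appears in one command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def detect(events):
    """Map host -> sorted list of rule names triggered by that host's events."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def severity(rule_names):
    """One behaviour alone is suspicious; both on the same host match the
    pre-encryption pattern (recovery inhibited plus defences disabled)."""
    if len(rule_names) >= 2:
        return "high"
    return "medium" if rule_names else "none"

def triage(events):
    """Return {host: severity} for every host that triggered at least one rule."""
    return {host: severity(names) for host, names in detect(events).items()}

if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {names} -> {severity(names)}")
```

Correlating the two categories per host, rather than alerting on each command in isolation, is what separates a routine administrative action from the sequence the article describes.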

According to NHS Digital the only guaranteed way to recover is to restore all affected files from their most recent backup.[3]

Membership and structure

The most senior member is known by the aliases Stern or Demon and acts as CEO.[13] Another member known as Mango acts as a general manager and frequently communicates with Stern.[13] Mango told Stern in one message that there were 62 people in the main team.[13] The numbers involved fluctuate, reaching as high as 100.[13] Because of constant turnover in members, the group recruits constantly from legitimate job recruitment sites and hacker sites.[13]

Ordinary programmers earn around $1500 to $2000 per month, and members negotiating ransom payments can take a share of the profits.[13] In April 2021 one member claimed to have an arrangement with an unnamed journalist who took a 5% share of ransomware payments for pressuring victims to pay up.[13]

In May 2022, the United States government offered a reward of up to $15 million for information on the group: $10 million for the identity or location of its leaders, and $5 million for information leading to the arrest of anyone conspiring with it.[14]

Affected Industries and Countries

Conti ransomware attacks have been detected across the globe, with the United States experiencing the highest number of attack attempts from January 1 to November 12, 2021, surpassing one million attempts. The Netherlands and Taiwan were ranked second and third, respectively.[9]

The retail industry has been the primary target of Conti attacks, followed by insurance, manufacturing, and telecommunications sectors. Healthcare, which was targeted in high-profile attacks by the Conti group, ranks sixth on the list of affected industries.[9]

History

Origin

Conti is often considered the successor to Ryuk ransomware.[9]

Leaks

During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country.[15][16][13] As a result, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine,[17][18][19] along with source code and other files used by the group.[20][13][21]

The leaks cover the period from the start of 2020 to 27 February 2022 and consist of more than 60,000 chat messages.[13] Most leaked messages were direct messages sent via Jabber.[13] Attacks were coordinated using Rocket.Chat.[13] The leaks are fragmented.[13]

Some of the messages discuss the actions of Cozy Bear in hacking COVID-19 researchers.[22] Kimberly Goody, director of cybercrime analysis at Mandiant, says that the logs contain references to an unnamed external source that could be helpful to the gang.[22] She points to mention in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government.[22]

Views expressed in the leaks include support for Vladimir Putin, Vladimir Zhirinovsky and antisemitism, including towards Volodymyr Zelenskyy.[23] A member known as Patrick repeated several false claims made by Putin about Ukraine.[23] Patrick lives in Australia and may be a Russian citizen.[23]

Some messages show an obsession with Brian Krebs.[23]

The messages make heavy use of mat (Russian profanity).[23] Messages containing homophobia, misogyny and references to child abuse were also found.[23]

Dissolution

In the weeks following the leak, the group dissolved.[24] A report from Recorded Future said that it did not think the leak was a direct cause of the dissolution, but that it had accelerated already existing tensions within the group.[24]

References

  1. "Conti, Software S0575 | MITRE ATT&CK®". attack.mitre.org. Retrieved 31 May 2024.
  2. CrowdStrike Intel Team (16 October 2020). "Wizard Spider Modifies and Expands Toolset [Adversary Update]". crowdstrike.com. Retrieved 31 May 2024.
  3. "Conti Ransomware". NHS Digital. 9 July 2020. Retrieved 14 May 2021.
  4. "Conti Ransomware | CISA". www.cisa.gov. 9 March 2022. Retrieved 31 May 2024.
  5. "Angry Conti ransomware affiliate leaks gang's attack playbook". BleepingComputer. Retrieved 31 May 2024.
  6. "Translated: Talos' insights from the recently leaked Conti ransomware playbook". Cisco Talos Blog. 2 September 2021. Retrieved 31 May 2024.
  7. "Conti Ransomware | CISA". www.cisa.gov. 9 March 2022. Retrieved 9 July 2023.
  8. "Ransomware Spotlight: Conti - Security News". www.trendmicro.com. Retrieved 31 May 2024.
  9. "Ransomware Spotlight: Conti - Security News". www.trendmicro.com. Retrieved 9 July 2023.
  10. Cimpanu, Catalin (25 August 2020). "Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites". ZDNet. Retrieved 15 May 2021.
  11. Corfield, Gareth (14 May 2021). "Hospitals cancel outpatient appointments as Irish health service struck by ransomware". The Register. Retrieved 15 May 2021.
  12. Cimpanu, Catalin (9 July 2020). "Conti ransomware uses 32 simultaneous CPU threads for blazing-fast encryption". ZDNet. Retrieved 14 May 2021.
  13. Burgess, Matt (16 March 2022). "The Workaday Life of the World's Most Dangerous Ransomware Gang". Wired UK. Retrieved 21 March 2022.
  14. Beech, Eric (7 May 2022). "U.S. offers $15 million reward for information on Conti ransomware group". Reuters.
  15. Reichert, Corinne (25 February 2022). "Conti Ransomware Group Warns Retaliation if West Launches Cyberattack on Russia". CNET. Retrieved 2 March 2022.
  16. Bing, Christopher (25 February 2022). "Russia-based ransomware group Conti issues warning to Kremlin foes". Reuters. Retrieved 2 March 2022.
  17. Corfield, Gareth (28 February 2022). "60,000 Conti ransomware gang messages leaked". The Register. Retrieved 2 March 2022.
  18. Humphries, Matthew (28 February 2022). "Backing Russia Backfires as Conti Ransomware Gang Internal Chats Leak". PCMag. Retrieved 2 March 2022.
  19. Faife, Corin (28 February 2022). "A ransomware group paid the price for backing Russia". The Verge. Retrieved 2 March 2022.
  20. "The Conti ransomware leaks". Malwarebytes. 1 March 2022. Retrieved 2 March 2022.
  21. "'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang". CNN. 2022.
  22. Burgess, Matt (18 March 2022). "Leaked Ransomware Docs Show Conti Helping Putin From the Shadows". Wired UK. Retrieved 21 March 2022.
  23. Lee, Micah (14 March 2022). "Leaked Chats Show Russian Ransomware Gang Discussing Putin's Invasion of Ukraine". The Intercept. Retrieved 21 March 2022.
  24. Hardcastle, Jessica Lyons (24 February 2023). "Ukraine invasion blew up Russian cybercrime alliances". The Register. Retrieved 25 February 2023.
  25. "Waikato hospitals hit by cyber security incident". Radio New Zealand. 18 May 2021. Retrieved 18 May 2021.
  26. "Shutterfly services disrupted by Conti ransomware attack". BleepingComputer. 27 December 2021. Retrieved 27 December 2021.
  27. "KP Snacks giant hit by Conti ransomware". BleepingComputer. 22 January 2022. Retrieved 22 January 2022.
  28. Stupp, Catherine (12 January 2022). "Inside a Ransomware Hit at Nordic Choice Hotels". Wall Street Journal. ISSN 0099-9660. Retrieved 15 July 2022.