Conti (ransomware)

Formation: 2020
Type: Hacking

Conti is a ransomware family, and the hacking group behind it, observed since 2020 and believed to be distributed by a Russia-based group. [1] [2] It operates as ransomware-as-a-service (RaaS), enabling other cybercriminals to deploy the malware for their own purposes. Conti is particularly known for its use of double extortion, where it not only encrypts victims' files but also steals sensitive data and threatens to publish it if the ransom is not paid.

All versions of Microsoft Windows are known to be affected. [1] The United States government offered a reward of up to $10 million for information on the group in early May 2022.

Description

RaaS model

Conti's ransomware-as-a-service (RaaS) model varies in structure from a typical affiliate model. Conti's developers probably pay the deployers of the ransomware a wage rather than the percentage of proceeds used by affiliate cyber actors, and the developers receive a share of the proceeds from a successful attack. [3]

Tactics and Techniques

Conti ransomware employs various stealthy techniques, including the use of BazarLoader, to infiltrate its target systems. The ransomware is designed to encrypt files and render them inaccessible until a ransom is paid. It is often delivered through phishing emails, exploit kits, or compromised websites. Conti has gained notoriety for targeting healthcare institutions, as seen in its attacks on organizations in Ireland and New Zealand. [4]

The Conti group has also been known to sell access to victim organizations that have refused to pay the ransom. This practice not only adds another layer of pressure on victims but also provides an additional source of revenue for the ransomware gang. These tactics, combined with the group's sophisticated techniques, have made Conti one of the most prolific and capable ransomware groups operating in 2021. [4]

The software uses its own implementation of AES-256 that uses up to 32 individual logical threads, making it much faster than most ransomware. [1] The method of delivery is not clear. [1]

The gang behind Conti has operated a site from which it can leak documents copied by the ransomware since 2020. [5] The same gang has operated the Ryuk ransomware. [5] The group is known as Wizard Spider and is based in Saint Petersburg, Russia. [6]

Once on a system, it will try to delete Volume Shadow Copies. [1] It will try to terminate a number of services using Restart Manager to ensure it can encrypt files held open by them. [1] It will disable real-time monitoring and uninstall the Windows Defender application. Its default behaviour is to encrypt all files on local and networked Server Message Block drives, ignoring files with .dll, .exe, .sys and .lnk extensions. [1] It is also able to target specific drives as well as individual IP addresses. [1] [2]
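The behaviours in this paragraph, shadow-copy deletion and Defender tampering ahead of encryption, are the usual hunting points for Conti-style activity in process-creation telemetry. The following is an added example, not code from the article or from any vendor product: a small Python detector that runs command-line rules over constructed process-creation events and escalates hosts where more than one of these behaviours fires. The event field layout, the sample events and the Windows Server Defender-uninstall command form are assumptions; the vssadmin and Set-MpPreference command forms are the documented Windows tools for those two actions.

```python
"""Detection logic for the pre-encryption behaviours described above.

Added example, not code from the article or from any vendor product. The
event layout and every sample event below are constructed for illustration
(a hypothetical Sysmon Event ID 1 / Security 4688-style record); the
Server-side Defender uninstall command form is an assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str          # full path of the launched executable
    command_line: str   # command line as logged by the sensor


# (rule name, ATT&CK technique, pattern over the command line).
# Lookaheads make argument order irrelevant; re.I covers casing variants.
RULES = [
    # Shadow-copy deletion: the recovery-inhibition step the article describes.
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b(?=.*\bdelete\b)(?=.*\bshadows\b)", re.I)),
    # Defender real-time monitoring switched off through the documented cmdlet.
    ("defender_realtime_disabled", "T1562.001",
     re.compile(r"\bSet-MpPreference\b(?=.*\bDisableRealtimeMonitoring\s+(\$true|1)\b)", re.I)),
    # Defender removed as a Windows Server feature (assumed command form).
    ("defender_uninstalled", "T1562.001",
     re.compile(r"\bUninstall-WindowsFeature\b(?=.*\bWindows-Defender\b)", re.I)),
]


def evaluate(event: ProcessEvent) -> list[tuple[str, str]]:
    """Return every (rule name, technique) pair the event's command line triggers."""
    return [(name, tech) for name, tech, pat in RULES if pat.search(event.command_line)]


def scan(events) -> list[dict]:
    """Turn matching events into alert records, one per (event, rule), in input order."""
    alerts = []
    for ev in events:
        for name, tech in evaluate(ev):
            alerts.append({"timestamp": ev.timestamp, "host": ev.host, "user": ev.user,
                           "image": ev.image, "rule": name, "technique": tech})
    return alerts


def correlate(alerts, min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts on which at least `min_rules` distinct rules fired.

    A lone shadow-copy deletion can be legitimate maintenance; the same host
    also tampering with Defender in the same log window is what warrants
    escalation.
    """
    by_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}


# Constructed sample events: two tampering steps on FILESRV01, a benign
# `vssadmin list` on a workstation, and a single Defender removal on APPSRV02.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("2021-05-14T03:12:07Z", "FILESRV01", r"CORP\svc_backup",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("2021-05-14T03:12:09Z", "FILESRV01", r"CORP\svc_backup", PS,
                 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent("2021-05-14T03:15:00Z", "WKS-042", r"CORP\jdoe",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe List Shadows"),
    ProcessEvent("2021-05-14T03:16:30Z", "APPSRV02", r"CORP\admin", PS,
                 "powershell.exe Uninstall-WindowsFeature -Name Windows-Defender"),
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["timestamp"]} {a["host"]:<10} {a["technique"]:<10} {a["rule"]}')
    print("escalate:", correlate(found))
```

Run stand-alone, the script reports three alerts and escalates only FILESRV01, where both behaviours occurred two seconds apart. Command-line matching of this kind misses encoded or obfuscated PowerShell and shadow-copy deletion done through WMI or the COM API rather than vssadmin, and it will fire on genuine backup maintenance; treat it as a triage signal, and pair it with the backup verification the article's next paragraph points to, since a tested restore is the only guaranteed recovery path.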

According to NHS Digital the only guaranteed way to recover is to restore all affected files from their most recent backup. [1]

Membership and structure

The most senior member is known by the aliases Stern or Demon and acts as CEO. [7] Another member known as Mango acts as a general manager and frequently communicates with Stern. [7] Mango told Stern in one message that there were 62 people in the main team. [7] The numbers involved fluctuate, reaching as high as 100. [7] Because of constant turnover in members, the group recruits constantly from legitimate job recruitment sites and hacker sites. [7]

Ordinary programmers earn around $1500 to $2000 per month, and members negotiating ransom payments can take a share of the profits. [7] In April 2021 one member claimed to have an unnamed journalist who took a 5% share of ransomware payments by pressuring victims to pay up. [7]

In May 2022, the United States government offered a reward of up to $15 million for information on the group: $10 million for the identity or location of its leaders, and $5 million for information leading to the arrest of anyone conspiring with it. [8]

Affected Industries and Countries

Conti ransomware attacks have been detected across the globe, with the United States experiencing the highest number of attack attempts from January 1 to November 12, 2021, surpassing one million attempts. The Netherlands and Taiwan were ranked second and third, respectively. [4]

The retail industry has been the primary target of Conti attacks, followed by insurance, manufacturing, and telecommunications sectors. Healthcare, which was targeted in high-profile attacks by the Conti group, ranks sixth on the list of affected industries. [4]

History

Origin

Conti is often considered the successor to the Ryuk ransomware. [4]

Leaks

During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country. [9] [10] [7] As a result, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine [11] [12] [13] along with source code and other files used by the group. [14] [7] [15]

The leaks cover the period from the start of 2020 to 27 February 2022, and consist of more than 60,000 chat messages. [7] Most leaked messages were direct messages sent via Jabber. [7] Attacks were coordinated using Rocket.chat. [7] The leaks are fragmented. [7]

Some of the messages discuss the actions of Cozy Bear in hacking COVID-19 researchers. [16] Kimberly Goody, director of cybercrime analysis at Mandiant, says that the logs contain references to an unnamed external source that could be helpful to the gang. [16] She points to a mention in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government. [16]

Views expressed in the leaks include support for Vladimir Putin and Vladimir Zhirinovsky, and antisemitism, including towards Volodymyr Zelenskyy. [17] A member known as Patrick repeated several false claims made by Putin about Ukraine. [17] Patrick lives in Australia and may be a Russian citizen. [17]

Some messages show an obsession with Brian Krebs. [17]

The messages make heavy use of mat (Russian obscene slang). [17] Messages containing homophobia, misogyny and references to child abuse were also found. [17]

Dissolution

In the weeks following the leak, the group dissolved. [18] A report from Recorded Future said that it did not think the leak was a direct cause of the dissolution, but that it had accelerated already existing tensions within the group. [18]

References

  1. "Conti Ransomware". NHS Digital. 9 July 2020. Retrieved 14 May 2021.
  2. Cimpanu, Catalin (9 July 2020). "Conti ransomware uses 32 simultaneous CPU threads for blazing-fast encryption". ZDNet. Retrieved 14 May 2021.
  3. "Conti Ransomware | CISA". www.cisa.gov. 9 March 2022. Retrieved 9 July 2023.
  4. "Ransomware Spotlight: Conti - Security News". www.trendmicro.com. Retrieved 9 July 2023.
  5. Cimpanu, Catalin (25 August 2020). "Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites". ZDNet. Retrieved 15 May 2021.
  6. Corfield, Gareth (14 May 2021). "Hospitals cancel outpatient appointments as Irish health service struck by ransomware". The Register. Retrieved 15 May 2021.
  7. Burgess, Matt (16 March 2022). "The Workaday Life of the World's Most Dangerous Ransomware Gang". Wired UK. Retrieved 21 March 2022.
  8. Beech, Eric (7 May 2022). "U.S. offers $15 million reward for information on Conti ransomware group". Reuters.
  9. Reichert, Corinne (25 February 2022). "Conti Ransomware Group Warns Retaliation if West Launches Cyberattack on Russia". CNET. Retrieved 2 March 2022.
  10. Bing, Christopher (25 February 2022). "Russia-based ransomware group Conti issues warning to Kremlin foes". Reuters. Retrieved 2 March 2022.
  11. Corfield, Gareth (28 February 2022). "60,000 Conti ransomware gang messages leaked". The Register. Retrieved 2 March 2022.
  12. Humphries, Matthew (28 February 2022). "Backing Russia Backfires as Conti Ransomware Gang Internal Chats Leak". PCMag. Retrieved 2 March 2022.
  13. Faife, Corin (28 February 2022). "A ransomware group paid the price for backing Russia". The Verge. Retrieved 2 March 2022.
  14. "The Conti ransomware leaks". Malwarebytes. 1 March 2022. Retrieved 2 March 2022.
  15. "'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang". CNN. 2022.
  16. Burgess, Matt (18 March 2022). "Leaked Ransomware Docs Show Conti Helping Putin From the Shadows". Wired UK. Retrieved 21 March 2022.
  17. Lee, Micah (14 March 2022). "Leaked Chats Show Russian Ransomware Gang Discussing Putin's Invasion of Ukraine". The Intercept. Retrieved 21 March 2022.
  18. Hardcastle, Jessica Lyons (24 February 2023). "Ukraine invasion blew up Russian cybercrime alliances". The Register. Retrieved 25 February 2023.
  19. "Waikato hospitals hit by cyber security incident". Radio New Zealand. 18 May 2021. Retrieved 18 May 2021.
  20. "Shutterfly services disrupted by Conti ransomware attack". Bleeping Computer. 27 December 2021. Retrieved 27 December 2021.
  21. "KP Snacks giant hit by Conti ransomware". Bleeping Computer. 22 January 2022. Retrieved 22 January 2022.
  22. Stupp, Catherine (12 January 2022). "Inside a Ransomware Hit at Nordic Choice Hotels". Wall Street Journal. ISSN 0099-9660. Retrieved 15 July 2022.