What is CONTI Ransomware and what do you need to know about it
Author: Samridh Ashish
Executive Summary
Conti is one of the most relentless ransomware families in existence. As of 28 February 2022, US and international organisations had seen more than 1,000 Conti attacks since its launch. In a typical Conti attack, the threat actors steal files, encrypt servers and workstations with AES-256, and demand a ransom payment in cryptocurrency.
Rise of CONTI ransomware
Conti is believed to be one of the most dangerous active ransomware families. Threat actors use Conti to steal sensitive files and information from compromised networks and threaten to publish the data unless the ransom is paid. Linked to Wizard Spider, Conti is considered the successor of the notorious Ryuk ransomware, with operators spread across Russia, Ukraine and Belarus.
Conti operates on a Ransomware-as-a-Service (RaaS) model, and its first infection was discovered in December 2019. It has been connected to numerous ransomware incidents, raking in payments totalling more than 100 Bitcoin (approx. USD 50 million).
Major incidents related to CONTI
In May 2021, Ireland’s Health Service was forced to shut down its IT systems after a ransomware attack.
In May 2021, the City of Tulsa, Oklahoma, suffered a ransomware attack that forced it to shut down its systems to stop the malware spreading.
In September 2021, JVCKenwood suffered a ransomware attack in which an estimated 1.7 TB of data was reportedly stolen.
In February 2022, the ransomware group announced its full support for the Russian government and its determination to retaliate against cyberattacks launched against Russian citizens and infrastructure.
Some common tools threat actors use to deliver Conti:
1. TrickBot
2. Buer
3. IcedID
Analysis
Conti uses many independent threads to perform encryption (up to 32 simultaneous encryption threads), making it the fastest-encrypting malware among ransomware families. This speed shortens the window defenders have to react, and Conti can linger in a network for weeks without notice before encryption begins. It uses the Windows Restart Manager to disable security, backup, database and email services in preparation for encryption. This ransomware family can encrypt local hard drives, network shares, and even files on specific IP addresses.
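The two behaviours described above, service shutdown before encryption and a very high file-write rate from one multithreaded process, are what a defender can look for in endpoint telemetry. The script below is an added example, not code from the original article or from any vendor tool: it runs a simple detector over constructed Sysmon-style log lines. The pipe-separated log format, the service names chosen to stand in for the security, backup, database and email categories, the ".locked" suffix and the rate thresholds are all assumptions made up for this illustration.

```python
"""Added example (not part of the original article): a detector for
protected-service stops followed by a burst of file writes from one process,
run over constructed Sysmon-style log lines.

Assumptions NOT taken from the article: the log format
(timestamp|event|image|pid|details), the concrete service names, the
'.locked' suffix and the thresholds are all constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services in the categories the article says Conti stops before encrypting.
# The concrete names are assumptions chosen for the sample data.
PROTECTED_SERVICES = {
    "windefend": "security", "sense": "security",
    "vss": "backup", "veeamrpcservice": "backup",
    "mssqlserver": "database", "mysql": "database",
    "msexchangeis": "email",
}

# Matches "net stop <svc>" and "sc stop <svc>" in a command line.
SERVICE_STOP_RE = re.compile(r'\b(?:net|sc)\s+stop\s+"?([\w$.-]+)"?', re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, kind, image, pid, details = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "image": image, "pid": int(pid), "details": details}


def find_service_stops(events):
    """Return (pid, service, category) for every stop of a protected service."""
    hits = []
    for ev in events:
        if ev["kind"] != "ProcessCreate":
            continue
        match = SERVICE_STOP_RE.search(ev["details"])
        if match and match.group(1).lower() in PROTECTED_SERVICES:
            svc = match.group(1).lower()
            hits.append((ev["pid"], svc, PROTECTED_SERVICES[svc]))
    return hits


def find_write_bursts(events, threshold=50, window_seconds=10):
    """Return (pid, peak_count) for processes whose FileCreate events reach
    `threshold` within any sliding window of `window_seconds`. Many encryption
    threads of one process show up as a burst under a single pid."""
    per_pid = defaultdict(list)
    for ev in events:
        if ev["kind"] == "FileCreate":
            per_pid[ev["pid"]].append(ev["ts"])
    window = timedelta(seconds=window_seconds)
    bursts = []
    for pid, stamps in per_pid.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((pid, peak))
    return bursts


def assess(log_text):
    """Combine both signals into a verdict for a block of log text."""
    events = [parse_line(line) for line in log_text.strip().splitlines() if line.strip()]
    stops = find_service_stops(events)
    bursts = find_write_bursts(events)
    if stops and bursts:
        verdict = "ransomware-like"
    elif stops or bursts:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"service_stops": stops, "bursts": bursts,
            "categories": sorted({cat for _, _, cat in stops}), "verdict": verdict}


def build_sample_log():
    """Constructed sample: three service stops, then 64 file writes from one
    pid within 8 seconds, plus a few ordinary writes spread over minutes."""
    base = datetime(2022, 2, 28, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [
        f"{stamp(0)}|ProcessCreate|cmd.exe|4120|net stop vss /y",
        f"{stamp(1)}|ProcessCreate|cmd.exe|4120|net stop MSSQLSERVER /y",
        f"{stamp(2)}|ProcessCreate|cmd.exe|4120|sc stop WinDefend",
        f"{stamp(3)}|ProcessCreate|svchost.exe|800|sc query wuauserv",  # benign
    ]
    lines += [f"{stamp(5 + i / 8)}|FileCreate|unknown.exe|5321|C:\\Share\\doc{i}.docx.locked"
              for i in range(64)]
    lines += [f"{stamp(30 * i)}|FileCreate|explorer.exe|1200|C:\\Users\\alice\\note{i}.txt"
              for i in range(5)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(assess(build_sample_log()))
```

The verdict logic deliberately requires both signals before reporting "ransomware-like": a lone `net stop` is routine administration, and a lone write burst can be a backup job or a large copy, but the two together within minutes match the preparation-then-encryption sequence described above. On real telemetry the thresholds and the service list would be tuned to the environment.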
Tactics, techniques and procedures based on the MITRE ATT&CK® and Cyber Kill Chain® frameworks:
MITIGATIONS
1. Use multi-factor authentication
2. Implement network segmentation and traffic filtering
3. Regularly scan for vulnerabilities
4. Keep software and firmware updated
5. Remove unnecessary applications
6. Deploy endpoint detection and response (EDR) tools
7. Regularly audit logs and administrative user accounts
CONCLUSION
Conti exhibits rapid development within the current ransomware landscape. It launches attacks in a new way, using advanced encryption and targeting high-value systems in the victim network. Despite the recent data leaks, the ransomware gang shows no sign of slowing down. To stop them in their tracks, their operations must be made unprofitable.