Conti Ransomware: In-Depth Analysis, Detection, Mitigation
What Is Conti Ransomware?
Conti has proven to be an agile and adept malware threat, capable of both autonomous and guided operation and unparalleled encryption speed. As of June 2021, Conti’s unique feature set has helped its affiliates extort several million dollars from over 400 organizations.
Conti is developed and maintained by the TrickBot gang, and it is mainly operated through a RaaS affiliation model. The Conti ransomware is derived from the codebase of Ryuk and relies on the same TrickBot infrastructure.
History of Conti Ransomware
Conti ransomware was first discovered in 2019 by researchers at the cybersecurity firm Check Point. It is known for its strong encryption and sophisticated tactics, including double extortion, in which the attackers not only encrypt the victim’s files but also steal sensitive data and threaten to release it if the ransom is not paid. It is also known for its ability to move laterally through a network, spreading to other devices and systems.
What Does Conti Ransomware Target?
Conti ransomware typically targets businesses, government organizations and educational institutions. It has been known to hit healthcare organizations, legal firms, financial services providers and other high-profile entities. Its operators prefer to avoid targeting entities within the Commonwealth of Independent States (CIS).
How Does Conti Ransomware Work?
Initially, Ryuk and later Conti were delivered exclusively by TrickBot. However, by March 2021, as detections for TrickBot improved, BazarLoader (aka BazarBackdoor) became the tool of choice for delivering Conti. Exploitation of vulnerable applications and interfaces is frequent as well, including exploitation of Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
Conti Ransomware Attack Examples
The Conti ransomware group has been known to target a variety of organizations across different sectors and countries. Some examples of known targets of the group include:
- The Scottish Environment Protection Agency (SEPA), which suffered a Conti ransomware attack in 2020, causing disruptions to its operations and resulting in financial losses.
- Fat Face, a British clothing retailer, which was hit by a Conti ransomware attack in 2020, causing disruptions to its operations and resulting in financial losses.
- The Health Service Executive (HSE) in the Republic of Ireland, which was forced to shut down all of its IT systems after suffering a Conti ransomware attack in 2021. The attack caused a massive disruption in the country’s healthcare infrastructure, resulting in limited access to diagnostics and medical records.
- Waikato District Health Board in New Zealand, which suffered a Conti ransomware attack in 2020, causing disruptions to its operations and resulting in financial losses.
- KP Snacks, a British snack food manufacturer, which was hit by a Conti ransomware attack in 2020, causing disruptions to its operations and resulting in financial losses.
- Nordic Choice Hotels, a Norwegian hotel chain, which was targeted
The Conti ransomware group is also responsible for the massive cyberattack that affected Costa Rica in April and May 2022. The attack caused significant disruptions to government agencies, including digital public platforms such as the Ministry of Finance’s TIC@ and ATV (Virtual Tax Administration). It also paralyzed trade, blocked citizens from accessing public services online, left private companies unable to report their earnings or bill the state for their professional services, and left thousands of public employees unpaid in part or in full.
The cybercriminals started by attacking eight Costa Rican institutions, taking down internal systems and holding their data hostage in exchange for a ransom of $10 million. Conti has since been linked to intrusions at at least 30 institutions and has called on the population to rise up against the government. The attack also targeted Costa Rica’s public health system, resulting in delays to medical attention and surgery. In addition, the cyber attack caused substantial economic losses to the country: the Costa Rican Chamber of Foreign Commerce estimates losses of over $125 million in the first two days alone, and the economy lost an estimated $30 million during the attack.
Conti Ransomware Technical Details
Conti is an aggressive and prolific ransomware family with functional ties to TrickBot and Ryuk. The authors and affiliates of the ransomware boast that it has stronger encryption and is faster than its predecessors, with improved obfuscation and scope. Some variants can terminate certain processes so that encryption runs without interruption; these processes are hard-coded for each ransomware instance and can be tailored to the target environment.
Conti uses up to 32 simultaneous CPU threads for file encryption. In September 2020, the developers shifted from AES to the ChaCha algorithm to speed up encryption, so less time is needed to encrypt victims’ data and there is a smaller window in which the operation can be blocked. Over time, Conti evolved with improved speed, obfuscation, and encryption methods.
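The defender’s side of the behaviour just described (many files rewritten with ciphertext-like content in seconds) is one of the "unusual file changes" signals a detection pipeline can key on. The Python below is an added example, not SentinelOne product logic and not code from any Conti sample: it scores written bytes by Shannon entropy and flags a process that produces many high-entropy rewrites inside a short sliding window; the telemetry, process names and paths are constructed.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically 4-5 for text files."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def burst_encryptors(events, window=10.0, min_files=8, min_entropy=7.0):
    """events: iterable of (t_seconds, pid, image, path, bytes_written).
    Returns {pid: (image, high_entropy_file_count)} for each process that
    wrote min_files high-entropy files inside any `window`-second span.
    Keep both conditions: compressed formats (zip, docx) already score high."""
    per_proc = defaultdict(list)
    for t, pid, image, _path, data in events:
        if shannon_entropy(data) >= min_entropy:
            per_proc[(pid, image)].append(t)
    hits = {}
    for (pid, image), times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over write timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                hits[pid] = (image, len(times))
                break
    return hits

def pseudo_ciphertext(seed: int) -> bytes:
    """Constructed stand-in for encrypted output: 512 deterministic hash bytes."""
    return b"".join(hashlib.sha256(b"%d:%d" % (seed, k)).digest() for k in range(16))

def sample_events():
    """Constructed file-write telemetry: one benign editor, one mass encryptor."""
    text = b"Quarterly revenue report, draft 3 - figures still provisional.\n" * 8
    events = [(i * 15.0, 4321, "notepad.exe", f"C:\\docs\\note{i}.txt", text)
              for i in range(5)]
    events += [(100.0 + i * 0.05, 9876, "unknown.exe", f"C:\\share\\f{i}.csv",
                pseudo_ciphertext(i)) for i in range(40)]
    return events
```

In production the events would come from an EDR or Sysmon file-write feed, and the thresholds should be tuned per share so that backup jobs and archivers stay below them.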
Full Report: https://www.sentinelone.com/labs/conti-unpacked-understanding-ransomware-development-as-a-response-to-detection/
How to Detect Conti Ransomware
- The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Conti ransomware.
If you do not have SentinelOne deployed, detecting ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network, so that the organization can take appropriate action to prevent or mitigate the impact of the attack.
To detect Conti ransomware without SentinelOne deployed, take a multi-layered approach that includes the following:
Security Tools
Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms to identify and block suspicious files or activities.
Network Traffic
Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
Security Audits
Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
Education & Training
Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
Backup & Recovery Plan
Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.
How to Mitigate Conti Ransomware
- The SentinelOne Singularity XDR Platform can return systems to their original state using the Repair or Rollback features.
If you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of ransomware attacks:
Educate employees
Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
Implement strong passwords
Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
Enable multi-factor authentication
Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
Update and patch systems
Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
Implement backup and disaster recovery
Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly to ensure that they are working and that they can be restored quickly and easily.
Conti Ransomware FAQs
What is Conti Ransomware?
Conti Ransomware is a dangerous type of malware that locks your files until you pay a ransom. It sneaks into computers and scrambles important data, leaving you without access. Both businesses and individuals can be affected by this attack. The malware holds your data hostage, causing big problems if you aren’t careful with suspicious emails or downloads. You can reduce the risk by keeping your software updated and watching out for warning signs.
What are the primary targets of Conti Ransomware attacks?
Conti Ransomware mostly attacks big companies and essential services, but it can hit small businesses too. It goes after targets with valuable data and weaker security measures. Hospitals, schools, and even government agencies have been affected. These hackers search for any system vulnerability to lock up files and demand ransom. This shows that careful security updates and regular checks are important for every organization.
What methods does Conti Ransomware use to spread within a network?
Conti Ransomware spreads through various tactics that trick users into giving access to their systems. It often arrives via phishing emails with fake attachments or links. Once inside, it moves across the network, searching for valuable files to encrypt. The malware exploits weak passwords and outdated software to travel further. You can see that one slip-up in security can lead to a bigger problem across the entire network.
What indicators of compromise (IOCs) are associated with Conti Ransomware?
Indicators of compromise for Conti Ransomware include unusual file changes, unexpected system slowdowns, and unknown programs running in the background. Network traffic might show strange patterns, and you could see odd error messages or alerts from your security tools. Some logs may reveal unauthorized access attempts or unexpected connections to suspicious servers. You can use these clues to spot an infection early and act before more damage occurs.
How can organizations detect and respond to a Conti Ransomware infection?
Organizations can catch a Conti Ransomware infection by monitoring system performance and unusual file activity. They should review logs for odd access attempts and set up network alerts. If an infection is found, disconnect affected devices immediately. Then run a full security scan and call IT experts. You can share findings with your team to ensure everyone stays alert and ready to act quickly against the threat.
What preventive measures can organizations implement to protect against Conti Ransomware?
Organizations should focus on strong security habits to keep Conti Ransomware at bay. This means using updated antivirus software, applying regular patches, and enforcing strong password policies. It is also smart to back up important data frequently. Training employees to recognize suspicious emails and links is vital. You can also limit access to sensitive systems and monitor network traffic for odd behavior to catch any threats early.
What steps should an organization take immediately after a Conti Ransomware attack?
After a Conti Ransomware attack, the first move is to isolate the infected systems from the network to prevent further spread. Organizations should then alert their IT team and report the incident to authorities. A backup and recovery plan must be put into action, and all systems should be scanned for traces of the malware. You can also review security policies to patch any gaps and help avoid future attacks.