Conti Ransomware: In-Depth Analysis, Detection, Mitigation
What Is Conti Ransomware?
Conti has proven to be an agile and capable ransomware family, able to run both autonomously and under operator control, with encryption speeds well above those of earlier families. As of June 2021, this feature set had helped its affiliates extort several million dollars from more than 400 organizations.
Conti is developed and maintained by the TrickBot gang and is mainly operated through a ransomware-as-a-service (RaaS) affiliate model. The Conti ransomware is derived from the Ryuk codebase and relies on the same TrickBot infrastructure.
History of Conti Ransomware
Conti ransomware was first discovered in 2019 by researchers at the cybersecurity firm Check Point. Conti is known for its strong, fast encryption and sophisticated tactics, including double extortion: the attackers not only encrypt the victim’s files but also steal data beforehand and threaten to publish it if the ransom is not paid. It is also known for its ability to move laterally through a network, spreading to other devices and systems.
What Does Conti Ransomware Target?
Conti ransomware typically targets businesses, government organizations and educational institutions. It has been known to hit healthcare organizations, legal firms, financial services providers and other high-profile entities. The operators avoid targeting entities within the Commonwealth of Independent States (CIS).
How Does Conti Ransomware Work?
Initially, Ryuk and later Conti were delivered exclusively by TrickBot. However, by March 2021, as detections for TrickBot improved, BazarLoader (aka BazarBackdoor) became the tool of choice for delivering Conti. Exploitation of vulnerable, internet-facing applications and interfaces is frequent as well; this includes exploitation of the Microsoft Exchange ProxyShell chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
Conti Ransomware Attack Examples
The Conti ransomware group has targeted a variety of organizations across different sectors and countries. Some examples of known victims include:
The Scottish Environment Protection Agency (SEPA), which suffered a Conti ransomware attack in December 2020 that disrupted its operations and caused financial losses.
FatFace, a British clothing retailer, which was hit by a Conti ransomware attack in January 2021 that disrupted its operations and caused financial losses.
The Health Service Executive (HSE) in the Republic of Ireland, which was forced to shut down all of its IT systems after suffering a Conti ransomware attack in May 2021. The attack caused a massive disruption in the country’s healthcare infrastructure, resulting in limited access to diagnostics and medical records.
Waikato District Health Board in New Zealand, which suffered a Conti ransomware attack in May 2021 that disrupted its operations and caused financial losses.
KP Snacks, a British snack food manufacturer, which was hit by a Conti ransomware attack in early 2022 that disrupted its operations and caused financial losses.
Nordic Choice Hotels, a Norwegian hotel chain, which was targeted
The Conti ransomware group is also responsible for the massive cyberattack that affected Costa Rica in April and May 2022. The attack caused significant disruptions to government agencies, taking down digital public platforms including the Ministry of Finance’s TIC@ customs system and ATV (Virtual Tax Administration). Trade was paralyzed, citizens were blocked from accessing public services online, private companies were unable to report their earnings or bill the state for their professional services, and thousands of public employees were paid late, in part or not at all. The attackers started with eight Costa Rican institutions, taking down internal systems and holding their data hostage for a ransom of $10 million. Conti has since been linked to intrusions at at least 30 institutions and has called on the population to rise up against the government. The attack also hit Costa Rica’s public health system, delaying medical attention and surgeries, and is causing substantial economic losses: the Costa Rican Chamber of Foreign Commerce estimated losses of over $125 million in the first two days alone, and the economy is estimated to have lost $30 million during the attack.
Conti Ransomware Technical Details
Conti is an aggressive and prolific ransomware family with functional ties to TrickBot and Ryuk. Its authors and affiliates boast that it encrypts more strongly and faster than its predecessors, and it has improved obfuscation and scope. Some variants terminate selected processes so that locked files do not block encryption; the process list is hard-coded into each build and can be tailored to the target environment. Conti uses up to 32 simultaneous CPU threads for file encryption. In September 2020, the developers switched from AES to the ChaCha stream cipher to speed up encryption, so the malware needs less time to encrypt a victim’s data and leaves defenders a smaller window in which to block it. Over time Conti evolved with improved speed, obfuscation and encryption methods.
How to Detect Conti Ransomware
- The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Conti ransomware.
If you do not have SentinelOne deployed, detecting ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network, so that the organization can act in time to prevent or limit the impact of an attack.
To detect Conti ransomware without SentinelOne, take a multi-layered approach that includes the following:
Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics or machine learning to identify and block suspicious files or activities. Behavioural indicators, such as a single process rewriting many files with high-entropy content in a short time, are more robust than file hashes, because Conti builds are tailored per deployment.
Monitor network traffic and look for indicators of compromise, such as unusual traffic patterns or communication with known command-and-control servers; for Conti intrusions this typically means the TrickBot or BazarLoader infrastructure that precedes the ransomware itself.
Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
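The technical details above (up to 32 encryption threads, ChaCha for speed) and the behavioural-detection point here describe the same observable: one process rewriting many files with ciphertext-like content within seconds. The following is an added example written for this page, not SentinelOne or Conti code, of a detector that scores constructed file-write telemetry per process on exactly that pattern. The event format, process names, thresholds and the .CONTI suffix are assumptions for illustration.

```python
"""Behavioural detector for fast file-encryptor activity (constructed example).

Not SentinelOne or Conti code. It scores file-write telemetry per process and
flags a process that rewrites many distinct files with high-entropy content
inside a short window, which is what a multi-threaded ChaCha/AES encryptor
looks like to a file-system sensor regardless of the sample's hash.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds on a constructed clock
    pid: int
    process: str
    path: str
    data: bytes     # leading bytes of the write, as a sensor would sample them


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryptor(events, window=10.0, min_files=20, entropy_threshold=7.0):
    """Return {pid: (process_name, [paths])} for every process that wrote
    at least `min_files` distinct high-entropy files within `window` seconds."""
    high = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= entropy_threshold:
            high[ev.pid].append(ev)

    flagged = {}
    for pid, evs in high.items():
        in_window = Counter()   # path -> writes currently inside the sliding window
        lo = 0
        for ev in evs:
            in_window[ev.path] += 1
            while evs[lo].ts < ev.ts - window:   # evict events older than the window
                old = evs[lo].path
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_files:
                flagged[pid] = (ev.process, sorted({e.path for e in evs}))
                break
    return flagged


def build_sample_events(seed=7):
    """Constructed telemetry: a word processor saving documents, a backup agent
    writing compressed archives slowly, and an encryptor rewriting 40 files in
    under three seconds. Names and the .CONTI suffix are illustrative."""
    rng = random.Random(seed)

    def random_blob():
        return bytes(rng.getrandbits(8) for _ in range(4096))

    text = b"Quarterly report: revenue grew 4% year over year. " * 80
    events = [
        WriteEvent(1000.0, 412, "winword.exe", r"C:\Users\a\Documents\q1.docx", text),
        WriteEvent(1040.0, 412, "winword.exe", r"C:\Users\a\Documents\q2.docx", text),
    ]
    for i in range(5):                              # high entropy, but one file per minute
        events.append(WriteEvent(1500.0 + 60 * i, 77, "backup.exe",
                                 rf"D:\bak\vol{i}.zip", random_blob()))
    for i in range(40):                             # burst: 40 files in 2.8 s
        events.append(WriteEvent(2000.0 + 0.07 * i, 9021, "encryptor.exe",
                                 rf"C:\Users\a\Documents\file{i}.xlsx.CONTI", random_blob()))
    return events


if __name__ == "__main__":
    for pid, (name, paths) in detect_encryptor(build_sample_events()).items():
        print(f"ALERT pid={pid} {name}: {len(paths)} high-entropy files rewritten")
```

The backup agent writes equally high-entropy data but is never flagged, because the rate, not the entropy alone, is the signal; tune `window` and `min_files` against a baseline of your own file servers before alerting on it, and pair it with a ransom-note filename rule rather than relying on either alone.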
Education & Training
Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
Backup & Recovery Plan
Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.
How to Mitigate Conti Ransomware
- The SentinelOne Singularity XDR Platform can return systems to their original state using the Repair or Rollback features.
In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of ransomware attacks:
Educate employees
Employees should be educated on the risks of ransomware and on how to identify and avoid phishing emails, malicious attachments and other threats. They should be encouraged to report suspicious emails or attachments rather than opening them or clicking on links or buttons in them.
Implement strong passwords
Organizations should enforce strong, unique passwords for all user accounts. Length matters more than forced complexity: prefer passphrases of at least 12 characters, screen new passwords against lists of known-breached passwords, and rotate a password when there is evidence it has been compromised rather than on a fixed schedule, since scheduled rotation tends to produce predictable variations of the old password.
Enable multi-factor authentication
Organizations should enable multi-factor authentication (MFA) for all user accounts, starting with anything reachable from the internet (VPN, remote desktop gateways, Exchange and webmail), since that is where the delivery chain described above gains its foothold. MFA can be delivered through mobile apps such as Google Authenticator or Microsoft Authenticator, or through physical tokens or smart cards; phishing-resistant methods (FIDO2 security keys, smart cards) are preferable to one-time codes, which a phishing page can relay in real time.
Update and patch systems
Organizations should regularly update and patch their systems to fix known vulnerabilities before attackers exploit them, giving priority to internet-facing services: the Exchange ProxyShell bugs listed above (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) were used to deploy Conti. This includes updating the operating system, applications and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
Implement backup and disaster recovery
Organizations should implement regular backup and disaster recovery (BDR) processes so that they can recover from ransomware attacks or other disasters. This includes creating regular backups of all data and systems and keeping at least one copy offline or in immutable storage that a compromised domain administrator account cannot modify or delete, since ransomware operators routinely seek out and destroy any backups they can reach before encrypting. Backups should be tested regularly by actually restoring them and verifying the restored data, not merely by checking that the backup job completed.
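A restore test is only meaningful if the restored data is checked against what was backed up. The following is an added example for this page, not SentinelOne code or any vendor's backup tooling, that captures a size-and-SHA-256 manifest at backup time and verifies a restore against it, so that a restore that silently contains encrypted, missing or foreign files fails the test. The directory layout, file contents and the `demo` function are constructed for illustration.

```python
"""Restore test with integrity verification (constructed example, not SentinelOne code).

A backup job that "completed" proves little; the test that matters is restoring
into a scratch location and checking every file against a manifest captured
when the backup was taken. Keeping the manifest with the offline copy also
exposes files that were already encrypted when they were backed up.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path under `root` to (size, sha256 hex)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, digest)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return sorted (relpath, problem) tuples; an empty list means the restore is exact."""
    problems = []
    for rel, (size, digest) in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append((rel, "missing"))
            continue
        data = target.read_bytes()
        if len(data) != size:
            problems.append((rel, "size mismatch"))
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append((rel, "hash mismatch"))   # same size, different bytes: e.g. encrypted in place
    expected = set(manifest)
    for p in restored.rglob("*"):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in expected:
            problems.append((rel, "unexpected file"))  # e.g. a ransom note dropped into the tree
    return sorted(problems)


def demo() -> tuple:
    """Constructed run: back up a small tree, verify a clean restore, then verify
    again after one file is overwritten in place, one deleted and one added."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup, restored = (Path(tmp) / n for n in ("src", "backup", "restored"))
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_bytes(b"hello " * 100)     # 600 bytes
        (src / "docs" / "b.txt").write_bytes(b"world " * 100)
        (src / "db.sqlite").write_bytes(bytes(range(256)) * 8)

        shutil.copytree(src, backup)           # the backup job
        manifest = build_manifest(src)         # captured at backup time, stored with the copy

        shutil.copytree(backup, restored)      # restore test into scratch space
        clean = verify_restore(manifest, restored)

        (restored / "docs" / "a.txt").write_bytes(os.urandom(600))   # same size, "encrypted"
        (restored / "docs" / "b.txt").unlink()
        (restored / "readme.txt").write_bytes(b"your files are encrypted")
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

Run the verification from a host that holds only read access to the backup store; if the manifest lives on the same writable share as the backups, an intruder with that share's credentials can rewrite both.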