What Is Conti Ransomware?

In the context of cybersecurity, Conti brings to mind nefarious hacker groups capable of crippling the most secure systems and networks. It also describes sophisticated ransomware developed and used by the aforementioned criminals to target organizations across the globe. While they were only active for a few short years, the Russian-backed Conti ransomware group used malicious tools of every type and aggressive extortion tactics to take hundreds of millions of dollars. While the group is now defunct, Conti and similar ransomware tools are alive and well.

When a cybercriminal deploys Conti on a victim's network, it spreads rapidly while encrypting and transferring data to a remote location. The goal is complete control of a victim's data, leading up to a ransom levied in the form of double extortion. Without a decryption key, victims can no longer access data. Meanwhile, since the attacker has also downloaded the data, they add to their extortion attempt by threatening to release confidential information. While both scenarios — loss of data access and leaked confidential information — can result in serious damage to an organization, paying a ransom demand often doesn't help the situation.

How It Works

The Conti group operated as a Ransomware-as-a-Service (RaaS) affiliate program. The group emerged in 2019, taking the place of another gang, and began offering the sophisticated Conti ransomware technology for sale or lease to affiliates who carry out attacks. An attack necessitates the deployment of Conti ransomware, although in most cases, a live actor works to crack systems using a variety of tools and techniques.

Because of this, organizations must prepare for any possibility, and a good starting point is the ATT&CK framework, developed by the nonprofit organization MITER. This framework is a comprehensive knowledge base of attacks and response strategies. It’s developed by observing real-world cyberattacks and provides detailed procedures to help organizations identify and defend against these threats.

Initial Access

A ransomware attack begins with actors attempting to gain access to a victim’s network. A typical approach involves phishing attacks through emails with a seemingly harmless Word document or zip file attached. However, these attachments are malware that deploys first-stage exploits, such as Cobalt Strike. Another approach involves searching for open RDP ports via network scans and using these ports to log in with stolen credentials. Once inside, attackers use a variety of tools (both malicious and open source) to navigate the network, locate data stores and compromise security. This is why careful provisioning and tight security are essential for organizations with remote worker access.

Other techniques leverage weaknesses in standard tools such as Active Directory, which stores password hashes on disk and in memory. These are easily lifted with tools such as mimikitz, providing attackers with administrative credentials and wide access to the network and its data. For any company using Windows Server, deploying internal protection for Active Directory is a wise decision.

Lateral Movement

Once attackers breach a network, they deploy the Conti ransomware, allowing it to spread across the network. As it spreads, Conti's advanced code uses a multithreading technique to rapidly encrypt data and employs multiple obfuscation techniques to evade various security layers. This strategy maximizes the damage Conti inflicts before end point solutions can detect and stop the attack.

Conti owes its speed and efficiency in propagating to its lateral movement on a network — specifically the Server Message Block protocol (SMB) protocol. All Microsoft Windows systems use SMB to communicate with devices, such as network printers. Rather than following conventional network devices, Conti spreads over the SMB protocol, making it exceptionally difficult to detect and contain. Configuring the Windows SMB client parameter helps mitigate this lateral approach. 

Exfiltration and Encryption

Once a network is fully breached, attackers use open-source tools, such as Rclone, to exfiltrate a victim’s data to a cloud storage provider. The goal is to prevent flagging by security systems that monitor for suspicious network activity. Meanwhile, attackers also attempt to delete or corrupt backups as part of their strategy. This makes it more difficult for victims to recover data without paying a ransom. Many teams overlook the strategy of keeping secure backups in an isolated location, but this oversight can turn costly if ransomware is involved.

Extortion (Ransomware)

Actors often spend days or weeks inside a network, encrypting and transferring data and trashing backups. By the time they demand a ransom, it's already too late: The victim's data is already encrypted, making it inaccessible without the decryption key. The actors demand millions of dollars in exchange for this key, and since the loss of so much data is devastating for any organization, these demands are often met.

A Conti attack also involves the threat of leaked data. Actors levy an additional layer of extortion by threatening to leak sensitive information unless the victims pay their ransom demands. The threat of exposing confidential business or customer data compels many businesses to pay the ransom fee.

The History and Future of Conti Attacks

The Conti ransomware gang established itself as one of the most feared and notorious cybercrime outfits in history. Over a few short years, the group coordinated numerous high-profile attacks, including cyber assaults on corporations, healthcare facilities, municipalities and even national governments.

Formation, Membership and Structure

Appearing around 2019 or 2020, the Conti group formed to replace Ryuk, another ransomware and hacker gang. Like its predecessor, most security analysts believe Conti was led by hackers with Russian ties. Operating as a Ransomware-as-a-Service organization, the group leased its technology and infrastructure to other groups and hackers who would use them to launch attacks. The Conti group received commissions for successful attacks.

Part of Conti's infrastructure was a website used to leak confidential data exfiltrated during successful attacks. The site was launched in August 2020, and by the end of the same year, it had leaked data from more than 150 organizations. While providing malware and infrastructure to other hackers in exchange for profits isn't unusual in cybercrime, the Conti group's approach was unique.

The Conti group took a more active role in attacks, even going so far as to hire hackers as employees. It utilized business practices common to technology companies, engaging in recruiting efforts with promises of benefits and high salaries. At one point, there was an active human resources department. It should come as no surprise that the Conti group was and is still considered a criminal syndicate.

Notable Attacks

In March 2021, Conti infiltrated Ireland’s Health Service Executive, gaining access to the entire network, including 70,000 devices. By May 14, 2021, Conti had encrypted terabytes of data, disabling the hospital’s infrastructure. Conti said it had exfiltrated more than 700GB of data, including personal information on patients, employees and contractors. The group demanded $20 million to undo their actions.

Micheal Martin, Ireland’s Prime Minister at the time, announced on television that the government wouldn’t pay the ransom. On May 20, the FBI issued a statement outlining similar attacks by Conti on healthcare and first responder networks across the U.S. and the world, asking for any information regarding the group’s operations.

On September 29, 2021, JVCKenwood disclosed that some of its servers in Europe had been breached and that customer data might have been compromised. The following day, the news site Bleeping Computer received a copy of the ransom note that was sent to JVCKenwood, identifying Conti as the attackers and ransomers. The group said in the note that it had stolen nearly 2TB of data, for which it demanded $7 million.

In May 2021, a similar attack happened in Tulsa, Oklahoma, when ransomware shut down the city’s network, leading to disruptions of its online systems. The Conti group claimed responsibility, publishing nearly 19,000 files — mostly police citations and internal Word documents. In response, the city issued a warning that personal information was exposed in the leaked files.

Conti’s most notorious attack took place from mid-April to late May 2022. After enduring weeks of attacks in Costa Rica, the government declared a national emergency, the first country to do so in response to a cyber assault. The ransomware gang assaulted the networks and systems of dozens of government bodies, including the Ministry of Finance and the Ministry of Labor and Social Security. The devastating attacks cost the government millions of dollars and demonstrated that a hacker group can undo an entire country.

Rebrand

Many cybersecurity firms believe the Conti gang’s attack on Costa Rica was an elaborate ruse to draw attention from its rebranding efforts. Just before the attack began, the group had already started the process of dismantling the Conti brand. In May 2022, cybersecurity firm AdvIntel declared the criminal hacker group officially dead.

While no one knows for sure, many experts believe the group disbanded over internal divisions following Russia’s invasion of Ukraine on February 24, 2022. The day after the invasion started, Conti announced its support for Russia. Two days later, on February 27, a new Twitter account leaked more than 170,000 of the group’s internal chat logs, as well as the source code for Conti ransomware.

The leak provided a treasure trove of information for security analysts, including exact tools and methods used by hackers to infiltrate organizations around the world. It also demonstrated how well organized the group was, operating like a high-tech startup with established positions and hierarchies, including coders, system admins, recruiters and executives.

On June 24, a month after the attack on Costa Rica ended, the last of the Conti group websites went dark, marking the end of one of the most notorious cybercrime syndicates in history. But the faceless hackers who made Conti what it was didn't go to jail or disappear. While their final attack was underway, they quietly dispersed, moving on to new groups and gangs.

How to Detect a Conti Attack

A Conti attack is, by definition, multifaceted. It involves multiple attack vectors that usually take place over several days. Because attackers use common, readily available tools throughout the attack, detection is challenging. However, there are signs for those who know what to look for. One method is diligent network monitoring. Real-time monitoring tools can alert administrators when an event reaches a certain threshold — failed login attempts or the scanning of multiple ports, for example.

Another indicator is an uptick in phishing emails. Ransomware attackers use phishing to steal credentials, compromise systems on the network and gain access. Companies can improve the odds of spotting an attack in its earliest stages by ensuring that employees properly identify and flag suspicious emails, thus alerting security teams.

How to Mitigate a Conti Attack

Implementing multifactor authentication for all users is one of the most effective measures for protecting your organization from ransomware attacks such as Conti. Multifactor authentication requires users to have two or more forms of identification to access secure accounts, making it exceedingly difficult for hackers to gain access through compromised passwords.

Implementing and maintaining robust network segmentation is another step in protecting your organization against ransomware threats. Network segmentation helps reduce the spread of malware by isolating networks and functions from one another, preventing the lateral movement of ransomware such as Conti. 

Some other security strategies include:

• Utilizing security software: Use endpoint and detection response tools to increase visibility into endpoint security and protect against malicious cyber actors. Set up antivirus and anti-malware programs to perform regular scans of network assets with up-to-date signatures.
• Limiting network access: Restrict remote desktop protocol (RDP) if it’s not used. If RDP is deemed necessary, restrict originating sources and require multifactor authentication after assessing risks.
• Leveraging application policies: Ensure all network-connected software, including operating systems and applications, are upgraded promptly. Consider using a centralized patch management system to define policies.
• Managing application security: Remove any unnecessary applications from day-to-day operations, since Conti threat actors leverage many default tools during attacks. To see what readily available software cyber criminals are using, monitor CISA’s list of tools.

Ensuring your organization has secure backups as ransomware defense is the most effective way to negate the impacts of data extortion. By developing a secure, robust backup strategy, organizations protect against data loss from encryption and exfiltration.

What to Do in Case of Infection

Cybersecurity is a constant battle. Organizations with hypervigilant security can still succumb to a newly discovered exploit. Knowing how to handle a ransomware attack can prevent worse outcomes in these situations. The worst possible outcome would be paying a ransom demand.

Organizations shouldn't pay ransoms in ransomware attacks. Independent security firms, as well as the CISA, FBI and NSA, unanimously discourage it. Doing so encourages further attacks from the original actors and new groups. If the individuals decide not to provide the decryption key once a ransom is paid, the organization is worse off than it started.

Instead, follow the steps below, as recommended by the organization mentioned above:

1. Follow the Ransomware Response Checklist in the Joint Ransomware Guide.
2. If possible, scan data backups with an antivirus program to ensure it’s uninfected.
3. Immediately report the incident to CISA, a local FBI Field Office, or a U.S. Secret Service Field Office.

In the event of an attack, organizations need to act quickly to contain the damage and prevent further spread. Before recovery begins, it’s essential to identify the type of ransomware involved and determine the extent of the damage. Efforts should focus on restoring the most critical systems and data first, with a prioritized approach to minimize downtime and limit the impact of the attack.

Recovering from a ransomware attack is daunting. Restoring systems, services and data are time-consuming and expensive, never mind the disruption caused to business operations. Communicating with stakeholders and customers is equally vital — rebuilding relationships is just as important. The bottom line is that a comprehensive backup and recovery strategy, in addition to conducting regular testing, minimizes the risks of a worst-case scenario for any ransomware attack.

How Veeam Can Help

The most effective ransomware protection from Conti attacks and those like them is a strong data backup and recovery strategy. With Veeam’s prevent, detect and restore approach, organizations can mitigate the impacts of ransomware by preventing data loss from encryption or corruption. No organization is immune from a ransomware attack, but Veeam can help protect data from irreparable losses and prevent involvement with turbulent cybercriminal groups.