SECURITY ALERT: Conti Ransomware Restrains Compromised Customers with Legitimate RC Software
In the wake of the recent significant increase in ransomware incidents related to Conti ransomware, our cybersecurity specialists warn that Conti operators remain extremely active and represent a constant and persistent threat to organizations and public institutions alike.
Conti Is Growing Strong
Conti ransomware stands out as one of the most ruthless ransomware gangs of today’s cybersecurity landscape. The group was first noticed in May 2020, and since then has undergone rapid development and is known for the speed at which it encrypts and deploys across a target system.
Conti has spent over a year attacking law enforcement agencies, schools, and organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, and emergency medical services. The group sabotaged the Health Service Executive (HSE) in Ireland and subsequently released the key for decryption, but at the same time extorted with leakage of potentially extremely sensitive data.
According to our intel, the ransomware group infects machines via BazarLoader, Bazarcall, and TrickBOT and then drops a cocktail of other malware into the compromised network in order to make a lateral movement.
As a human-operated “double extortion” ransomware specialized in stealing and threatening tactics, an important detail related to Conti is the fact that the group uses multiple forms of legitimate Remote Control software solutions (AnyDesk, Atera, Splashtop, Remote Utilities, RDP, and ScreenConnect) to maintain its presence in the network.
Since DarkSide ransomware attacked Colonial Pipeline three months ago, Conti has been somewhat on hold. Unfortunately, about 3 weeks ago the ransomware operators have started to increase their activity in several areas. Their latency period from infiltration to payload rollout is between 2 – 3 weeks on average. For that reason, more incidents are expected.
Conti’s source code is very similar to Ryuk 2.0’s and it’s currently being reused across the developments. The template used in connection with the extortion is also identical to previous Ryuk incidents. A collaboration between the different groups could also be possible.
The extortion sum related to Conti is typically somewhere between 300,000 – 600,000 USD, but it has also been observed to be significantly higher.
Apart from the ransomware attack, Conti also threatens their victims to leak their sensitive data, public-shaming them on social media platforms by abusing official accounts related to the victim, as well as doing extortion over the phone with VoIP services.
Ransomware operators are increasingly abusing the access already established after the compromise, but also make use of legitimate software for remote administration and persistence, and data exfiltration.
Make sure you have a recovery plan with offline backups and an Incident Response agreement with a company that has experience in resolving ransomware incidents.
Heimdal™’s Ransomware Encryption Protection solution can actively disrupt malicious encryption attempts. Our product is a 100% signature-free component, compatible with any antivirus solutions on the market, that adds revolutionary detection and remediation of any type of ransomware to your company network.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;