Conti (ransomware)
Conti is ransomware that has been observed since 2020.[1][2] All versions of Microsoft Windows are known to be affected.[1]
Threat details
Conti uses its own implementation of AES-256 and runs the encryption on up to 32 concurrent threads, making it much faster than most ransomware.[1] The method of delivery is not clear.[1]
Since 2020 the gang behind Conti has operated a data leak site on which it publishes documents stolen from victims during the intrusion.[3] The same gang has operated the Ryuk ransomware.[3] The group is known as Wizard Spider and is based in Saint Petersburg, Russia.[4]
Behaviour
Once on a system it attempts to delete Volume Shadow Copies, removing the local restore points a victim could otherwise recover from.[1] It uses the Windows Restart Manager to shut down services and processes that hold files open, so that those files can be encrypted as well.[1] It also disables Windows Defender real-time monitoring and uninstalls the Windows Defender application. By default it encrypts all files on local drives and on networked Server Message Block (SMB) shares, skipping files with the .dll, .exe, .sys and .lnk extensions.[1] It can also be directed at specific drives or at individual IP addresses.[1][2]
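The shadow-copy deletion and the tampering with Windows Defender described above are the host-level events a defender would hunt for ahead of the encryption itself. The following is an added example, not part of the original article and not code from Conti or from any of the cited reports: a small Python detector run over a handful of constructed process-creation records (Sysmon Event ID 1 style, reduced to JSON-like dictionaries). The command lines it matches (vssadmin, wmic shadowcopy, Set-MpPreference, Uninstall-WindowsFeature) are representative ways of performing those actions on Windows and were chosen by the editor; the article does not name the exact commands Conti issues.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields we need.
# They are made up for this example and are not telemetry from a real Conti incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\bob\Downloads\update.exe",
     "CommandLine": 'cmd.exe /c "vssadmin  Delete Shadows /All /Quiet"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\bob\Downloads\update.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\bob\Downloads\update.exe",
     "CommandLine": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "vssadmin list shadows"},          # benign: enumerates, does not delete
    {"Image": r"C:\Program Files\Backup\agent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Backup\agent.exe" --run-job nightly'},
]

# (rule name, MITRE ATT&CK technique, pattern over the normalised command line).
# The command lines are representative ways to perform the actions the article lists;
# the article itself does not state which commands Conti runs.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("defender_realtime_disabled", "T1562.001",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b")),
    ("defender_uninstall", "T1562.001",
     re.compile(r"uninstall-windowsfeature\b.*windows-defender")),
]


def normalise(cmd: str) -> str:
    """Lower-case, drop quoting and collapse runs of whitespace so the patterns stay simple
    and cannot be dodged by extra spaces or quoted arguments."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, keeping the parent so hits can be correlated."""
    alerts = []
    for ev in events:
        cmd = normalise(ev.get("CommandLine", ""))
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"rule": name, "technique": technique,
                               "parent": ev.get("ParentImage", ""),
                               "image": ev.get("Image", ""), "command": cmd})
    return alerts


def correlate(alerts: List[Dict[str, str]], min_rules: int = 2) -> Dict[str, set]:
    """Group alerts by parent process. One parent tripping several distinct rules
    (recovery inhibition plus AV tampering) is a far stronger ransomware precursor
    than any single hit, which an admin or backup tool can also produce."""
    by_parent: Dict[str, set] = defaultdict(set)
    for a in alerts:
        by_parent[a["parent"]].add(a["rule"])
    return {parent: rules for parent, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(json.dumps(hit))
    for parent, rules in correlate(hits).items():
        print(f"HIGH: {parent} performed {sorted(rules)}")
```

The benign `vssadmin list shadows` record and the backup agent are there deliberately: a rule that fires on every `vssadmin` invocation is unusable in practice, and the correlation step is what turns "someone deleted shadow copies" into "one unknown binary is removing restore points and blinding the AV", which is the point at which to isolate the host.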
Remediation
According to NHS Digital the only guaranteed way to recover encrypted files is to restore them from the most recent backup.[1] Because the group also copies data before encrypting it and publishes it on its leak site, restoring from backup recovers the files but does not remove the risk of the stolen data being published.[3]
Leaks
During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country.[5][6][7] As a result, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine[8][9][10] along with source code and other files used by the group.[11][7][12]
The leaks cover the period from the start of 2020 to 27 February 2022 and consist of more than 60,000 chat messages.[7] Most leaked messages were direct messages sent via Jabber.[7] Attacks were coordinated using Rocket.Chat.[7] The leaks are fragmented.[7]
Some of the messages discuss the actions of Cozy Bear in hacking COVID-19 researchers.[13] Kimberly Goody, director of cybercrime analysis at Mandiant, says the logs contain references to an unnamed external source that could be helpful to the gang.[13] She points to a mention in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government.[13]
Views expressed in the leaks include support for Vladimir Putin and Vladimir Zhirinovsky, and antisemitism (including towards Volodymyr Zelenskyy).[14] A member known as Patrick repeated several false claims made by Putin about Ukraine.[14] Patrick lives in Australia and may be a Russian citizen.[14]
Some messages show an obsession with Brian Krebs.[14]
The messages make heavy use of mat (Russian profanity).[14] Messages containing homophobia, misogyny and references to child abuse were also found.[14]
Membership and structure
The most senior member is known by the aliases Stern or Demon and acts as CEO.[7] Another member known as Mango acts as a general manager and frequently communicates with Stern.[7] Mango told Stern in one message that there were 62 people in the main team.[7] The numbers involved fluctuate, reaching as high as 100.[7] Because of constant turnover in members, the group recruits constantly from legitimate job recruitment sites and hacker sites.[7]
Ordinary programmers earn around $1,500 to $2,000 per month, and members negotiating ransom payments can take a share of the profits.[7] In April 2021 one member claimed to be working with an unnamed journalist who took a 5% share of ransom payments in return for pressuring victims to pay up.[7]
Research
VMware Carbon Black has published a technical report on the ransomware.[2][15]
Known targets
- AB Karl Hedin
- Scottish Environment Protection Agency[4]
- Fat Face[4]
- Health Service Executive in the Republic of Ireland[4]
- Waikato District Health Board in New Zealand[16]
- Shutterfly[17]
- KP Snacks[18]
- Ministerio de Hacienda in Costa Rica
- Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT) in Costa Rica
- Caja Costarricense del Seguro Social in Costa Rica (Twitter account)
- Instituto Meteorológico Nacional in Costa Rica
See also
- Health Service Executive cyberattack - involves a new variant of the ransomware.
- Wizard Spider - group known to use the software
References
- [1] "Conti Ransomware". NHS Digital. 9 July 2020. Retrieved 14 May 2021.
- [2] Cimpanu, Catalin (9 July 2020). "Conti ransomware uses 32 simultaneous CPU threads for blazing-fast encryption". ZDNet. Retrieved 14 May 2021.
- [3] Cimpanu, Catalin (25 August 2020). "Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites". ZDNet. Retrieved 15 May 2021.
- [4] Corfield, Gareth (14 May 2021). "Hospitals cancel outpatient appointments as Irish health service struck by ransomware". The Register. Retrieved 15 May 2021.
- [5] Reichert, Corinne (25 February 2022). "Conti Ransomware Group Warns Retaliation if West Launches Cyberattack on Russia". CNET. Retrieved 2 March 2022.
- [6] Bing, Christopher (25 February 2022). "Russia-based ransomware group Conti issues warning to Kremlin foes". Reuters. Retrieved 2 March 2022.
- [7] Burgess, Matt (16 March 2022). "The Workaday Life of the World's Most Dangerous Ransomware Gang". Wired UK. Retrieved 21 March 2022.
- [8] Corfield, Gareth (28 February 2022). "60,000 Conti ransomware gang messages leaked". The Register. Retrieved 2 March 2022.
- [9] Humphries, Matthew (28 February 2022). "Backing Russia Backfires as Conti Ransomware Gang Internal Chats Leak". PCMag. Retrieved 2 March 2022.
- [10] Faife, Corin (28 February 2022). "A ransomware group paid the price for backing Russia". The Verge. Retrieved 2 March 2022.
- [11] "The Conti ransomware leaks". Malwarebytes. 1 March 2022. Retrieved 2 March 2022.
- [12] "'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang". CNN. 2022.
- [13] Burgess, Matt (18 March 2022). "Leaked Ransomware Docs Show Conti Helping Putin From the Shadows". Wired UK. Retrieved 21 March 2022.
- [14] Lee, Micah (14 March 2022). "Leaked Chats Show Russian Ransomware Gang Discussing Putin's Invasion of Ukraine". The Intercept. Retrieved 21 March 2022.
- [15] Baskin, Brian (8 July 2020). "TAU Threat Discovery: Conti Ransomware". VMware Carbon Black. Retrieved 14 May 2021.
- [16] "Waikato hospitals hit by cyber security incident". Radio New Zealand. 18 May 2021. Retrieved 18 May 2021.
- [17] "Shutterfly services disrupted by Conti ransomware attack". Bleeping Computer. 27 December 2021. Retrieved 27 December 2021.
- [18] "KP Snacks giant hit by Conti ransomware". Bleeping Computer. 22 January 2022. Retrieved 22 January 2022.