Conti ransomware is a relatively new addition to the roster of malicious software readily available for hackers and cybercriminals. While it’s only been around since 2020, it’s already been used against significant targets, even affecting entire city networks. Where did Conti malware come from, and how does it work?
At the most basic level, Conti is ransomware: malware that, once an attacker has gained access to a victim's network, encrypts important files or services. To regain access to the files, the victim has to pay the attacker for the decryption key, typically in cryptocurrency.
What makes Conti attacks stand out is the speed at which files are encrypted and how quickly the malware spreads through a network. Conti also has a second extortion lever. Alongside encrypting the files, the operators copy them out of the victim's network. If the victim refuses to pay, the stolen data is published on the group's leak site on the dark web.
Conti originated in Russia with a notorious group known as Wizard Spider. Based in St. Petersburg, the group sells access to its malware to other cybercriminals, operating Conti as ransomware-as-a-service (RaaS): affiliates carry out the intrusions and the operators take a cut of each ransom.
Conti attacks typically start with phishing: the attacker tries to lure a victim into following a link to a malicious site or opening an attachment that drops malware, using social engineering (a fake invoice or shared document, for instance) to make the download look legitimate. Conti has also been spread through SEO poisoning, with the payload disguised as other software and pushed up the search results for common software queries.
Once Conti is inside a network, it spreads using a set of built-in tools: it moves to servers and file shares, goes after backups so they cannot be used for recovery, and tries to disable security software. As it spreads, it copies files out of the network while encrypting the originals. The encryption itself is faster than that of typical ransomware because Conti encrypts many files in parallel.
A Conti intrusion is particularly dangerous because the operators plant several backdoors to keep access to the victim's IT systems. If a victim with some technical knowledge tries to recover without paying, for example by restoring from backups, the backdoors let the attackers come back and encrypt again, which is how they enforce the ransom.
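The speed of encryption and the resulting wave of rewritten files described above are also the most reliable signals a defender has. The following is an added example written for this article, not code from Conti, from Wizard Spider or from any security vendor: a small Python detector that flags a burst of files whose contents changed from low-entropy plaintext to high-entropy data within a short window, which is what in-place encryption of a file share looks like from the filesystem's point of view. The thresholds, the event format and the sample events are assumptions constructed for the demo; in practice the events would come from a file-integrity monitor or an EDR agent.

```python
"""Burst-of-high-entropy-writes detector: an illustrative example, not Conti's code."""
import math
import os
from collections import Counter, deque
from random import Random

# Tunables (assumed values for the demo, not measured from Conti samples).
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
WINDOW_SECONDS = 30.0     # how short a window counts as "a burst"
BURST_THRESHOLD = 25      # high-entropy rewrites inside the window before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before: bytes, after: bytes) -> bool:
    """True when readable content was replaced by a high-entropy blob in one write."""
    return (shannon_entropy(before) < ENTROPY_THRESHOLD
            and shannon_entropy(after) >= ENTROPY_THRESHOLD)


def detect_bursts(events):
    """events: time-ordered (timestamp_s, path, before_bytes, after_bytes) tuples.

    Returns a list of alerts (timestamp, rewrites_in_window, distinct_directories).
    A single archive or encrypted file being saved never trips it; a burst does.
    """
    window = deque()
    alerts = []
    for ts, path, before, after in events:
        if not looks_encrypted(before, after):
            continue
        window.append((ts, os.path.dirname(path)))
        # Drop rewrites that fell out of the sliding window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            alerts.append((ts, len(window), len({d for _, d in window})))
            window.clear()  # one alert per burst, not one per file
    return alerts


def build_sample_events():
    """Constructed sample: normal edits, one archive save, then a mass rewrite."""
    rng = Random(2021)  # fixed seed so the demo is deterministic

    def random_blob() -> bytes:
        # Stand-in for ciphertext: pseudo-random bytes, entropy close to 8 bits/byte.
        return bytes(rng.getrandbits(8) for _ in range(2048))

    plaintext = b"Quarterly report, section 3: revenue was flat.\n" * 40
    events = []
    # Ordinary document edits: plaintext replaced by plaintext, ignored by the detector.
    for i in range(10):
        events.append((float(i), f"/shares/finance/doc{i}.txt", plaintext, plaintext + b"edit\n"))
    # One user saves a compressed archive: high entropy, but a single file, so no alert.
    events.append((50.0, "/shares/finance/archive.zip", plaintext, random_blob()))
    # Mass in-place encryption across three directories: 30 files in 15 seconds.
    dirs = ["/shares/finance", "/shares/hr", "/shares/engineering"]
    for i in range(30):
        path = f"{dirs[i % 3]}/file{i}.docx"
        events.append((100.0 + 0.5 * i, path, plaintext, random_blob()))
    return events


if __name__ == "__main__":
    for ts, count, ndirs in detect_bursts(build_sample_events()):
        print(f"t={ts:.1f}s: {count} high-entropy rewrites across {ndirs} directories")
```

Two design points matter here. Entropy alone is not enough, since every saved archive or image is high-entropy, so the detector requires a plaintext-to-ciphertext transition in a single write and only alerts on a burst of them. Counting distinct directories in the alert is what separates a bulk rewrite of one user's folder from the cross-share spread the article describes.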
Since 2020 the Conti group has attacked high-profile targets, and the attacks have been so disruptive that governments have offered cash rewards for information on the group's members and their operation.
In early May 2021, the city of Tulsa was hit by a wide-reaching Conti ransomware attack. Several city networks were affected, leaving residents unable to use email-based services or online payment services.
When city officials refused to meet Conti's demands, the group released about 18,000 files, mostly police citations, on the dark web. While the citations held little incriminating material, the personal details they contain are exactly what fraudsters need for identity theft and online fraud.
May 2021 was an active month for the Conti group: on 14 May it hit Ireland's publicly funded healthcare system, the Health Service Executive (HSE), and demanded a ransom of twenty million dollars. In correspondence with an HSE official, the Conti operators claimed to have been inside the HSE's systems for two weeks and to have stolen over 720 GB of data.
In response, the HSE shut down its IT systems and brought in security partners to remove Conti from them. The shutdown caused significant disruption across the health service and slowed patient care considerably.
The ARMattack campaign, by contrast, was not a single intrusion but a series of ransomware attacks on more than 40 organizations between 17 November and 20 December 2021. Named after the domain that revealed part of Wizard Spider's infrastructure, the campaign mostly targeted US-based companies.
The attackers did not seem to discriminate between targets, which ranged from government sites to gambling and manufacturing companies. How many of the 40-plus victims paid is unknown, but the campaign revealed more about the gang: most members appear to be active for around 14 hours a day, and they closely track every new Windows update looking for ways to bypass security measures.
Preventing Conti ransomware, or any ransomware, requires a combination of controls. Here's what you can do to prevent a ransomware attack.
In the opening days of Russia's invasion of Ukraine, the Conti group publicly declared its support for the Russian government. In response, a Ukrainian security researcher who had infiltrated the group leaked over 150,000 internal messages. The messages were a treasure trove for law enforcement and a devastating blow to the gang, and shortly after the leak the Conti site officially closed its doors for business.
The respite didn't last. It soon became apparent that the closure announcement was mainly an attempt to throw off the security researchers trying to track the group's members down. While the Conti brand is technically dead, most experts agree that the original organization split into several smaller cells so that a single law-enforcement takedown could not stop the whole operation.