
Conti is a ransomware gang that has managed to wreak havoc on many organizations within just a short time. After first appearing in media headlines as recently as 2019, Conti has been behind several high-profile ransomware incidents. This article analyses Conti’s operations, its specific ransomware strain, and several high-profile attacks carried out by the gang that uses Conti.

Conti: Operations and Ransomware Analysis

Similar to REvil, Conti operates a ransomware as a service (RaaS) model. The gang speaks Russian, and it’s believed to run operations from St. Petersburg. The slight divergence in Conti’s business model from traditional RaaS models is that affiliates using its ransomware strains receive a wage rather than a percentage commission from a successful attack. This operational structure has been confirmed in an advisory published by CISA, the FBI, and NSA.

Rapid encryption and evasive evolution both define Conti ransomware strains. The iterative approach makes each strain more effective and harder to detect over time. Because of the RaaS business model the gang uses, its developers can concentrate most of their effort on updating the ransomware itself. Initial entry points into networks come from malicious emails, exploitation of weak or stolen Remote Desktop Protocol (RDP) credentials, and targeting of common unpatched software vulnerabilities.

The Conti gang doesn’t seem to have any concern for its reputation among victims. There have been instances of affected organizations paying ransoms only to not receive encryption keys or not get their data back. The prevailing advice to avoid paying ransoms seems to be particularly pertinent in the case of Conti’s ruthless approach.

The gang behind Conti ransomware uses the increasingly popular double extortion technique in its attacks. Not content with just encrypting critical systems, the attackers first exfiltrate data so that victims can’t rely solely on a functioning backup and recovery strategy to recover from the ransomware. After exfiltrating data, the perpetrators behind Conti ransomware attacks then demand a payment to prevent that data from being published on the gang’s dark web data leak site.

High-Profile Conti Attacks

JVCKenwood: October 2021

The most recent high-profile victim of a Conti ransomware attack was Japanese multinational electronics company JVCKenwood. According to reports, the gang managed to exfiltrate around 1.5 terabytes of data from JVCKenwood’s IT network. The exfiltrated data included sensitive information about the company’s employees, including phone numbers, contact details, and payroll information.

Conti set its ransom demand at $7 million for this attack. The threat actors used a scanned copy of an employee’s passport as proof of the data they had exfiltrated from the network. As of the time of writing, it appears that JVCKenwood will refuse to cave in to the ransom demands set by Conti.

HSE, Ireland: May 2021

In an attack that sent shockwaves across the information security world and the wider general public, Ireland’s public health system became the victim of a severe Conti ransomware attack in May 2021. Conducted at the height of Covid-19 with Ireland’s fragile health system struggling to cope with hospital surges, the attack on the HSE served as a terrifying example of the gang’s ruthless nature.

In an unexpected move, Conti provided a decryption tool to the HSE free of charge a couple of weeks after the attack. Whether this represented some sort of conscience on the gang’s part in light of the global pandemic remains unclear. Even after providing the tool, Conti still demanded a ransom to prevent the stolen confidential health data from being published online. A full six months after the incident, the knock-on effects were still being felt by the HSE.

Broward County Public Schools: March 2021

In another attack exemplifying Conti’s intentions to disrupt important public infrastructure and services, Broward County Public Schools in Florida became the latest victim of the gang’s operations in March 2021. The ransomware attack resulted in a shutdown of the school district’s IT systems.

Negotiations with the perpetrators led to a substantial $40 million ransom demand. Broward County School District refused to pay up, which led to the publication of 26,000 files on the dark web. The published files contained financial and accounting details; however, no personally identifiable student or employee data appears to have been breached.

SEPA, Scotland: December 2019

On Christmas Eve 2019, a BBC news story revealed details of a significant cyber attack on the Scottish Environment Protection Agency (SEPA). The environmental regulator experienced significant disruptions to its core communication systems in the immediate aftermath of the attack. Conti swiftly claimed responsibility for this incident and demanded a ransom payment to decrypt affected systems and return stolen data.

SEPA refused to negotiate on any ransom payment, which led to stolen data being published online less than a month later. The publicly disclosed data included sensitive information about staff and suppliers. The impact on SEPA was such that the regulator’s chief executive Terry A'Hearn said it could take a year or two to fully restore all systems.

Defending Against Phishing

By far the most common initial attack vectors in Conti’s ransomware attacks are phishing emails. These emails persuade people to download malicious attachments or click links that install remote access software on their devices.

Often, Conti’s phishing methods are highly targeted spear-phishing campaigns that leverage information about specific employees found on social platforms such as Twitter and LinkedIn. Using information gleaned about their targets, adversaries can write convincing emails that increase the likelihood that recipients will be fooled.

Employee security awareness training can point out the signs of phishing, but awareness is not enough. Organizations need a dedicated anti-phishing email security solution that can flag and sandbox emails with suspicious links and attachments. Ideally, an email security solution equipped to combat modern phishing campaigns should have AI-driven self-learning capabilities for improved detection.
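As an added illustration of the kind of triage such a solution automates (example code written for this page, not IRONSCALES' product or any code from the article), the following Python script parses a constructed sample message and holds it for sandboxing when an attachment carries a risky extension or a link's visible text names a different host than its actual target. The extension list, the sample message and the `triage` function name are assumptions.

```python
import os
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Attachment extensions commonly abused to deliver loaders; this list is an assumption, not from the article.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".iso", ".zip", ".docm", ".xlsm"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$')

# Constructed sample lure: the visible link text names one host while the href points elsewhere,
# and a macro-enabled document is attached.
SAMPLE_EML = """\
From: accounts <accounts@example.com>
Subject: Updated invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review: <a href="http://invoice-update.example.net/open">https://portal.example.com/invoices</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

PK
--b1--
"""

def link_mismatches(html):
    """Return (visible_text, href) pairs where the link text looks like a URL but names a different host than the href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        shown = DOMAIN_RE.match(text.strip())   # only compare when the visible text itself looks like a URL
        real = urlparse(href).hostname
        if shown and real and shown.group(1).lower() != real.lower():
            out.append((text.strip(), href))
    return out

def risky_attachments(msg):
    # Filenames come from Content-Disposition; the extension decides whether the part is flagged.
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and os.path.splitext(p.get_filename().lower())[1] in RISKY_EXTENSIONS]

def triage(raw):
    """Parse one raw RFC 5322 message and decide whether it should be held for sandboxing."""
    msg = message_from_string(raw, policy=default)
    links = [m for p in msg.walk() if p.get_content_type() == "text/html" for m in link_mismatches(p.get_content())]
    atts = risky_attachments(msg)
    return {"risky_attachments": atts, "link_mismatches": links, "quarantine": bool(atts or links)}
```

Running `triage(SAMPLE_EML)` flags both the mismatched link and the `.docm` attachment; a message with neither returns `quarantine: False`.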

With an adequate level of defense against phishing, your organization stands a far better chance of thwarting attacks instigated by Conti, or any other ransomware gang.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.

IRONSCALES
Post by IRONSCALES
October 19, 2021