A new report from security firm Group-IB is bringing the full scope of the Conti group’s ransomware attacks into focus, revealing that the threat actors have hit 850 companies in two years and are compromising as many as 40 per month.
Conti has become one of the world’s most prominent ransomware groups, and has managed to continually operate since late 2019 as other major players in the scene have emerged and subsequently been broken up during their run. The group ranges broadly across the world in its attacks and has developed a reputation for almost never taking a day off, running a professional operation that consistently puts in 14 hours a day even on weekends.
Conti ransomware group finds success with corporate structure, unique tools
Conti is able to breeze through ransomware attacks in as little as three days thanks to a polished setup that has been years in the making: custom ransomware and tools, a disciplined working schedule that runs seven days a week, partnerships with other prominent ransomware groups and a business-like structure.
The first formal recording of Conti ransomware attacks took place in early 2020, but security researchers believe the group was first active (at least with testing of its malware) in late 2019. The group quickly surged to prominence as it leaked the data of 173 victims through its dark web portal in 2020, then more than tripled that tally in 2021 with 530 victims. Conti is on pace to match this total in 2022 with 156 victims through April. These numbers are considered a low estimate given that they are based solely on victims that refused to pay up and had their data leaked in response; they do not include companies that quietly paid the ransom without any public notice.
One of Conti’s most bountiful periods was from late November to late December 2021, a period that the researchers called “ARMattack.” The group hit at least 40 companies during the holiday shopping period, a time of year in which cybercrime predictably ramps up. The distribution reflects Conti’s general geographic preferences for ransomware attacks: a smattering throughout the world, particularly in Europe, but the bulk of the attacks (37% in this case) are directed at companies in the United States.
Conti also distributes its ransomware attacks fairly broadly across industry types, but some slight preferences are shown here: manufacturing, real estate, logistics and professional services have all been targeted somewhat more than other sectors.
Conti is also highly disciplined, both in how it handles the attacks affiliates initiate and how it handles its own internal affairs. Conti ransomware attacks uniformly involve the group rifling through select company documents looking for information on what kind of entity it has on its hands, and any available passwords that might be used for privilege escalation. The group spreads as far and as high as it can into the target network before it deploys ransomware, looking to hit as many devices as possible.
Nick Sanna, CEO of Risklens, points out that this is information that should prompt a change in thinking about how organizations handle ransomware: “Businesses need to understand that ransomware is not an IT event, it’s a whole-organization event and it is now an absolute requirement that companies perform a cost-benefit analysis of all the probable impacts, from business interruption to pay vs. not-pay on ransomware – well in advance of an attack. That requires a systematic, quantitative risk analysis in financial terms, based on solid data and rigorous modeling.”
Ransomware attacks only put on pause for one day each year
The group’s internal structure is extremely businesslike, even including a “human resources” department (which tracks and rewards “employee” performance and distributes piecework out to temporary contractors) and a research & development team that works on its tools. Regular members are paid a fixed salary, and the operation has enough staff to run 14 hours a day, seven days a week (only taking New Year’s Eve off as a holiday break). Work hours resemble those of a restaurant more than a typical corporation, however, beginning around noon and maintaining peak activity until around 9 PM.
These hours are also based on Russian time zones. It has long been no secret that Conti is based primarily in Russia. Russian companies are never attacked, and an early 2022 internal document leak (which also provided much of the information on the group’s business structure) revealed that some key members of the group felt they should “patriotically” support Russia in its invasion of Ukraine.
At the time, Conti was also sitting on over a billion dollars’ worth of accumulated Bitcoin stored in various digital wallets. A portion of its spoils goes to the development of its own tools and code, something that helps it to evade automated cyber defenses that draw on patterns observed in prior ransomware attacks. The group also has staff assigned to carefully scrutinize both newly published vulnerabilities and updates to Windows that might hamper its ransomware attacks; it also fields several specialists who attempt to tease out zero-day vulnerabilities in various software.
In spite of strides in taking down some major operators, Group-IB’s report indicates that the amount of money flowing from ransomware attacks has created a fully fledged industry that is entrenched and does not plan on going anywhere. Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, points out that some organizations are stuck in a badly outdated view of the hackers that are attempting to breach their systems and will remain chronically unprepared until they update their vision: “I think that maybe the most pervasive problem in cybersecurity today is that most organizations simply don’t understand what they are up against.
Ransomware gangs like Conti and Lockbit aren’t bored, angsty teenagers at home playing around with hacking (although the stunning success of the teenage-led LAPSUS$ group suggests many organizations aren’t even up to that challenge). Instead, these threat actors are professional and highly organized operations that invest millions of dollars into hiring talented hackers, providing cutting-edge offensive training, and buying or developing potent zero-day exploits. Against this level of threat, far too few companies are equipped to defend themselves from compromise. The odds are analogous to someone who takes a self-defense course once a year stepping into the ring with a professional MMA fighter.”
Erich Kron, Security Awareness Advocate for KnowBe4, echoed these thoughts: “The success of the Conti group shows just how well organized and formidable modern cybercriminals are. These aren’t just kids in their parents’ basement drinking Mountain Dew and eating pizza; they are well-disciplined and organized groups. The Ransomware-as-a-Service (RaaS) model continues to show how the maturity of the cybercrime industry has evolved and continues to be the catalyst behind so many recent successful attacks, proving its viability. Since Conti affiliates, like so many others in the ransomware game, lean heavily on phishing emails to gain initial network access, organizations would be wise to dedicate some resources to defending against this threat. This means ensuring they have email filters deployed and monitored, and that employees are trained on a regular basis to spot and report phishing attacks. The addition of simulated phishing attacks can help employees improve their skills through practice, making it a key part of the training program. In addition to employee education, Data Loss Prevention (DLP) controls are an important part of ransomware defense and detection. Stopping the exfiltration of data can significantly reduce the amount of leverage these bad actors have over organizations by eliminating the threat of data exposure.”
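The DLP point in the quote above, that spotting and stopping bulk data exfiltration removes the double-extortion leverage, can be illustrated with a simple egress-volume check. The following is an added example and is not code from Group-IB, KnowBe4 or any other party named in the article; the log format, host names, destinations, byte counts, baselines and thresholds are all constructed assumptions for illustration.

```python
"""Egress-volume spike detector: a minimal DLP-style check run over
constructed outbound proxy/flow log lines. Added illustration only; the
log layout, hosts, destinations and thresholds below are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one record per line:
# "<ISO timestamp> <source host> <destination> <bytes sent>"
# ws-fin-07 sends ~1.5 GB to a single external address late in the evening,
# while ws-hr-02 sends only a normal trickle.
SAMPLE_LOG = """\
2021-12-01T13:05:10 ws-fin-07 cdn.example.net 48213
2021-12-01T13:07:42 ws-fin-07 mail.example.com 120440
2021-12-01T13:10:03 ws-hr-02 cdn.example.net 30120
2021-12-01T21:15:31 ws-fin-07 203.0.113.45 734003200
2021-12-01T21:20:08 ws-fin-07 203.0.113.45 812345600
2021-12-01T22:02:19 ws-hr-02 203.0.113.45 1048576
"""

# Assumed per-host "typical daily bytes out", as a baseline would be learned
# from prior observation; these values are constructed for the example.
BASELINE_BYTES = {"ws-fin-07": 50_000_000, "ws-hr-02": 20_000_000}


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, dest, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return records


def bytes_out_per_host(records):
    """Sum outbound bytes per source host."""
    totals = defaultdict(int)
    for _, host, _, nbytes in records:
        totals[host] += nbytes
    return dict(totals)


def flag_exfil_candidates(records, baseline_bytes, multiplier=10.0,
                          floor_bytes=100 * 1024 * 1024):
    """Return hosts whose outbound total exceeds BOTH an absolute floor and
    multiplier x the host's baseline. The floor keeps small hosts with a tiny
    baseline from alerting on trivial volume; the multiplier catches hosts
    whose volume is far outside their own norm. Each flagged entry also lists
    the destinations involved so an analyst can see where the data went."""
    totals = bytes_out_per_host(records)
    flagged = {}
    for host, total in totals.items():
        base = baseline_bytes.get(host, 0)
        if total >= floor_bytes and total > multiplier * base:
            flagged[host] = {
                "bytes_out": total,
                "baseline": base,
                "destinations": sorted({d for _, h, d, _ in records if h == host}),
            }
    return flagged


def run_sample():
    """Run the detector over the constructed sample."""
    return flag_exfil_candidates(parse_log(SAMPLE_LOG), BASELINE_BYTES)


if __name__ == "__main__":
    for host, info in run_sample().items():
        print(f"{host}: {info['bytes_out']} bytes out "
              f"(baseline {info['baseline']}) to {info['destinations']}")
```

Only ws-fin-07 is flagged: its roughly 1.5 GB total is both above the 100 MiB floor and more than ten times its assumed baseline, while ws-hr-02 stays under the floor. In practice the same two-sided threshold (absolute floor plus a per-host ratio) is what keeps a volume-based rule from drowning in alerts for legitimately chatty servers while still catching a workstation that suddenly pushes gigabytes to one external address.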