Conti (ransomware)

Conti is ransomware that has been observed since 2020 and is believed to be distributed by a Russia-based group. All versions of Microsoft Windows are known to be affected. In May 2022 the United States government offered a reward of up to $10 million for information on the identity or location of the group's leaders.


Threat details

The software uses its own implementation of AES-256 that runs on up to 32 logical threads, making it much faster than most ransomware. The method of delivery is not clear. Since 2020 the gang behind Conti has operated a leak site on which it publishes documents copied from victims' systems by the ransomware. The same gang has operated the Ryuk ransomware. The group is known as Wizard Spider and is based in Saint Petersburg, Russia.


Behaviour

Once on a system, it tries to delete Volume Shadow Copies. It tries to terminate a number of services using the Windows Restart Manager so that it can encrypt files those services hold open. It disables real-time monitoring and uninstalls the Windows Defender application. The default behaviour is to encrypt all files on local drives and on networked Server Message Block (SMB) shares, skipping files with .dll, .exe, .sys and .lnk extensions. It can also be directed at specific drives or at individual IP addresses.
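The shadow-copy deletion and Defender tampering described above happen before any file is encrypted, so they are the point at which a defender can still act. The following Python is an added example, not code from this article or from Conti, of detection logic run over constructed process-creation records (in the shape of a Sysmon event 1 export as JSON lines). The command-line patterns it matches are common ways these actions appear on Windows and are assumptions made for the example, not indicators taken from the article or from Conti samples; the host names and records are constructed.

```python
"""Added example: flag process-creation records showing shadow-copy deletion
and Windows Defender tampering, then correlate both on one host.
Not Conti's code and not a vendor rule; patterns and sample data are
assumptions constructed for this example."""
import json
import re
from collections import defaultdict

# Assumed command-line forms of the two behaviours. Generic to Windows;
# not quoted from the article or from any Conti sample.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
        re.compile(r"Win32_ShadowCopy\b.*\bDelete\(\)", re.I),
    ],
    "defender_tampering": [
        re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
        re.compile(r"Uninstall-WindowsFeature\b.*Windows-Defender", re.I),
        re.compile(r"DisableAntiSpyware\b.*/d\s+1\b", re.I),
    ],
}


def classify(command_line):
    """Names of every rule whose patterns match the given command line."""
    return [name for name, pats in RULES.items()
            if any(p.search(command_line) for p in pats)]


def scan(json_lines):
    """Scan JSON-lines process-creation records; return one hit per matched rule."""
    hits = []
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        cmd = rec.get("CommandLine", "")
        for rule in classify(cmd):
            hits.append({
                "rule": rule,
                "host": rec.get("Computer", "?"),
                "image": rec.get("Image", "?"),
                "parent": rec.get("ParentImage", "?"),
                "command_line": cmd,
            })
    return hits


def hosts_with_both(hits):
    """Hosts where backups were destroyed AND real-time protection was
    disabled: the combination that immediately precedes encryption."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["rule"])
    return sorted(host for host, rules in seen.items() if rules >= set(RULES))


# Constructed sample records (not real telemetry). Host names, paths and
# parent processes are invented for the example.
SAMPLE_LOG = r'''
{"Computer": "FS01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"Computer": "FS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\setup.exe", "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}
{"Computer": "WS17", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic shadowcopy delete"}
{"Computer": "WS22", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "vssadmin.exe list shadows"}
{"Computer": "WS22", "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}
'''.strip().splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['rule']:22} {h['host']:6} parent={h['parent']}  {h['command_line']}")
    print("hosts with both behaviours:", hosts_with_both(found))
```

Both rules fire on FS01 and only the shadow-copy rule on WS17; the read-only `vssadmin list shadows` on WS22 is ignored. Legitimate backup agents also delete or resize shadow copies, so in production the parent image (here a binary in a user's Temp directory) is the field to triage on, and the two-behaviour correlation is the signal worth paging for.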


Remediation

According to NHS Digital, the only guaranteed way to recover is to restore all affected files from their most recent backup.


Leaks

During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country. In response, an anonymous person who indicated their support for Ukraine leaked approximately 60,000 messages from the group's internal chat logs, along with source code and other files used by the group. The leaked messages cover the period from the start of 2020 to 27 February 2022. Most of them are direct messages sent via Jabber; attacks were coordinated using Rocket.Chat. The leaks are fragmented. Some of the messages discuss the actions of Cozy Bear in hacking researchers working on COVID-19. Kimberly Goody, director of cybercrime analysis at Mandiant, says that the logs contain references to an unnamed external source that could be helpful to the gang. She points to mentions in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government. Views expressed in the leaks include support for Vladimir Putin and Vladimir Zhirinovsky, and antisemitism (including towards Volodymyr Zelenskyy). A member known as Patrick repeated several false claims made by Putin about Ukraine; Patrick lives in Australia and may be a Russian citizen. Some messages show an obsession with Brian Krebs. The messages make heavy use of mat (Russian profanity). Messages containing homophobia, misogyny and references to child abuse were also found.


Dissolution

In the weeks following the leak, the group dissolved. A report from Recorded Future said that it did not consider the leak a direct cause of the dissolution, but that it had accelerated tensions that already existed within the group.


Membership and structure

The most senior member is known by the aliases Stern or Demon and acts as CEO. Another member, known as Mango, acts as a general manager and frequently communicates with Stern. Mango told Stern in one message that there were 62 people in the main team. The numbers involved fluctuate, reaching as high as 100. Because of constant turnover in members, the group recruits continuously from legitimate job recruitment sites and from hacker sites. Ordinary programmers earn around $1,500 to $2,000 per month, and members negotiating ransom payments can take a share of the profits. In April 2021 one member claimed to be working with an unnamed journalist who took a 5% share of ransomware payments in return for pressuring victims to pay up. In May 2022, the United States government offered a reward of up to $15 million for information on the group: $10 million for the identity or location of its leaders, and $5 million for information leading to the arrest of anyone conspiring with it.


Research

VMware Carbon Black has published a technical report on the ransomware.


Known targets

* Scottish Environment Protection Agency
* Fat Face
* Health Service Executive in the Republic of Ireland
* Waikato District Health Board in New Zealand
* Shutterfly
* KP Snacks
* Nordic Choice Hotels

