The Conti ransomware is not especially old: it first appeared in May 2020, then vanished, and has now returned with more stealth-oriented attacks. Since its disappearance, Conti has undergone several iterations. It has been developed rapidly since its discovery and is known for the speed with which it encrypts and deploys across a target system.
Conti is a human-operated “double extortion” ransomware that steals data and threatens to expose it, as well as encrypting it. Attacks by this malware are particularly damaging because of the speed with which it encrypts data and spreads to other systems. It has been reported that in the previous attack scenario, all versions of Microsoft Windows were known to be affected by this ransomware.
A cyber attack involving Conti differs from a conventional ransomware attack, although the malware’s means of distribution has remained unchanged throughout its evolution. The attacker plans a targeted attack in which they send a phishing email purporting to originate from a sender the victim trusts. This email typically contains a link to a Google Drive document that carries the payload. The victim, believing the link is legitimate because it comes from a trusted sender, downloads the document using the link. This in turn downloads the Bazar backdoor malware, which connects the victim’s device to Conti’s command-and-control server.
Subsequently, Conti encrypts the data on the victim’s machine. This ransomware is unusual in that, alongside encryption, it also uses a double-extortion technique. First, it demands a ransom in exchange for the decryption key. Second, the attacker releases only a portion of the stolen data, along with a threat to release more if the ransom is not paid.
Unlike other ransomware, in addition to encrypting data, Conti uses a multithreading technique that allows it to spread quickly once it infects a network, making it difficult to stop. The ransomware also spreads to other systems via Server Message Block (SMB), allowing it to encrypt files on other hosts within the network.
Preventive action should follow the same cyber hygiene advice that applies to any ransomware attack. The first step in preventing any type of ransomware attack is early detection of its indicators. With specific reference to Conti, users should also shut down the affected system and ensure that the infection is not allowed to spread into the enterprise network. It is also pertinent that internet-facing Remote Desktop Protocol (RDP) services are turned off where possible. It is better to use a Virtual Private Network (VPN) and to ensure that vital assets sit behind the VPN termination server. For a security administrator in an enterprise, a multi-layered deployment of security infrastructure will provide a greater degree of protection. Good incident response management in a small or medium enterprise will also help ensure security against such attacks.