The Conti ransomware gang is one of the most ruthless of its type. Beginning in early 2020, it has attacked organizations where the loss of data can have life-threatening consequences, including emergency medical services, hospitals, law enforcement agencies and 911 dispatch carriers. Ireland is still recovering from a Conti attack in May 2021 that resulted in the shutdown of that country’s healthcare network after it refused to pay the ransom. This attack caused delays in COVID-19 testing, X-rays and other health services.
The FBI has connected Conti with over 400 attacks throughout the world, including over 300 in the US. Conti’s ransom demands have reached $25 million, making it one of the most ambitious ransomware gangs in the world.
Conti is one of the many cyber crime groups that have sprung up in the last year. Its operations are based on the growing ransomware-as-a-service (RaaS) ecosystem and often gains access to its victims’ networks by purchasing it from other thread actors. Conti can also procure other resources from RaaS providers, including infrastructure, malware, money laundering services and communications tools. Conti also uses the same methods as other ransomware gangs to directly access the systems of its victims, which include the exploitation of unprotected applications and the lack of multi-factor authentication (MFA). In addition, Conti uses tools such as Cobalt Strike and PowerShell to preserve and enhance the initial access to a system.
Conti’s methodology isn’t technically sophisticated, although it’s often effective. It typically uses the “double extortion” approach, which is becoming increasingly popular among ransomware groups. The first part of extortion in this method is to prevent the victim from accessing their data until the ransom is paid. The second part is to publish that data if the ransom demand isn’t met.
This portion of Conti’s methodology is shared by many ransomware gangs, but it also has some atypical elements. For example, most successful ransomware groups expend a great deal of effort in maintaining their reputation by keeping their promises to victims, presumably for the purpose of improving the chances of a ransom payment. However, Conti doesn’t appear to care about its reputation, as it has frequently failed to keep its promises to victims.
The frequency of ransomware attacks has been increasing rapidly, particularly in the last couple of years. This is primarily due to the current effectiveness of the double extortion approach, although technological developments that facilitate the deployment of ransomware is also a contributing factor. Conti is part of the latest trend in ransomware attacks, in which the chances of the victim receiving their data is highly uncertain. As a result, the FBI strongly urges victims not to pay the ransom.
While ransomware gangs have traditionally attacked any vulnerable system they can find, Conti performs extensive research when selecting its targets. The main criteria appear to be organizations with liquid capital and those that provide critical services.
In one recent case, Conti only returned a small portion of the data before severing contact with the victim. In another case, the client needed an inventory of the files that had been stolen, so it could notify the affected users. Conti members initially agreed to provide this information, but later claimed that the data had been deleted with no hope of restoration.
Conti is constantly modifying its methods in response to changes in victim behavior. These changes include the increased likelihood of victims notifying law enforcement and the passage of legislation designed to impose greater penalties on ransomware attackers.