Conti is a strain of ransomware that has been observed since 2020 and is believed to be distributed by a Russia-based group. All versions of Microsoft Windows are known to be affected. The United States government offered a reward of up to $10 million for information on the group in early May of 2022.
Threat details
The software uses its own implementation of AES-256 that runs up to 32 logical threads in parallel, making it much faster than most ransomware. The method of delivery is not clear. Since 2020 the gang behind Conti has operated a leak site on which it publishes documents exfiltrated by the ransomware. The same gang has operated the Ryuk ransomware. The group is known as Wizard Spider and is based in Saint Petersburg, Russia.
Behaviour
Once on a system, it will try to delete Volume Shadow Copies. It will try to terminate a number of services using Restart Manager so that it can encrypt files held open by them. It will disable real-time monitoring and uninstall the Windows Defender application. Default behaviour is to encrypt all files on local and networked Server Message Block (SMB) drives, ignoring files with .dll, .exe, .sys and .lnk extensions. It is also able to target specific drives as well as individual IP addresses.
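Two of the behaviours described above, shadow copy deletion and the disabling of Windows Defender real-time monitoring, are visible in process-creation telemetry before any file is encrypted, which makes them useful early-warning signals. The following is an added example written for this page, not code from the article or from any vendor product: it matches constructed process-creation events against one rule per behaviour and escalates a host on which both occur within a short window. The event schema, host names, timestamps and the `detect` helper are assumptions made for the illustration; Restart Manager use and the encryption itself are not covered, since they do not show up as command lines.

```python
"""Added example (not from the article): flag the pre-encryption behaviours
the article attributes to Conti in constructed process-creation events and
correlate them per host.  Schema, hosts and timestamps are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# One rule per behaviour named in the article; each is a case-insensitive
# regex over the process command line, tolerant of .exe suffixes and spacing.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|"
        r"wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.IGNORECASE),
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b",
        re.IGNORECASE),
}

# Constructed sample events in an assumed normalised JSON-lines shape
# (think Sysmon event 1 / Security 4688 after SIEM parsing).  Benign lines
# are included so the rules have to discriminate, not just match "vssadmin".
SAMPLE_EVENTS = [
    '{"ts": "2022-05-01T10:00:05", "host": "ws-17", "user": "alice", '
    '"cmdline": "notepad.exe report.txt"}',
    '{"ts": "2022-05-01T10:01:12", "host": "ws-17", "user": "alice", '
    '"cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"}',
    '{"ts": "2022-05-01T10:02:40", "host": "ws-17", "user": "alice", '
    '"cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}',
    '{"ts": "2022-05-01T10:03:00", "host": "srv-backup", "user": "svc_bkp", '
    '"cmdline": "vssadmin.exe list shadows"}',
    '{"ts": "2022-05-01T14:30:00", "host": "ws-22", "user": "bob", '
    '"cmdline": "wmic shadowcopy delete"}',
]

Hit = Tuple[str, datetime, str, str]  # host, timestamp, rule, command line


def parse_event(line: str) -> dict:
    """Parse one JSON event line and convert its ISO timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(lines: List[str], window: timedelta = timedelta(minutes=10)
           ) -> Tuple[List[Hit], Dict[str, List[str]]]:
    """Return (all hits, hosts escalated).  A host is escalated when two
    distinct behaviours fire within `window` of each other; single hits are
    still returned so an analyst can review them."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev["cmdline"]):
            hits.append((ev["host"], ev["ts"], rule, ev["cmdline"]))
    hits.sort(key=lambda h: h[1])

    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for host, ts, rule, _ in hits:
        by_host[host].append((ts, rule))

    escalated: Dict[str, List[str]] = {}
    for host, seq in by_host.items():
        rules_in_window = set()
        for i, (t1, r1) in enumerate(seq):
            for t2, r2 in seq[i + 1:]:
                if r2 != r1 and t2 - t1 <= window:
                    rules_in_window.update((r1, r2))
        if rules_in_window:
            escalated[host] = sorted(rules_in_window)
    return hits, escalated


if __name__ == "__main__":
    all_hits, esc = detect(SAMPLE_EVENTS)
    for host, ts, rule, cmd in all_hits:
        print(f"{ts.isoformat()} {host:<10} {rule:<28} {cmd}")
    for host, rules in esc.items():
        print(f"ESCALATE {host}: {', '.join(rules)}")
```

On the constructed input, `ws-17` is escalated because Defender is switched off and shadow copies are deleted within two minutes, while the backup server's `vssadmin list shadows` and the lone `wmic` hit on `ws-22` are reported but not escalated; the window and the two-signal threshold are the tuning knobs.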
Remediation
According to NHS Digital, the only guaranteed way to recover is to restore all affected files from their most recent backup.
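Restoring from backup is only complete once every restored file has been checked against a known-good record, otherwise a file that is still encrypted, partially written or simply absent can go unnoticed until it is needed. The following is an added example written for this page, not code from the article or from NHS Digital: it builds a hash manifest of a backup set, then compares the restored tree against it and reports intact, altered, missing and unexpected files. The manifest format, the temporary directories and the sample file contents are assumptions constructed for the illustration.

```python
"""Added example (not from the article): verify a restore against a
sha256 manifest taken from the backup set.  Layout and sample data are
assumptions."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large restores do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Walk `root` and record relative path -> sha256.  Run this against
    the backup set (or keep it with the backup) before restoring."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_restore(manifest: Dict[str, str], root: str) -> Dict[str, List[str]]:
    """Compare the restored tree under `root` with the manifest.
    'mismatch' catches files that came back with different content (for
    example still encrypted), 'missing' files that were not restored, and
    'unexpected' files present on disk that the backup never contained."""
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_of(full) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(build_manifest(root)) - set(manifest))
    return report


def _write_tree(root: str, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a three-file backup set, then a restore in which
    one file came back with altered content, one did not come back at all,
    and a stray file appeared that the backup never held."""
    backup_set = {"docs/a.txt": b"quarterly report",
                  "docs/b.txt": b"invoice 42",
                  "notes.txt": b"hello"}
    restored_set = {"docs/a.txt": b"quarterly report",
                    "docs/b.txt": b"\x00\x01garbage",   # altered content
                    "readme.txt": b"stray"}             # not in the backup
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as restored:
        _write_tree(backup, backup_set)
        manifest = build_manifest(backup)
        _write_tree(restored, restored_set)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:<10} {paths}")
```

In practice the manifest is produced when the backup is taken and stored alongside it, so that the comparison after restore is against a record that predates the incident.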
Leaks
During the 2022 Russian invasion of Ukraine, Conti Group announced its support of Russia and threatened to deploy "retaliatory measures" if cyberattacks were launched against the country. As a result, approximately 60,000 messages from internal chat logs were leaked by an anonymous person who indicated their support for Ukraine, along with source code and other files used by the group. The leaks cover the period from the start of 2020 to February 27, 2022 and consist of more than 60,000 chat messages. Most leaked messages were direct messages sent via Jabber. Attacks were coordinated using Rocket.Chat. The leaks are fragmented.
Some of the messages discuss the actions of Cozy Bear in hacking COVID-19 researchers. Kimberly Goody, director of cybercrime analysis at Mandiant, says that the logs contain references to an unnamed external source that could be helpful to the gang. She points to mentions in the leaks of Liteyny Avenue in Saint Petersburg, home to local FSB offices, as evidence that the external source could be the Russian government.
Views expressed in the leaks include support for Vladimir Putin and Vladimir Zhirinovsky, and antisemitism (including towards Volodymyr Zelenskyy). A member known as Patrick repeated several false claims made by Putin about Ukraine. Patrick lives in Australia and may be a Russian citizen. Some messages show an obsession with Brian Krebs. The messages use mat (Russian profanity) heavily. Messages containing homophobia and misogyny, and references to child abuse, were also found.
Dissolution
In the weeks following the leak, the group dissolved. A report from Recorded Future said that it did not consider the leak a direct cause of the dissolution, but that the leak had accelerated already existing tensions within the group.
Membership and structure
The most senior member is known by the aliases Stern or Demon and acts as CEO. Another member known as Mango acts as a general manager and frequently communicates with Stern. Mango told Stern in one message that there were 62 people in the main team. The numbers involved fluctuate, reaching as high as 100. Because of constant turnover in members, the group recruits constantly from legitimate job recruitment sites and hacker sites.
Ordinary programmers earn around $1,500 to $2,000 per month, and members negotiating ransom payments can take a share of the profits. In April 2021 one member claimed to have an unnamed journalist working with them who took a 5% share of ransomware payments by pressuring victims to pay up.
In May 2022, the United States government offered a reward of up to $15 million for information on the group: $10 million for the identity or location of its leaders, and $5 million for information leading to the arrest of anyone conspiring with it.
Research
VMware Carbon Black has published a technical report on the ransomware.
Known targets
*Scottish Environment Protection Agency
*Fat Face
*Health Service Executive in the Republic of Ireland
*Waikato District Health Board in New Zealand
*Shutterfly
*KP Snacks
*Nordic Choice Hotels