Conti has been one of the most aggressive ransomware operations over the past two years and continues to victimize many large companies as well as government, law enforcement and healthcare organizations. Researchers warn that unlike other ransomware groups that generally care about their reputation, Conti doesn’t always deliver on its promises to victims.
“Usually, the more successful ransomware operators put a lot of effort into establishing and maintaining some semblance of ‘integrity’ as a way of facilitating ransom payments from victims,” researchers from Palo Alto Networks said in an analysis. “They want to establish stellar reputations for ‘customer service’ and for delivering on what they promise—that if you pay a ransom, your files will be decrypted (and they will not appear on a leak website). Yet in our experience helping clients remediate attacks, Conti has not demonstrated any signs that it cares about its reputation with would-be victims.”
Conti first appeared in late 2019 and has slowly grown to become one of the predominant ransomware-as-a-service (RaaS) operations. It’s believed to have some connections to the Ryuk ransomware, which was run by a Russian cybercrime group known as Wizard Spider. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said in a recent alert that they observed the use of Conti ransomware in over 400 attacks against US and international organizations. According to cybercrime intelligence firm Recorded Future, Conti was the ransomware strain responsible for the second largest number of victims in September 2021 after LockBit.
Conti also operates a little differently than other RaaS groups. Most groups work with partners called affiliates to compromise victims and deploy the ransomware program for a percentage of the ransom payments, but Conti is believed to pay a monthly wage to its developers.
How Conti gains initial network access
The attackers using Conti employ many methods of obtaining access to corporate networks, including buying access from other groups that already have such access—the so-called network access brokers. Like Ryuk, Conti operators have used the TrickBot malware for access, as well as other Trojans such as IcedID. These Trojans are typically distributed through spear-phishing emails containing malicious links or Microsoft Word attachments.
