What critical infrastructure can learn from Conti Ransomware leaks
Attacks on critical infrastructure increased by 3,900% from 2013 to 2020 because of Ransomware gangs like Conti ransomware
Attacks on critical infrastructure increased by 3,900% from 2013 to 2020 (Gartner), and 55% of OT security practitioners rate ransomware as the #1 threat to OT systems (SANS), which is double the percentage from 2019. Why? Ransomware gangs like Conti ransomware.
Conti extorted at least $180 million from its victims in 2021, which is about double the amount extorted by DarkSide/BlackMatter who is responsible for the well-known attack on Colonial Pipeline.
Ransomware has become an effective threat vector as organizations are insecure and open to attack. Since the Colonial Pipeline incident, several other major ransomware attacks on operating entities have been reported: Martha’s Vineyard Ferry Service, KP Snacks, and the JBS meat company who supplies 40% of all the US meat supply. This comes on the heels of several other large public ransomware events at Westrock, Molson Coors, and many others.
This threat actor is not new to targeting Industrial Control Systems (ICS) and operational technologies (OT). The Conti cybergroup successfully ransomed 87 critical infrastructure organizations using ransomware as their main hacking technique.
While the current geopolitical situation between Russia and Ukraine spurred the infiltration and leaking of Conti and its inner workings (via a new Twitter account, @ContiLeaks), the insight has left us with questions about the new risks created by the global conflict. According to research by Thales, 21% of respondents admit to experiencing a ransomware cyberattack – so another inventible question is who’s next?
For the cybercrime group Conti, every operational and critical infrastructure company based in the United States or one of the many allied countries could be a target according to the messages they posted following the beginning of the conflict. In fact, Conti mentioned they would take “retaliatory measures on critical infrastructures if cyberattacks were launched against the country”.
But the Conti information leaked is a game-changer for critical infrastructure cyber defenders. We’re a step closer to understanding the inner workings of these ransomware gangs – and ultimately – how to stop them.
Therefore, this paper explores the events surrounding the Conti ransomware group, and who could be their next target. More specifically, this paper will answer the following questions:
- Who is the Conti ransomware group?
- How are they structured?
- How do they choose their targets?
- How can you protect your organization against ransomware groups like Conti?
Conti’s organizational profile
Conti is a cybercriminal organization that “specializes” in ransomware attacks (Ransomware as a Service). They operate from Russia and mainly target large enterprises. Like Ryuk before them – another cybercrime group that was known for massive ransomware attacks on Microsoft systems – they have a rigid structure when it comes to their organization. In fact, according to the information leaked by a new Twitter account named “Contileaks” a few weeks ago, the group is well organized, with roles and processes that resemble those of a medium-sized software company: Coders, testers, recruiters, developers, etc.
With over a hundred employees according to the latest leaks, the group seems to act exactly like a regular company, allowing an easy structuration of their organizational profile into six specific departments: Operations, human resources, finance, IT, research and development and marketing.
When it comes to their operations team, Conti has extensive means, a high motivation, and good knowledge of the industries they target. To make a profit, the group mostly uses ransomware – the Conti ransomware – as their main attack method. Their malware generally exploits unpatched vulnerabilities in Microsoft Windows systems and uses those assets to move inside the network until they find their objective: Valuable data and/or systems they can encrypt.
Using mainly crimeware-as-a-service platforms Trickbot to deploy their malware (They’ve been known to use Cobalt strike as well) and Emotet to track the victim’s bots infected with their malware, the group has infected hundreds of organizations in the past years.
However, Conti was lately a victim of operations launched by the US government and other organizations (FBI, US Department of Homeland Security, etc.) which wounded the group operations. In fact, Conti lost control of Emotet and Trickbot was consequently shutdown.
This won’t stop Conti but just forces them to adapt their attack strategy.
Research & Development
Research & development is an important part of ensuring business continuity to the group. The cyber world is one of the most dynamic environments that exist in today’s modern society, and with the events that the group faced, they must ensure they stay up to date and adapt to new software and cyber controls and solutions on the market.
For example, Conti invests heavily in multiple Antivirus tools and continuously tests them to ensure they don’t detect their malware as an attack. By studying those different security tools and their different versions/updates, Conti adjusts and modifies their malware in order to launch successful attacks on their targets.
Another good example of R&D investment is studying new OS versions coming to the market. Windows 11 for example.
According to data leaked on Conti, there are multiple technological elements – software, tools, etc. – that are budgeted and used by Conti to support their operations and their research & development. Many examples can be found such as the EDR tools that are installed on all admin computers to monitor the activity of the key users within the organization. Firewalls are also installed on the network.
The group also has budget for their website support and the commissioning of software, applications and devices previously, as well as open-source intelligence tools.
To recruit hackers and other resources to get operations rolling, Conti has many internal HR processes that resemble those of a classic software company. With over eighty employees, the group is always searching for new recruits to fill the different roles that exist within the organization: Coders, testers, reverse-engineers, hackers, administrators, etc.
To recruit, they use standard tactics such as adverts (ads on several Russian-language cybercrime forums), and their own version of case competitions. When they find new candidates, they even have basic work conditions that seem to be similar are presented to them:
- Five-day work week
- Salary that starts at $2,000 per month (but can range as high as $5,000-$10,000 per month for coders according to the information leaked)
- Payroll 1st and 15th of each month (via Bitcoin deposit)
With a list of working conditions that looks like it’d been copy-pasted from a regular employer’s handbook, it is difficult to imagine why cybercriminals wouldn’t want to work for the Conti group.
The leaks, however, describe a different reality:
- Due to the nature of the business and the data employees handle, there is a lack of trust between leadership and employees
- According to the leaks, most employees are forced to spend time on repetitive tasks
- The work hours and other conditions listed above are rarely respected
Even if it doesn’t seem to be part of an “official” cluster, Conti has people that a responsible for ensuring the group is visible online and they are also an active part of the recruitment process as mentioned above.
When you have a company that manages its innovation by project, each department generally ask for a budget at the beginning of a defined period (Generally the fiscal year or in other cases the beginning of a quarter) and, with this budget, deliver a portion of what they have strategized using a roadmap.
In the case of Conti, the group does something similar. There’s no information on how they allocate their budget specifically, but from what was leaked, it is understood Conti gives their different teams budgets for recruitment, software, publicity and ads, research, etc.
How does the Conti cyber group select its targets?
With all those departments working towards a common goal, all that’s left for Conti to execute an attack is picking a target. So how do they select them?
Conti is well known for double extorsion ransomware, meaning that once they’ve gotten their hands into valuable data or systems, and they’ve encrypted it using their ransomware, they request two separate amounts of money. The victim than has the option to make payments for either or both :
- The de-encryption key to recover availability of its data
- A “guarantee” from Conti they will not leak the company’s data on their website and compromise confidentiality.
In order to ask for two separate payments from their victims, and to get a substantial amount of money out of each of these payments, Conti needs to target organizations that have substantial means to pay the ransoms (they have mostly targeted companies with 100 million in annual revenues according to data leaks). For example, it has been revealed by Conti’s chat leaks that they tend to target bigger companies, including those in the Fortune 500.
Additionally, Conti generally targets organizations that cannot afford to not pay the ransom, either because it would have a major impact on their reputation or worse, because it could impact safety.
This is one of the reasons why they’ve targeted multiple healthcare organizations so far as well. For example, in 2020, Conti launched an attack against several hospitals and clinics in the United States, where they tried – and succeeded in some cases – to ransomware as many as 428 hospitals. Even if that specific case didn’t end up being a major crisis, it is easy to imagine the impact that unavailability of data would have on the capability of doctors, nurses and medical personnel to take care of patients and save lives.
So, who could be the next victim? Well, with what is happening in the world today, any organization that provides essential services (Energy, Oil&Gas, Healthcare, Food industry, etc.) could be a target as a retaliatory measure in the name of Russia – whether because of the war, cyberwarfare, or the application of sanctions on the country.
What’s next for Conti and its potential targets?
It is expected that additional information will be revealed regarding Conti in the next few weeks. Since the original data leak, new links and information emerge and as the conflict in eastern Europe continues, chances are that whoever leaked data from Conti (including a portion of the code they used for their malware) will keep posting new details on the group. This information, as well as the information that might be discovered in the future, offers a lot of insight inside the operations and the mindset of this successful cybergroup, and might help cybersecurity professionals and organizations better understand the threat actor they are facing. It might even help organization identify specific measures to take to reduce their risks.
How does Conti strike?
When they strike a target, Conti generally starts with a regular phishing campaign or tailored emails (Spearphishing) to get access to a laptop or a PC. Using code embedded in an executable file or malicious link in that email, they gain initial access to the network. They have also been known to use weak remote desktop protocol (RDP) credentials; fake software put directly on the web as well as commonly known vulnerabilities to gain access to a victim’s network.
Once they have access to the network, Conti performs various scans to identify vulnerable routers, storage devices with access to Internet, or even remote monitoring and management software. Once they’ve found those vulnerable assets, Conti executes payloads and brute forces its way through the network. Using that process, Conti discovers files, network configuration, etc. and moves laterally inside the network to find the data they want.
From there, Conti performs data exfiltration and credential gathering, which will be used for the first ransom, as mentioned previously. In order to get the second ransom, Conti plans the encryption – attack using ransomware. Normally people that were suspicious or that captured signs of a potential breach, will at that point see a return to normal. A few days/weeks later, however, Conti strikes.
How can critical infrastructure protect and defend against Conti?
The best way to defend against potential ransomware attacks is to deploy multiple layers of overlapping protective and defense measures and leverage an endpoint risk security program.
The endpoint approach uses OT-specific endpoint visibility and inventory techniques to gather asset information directly from the endpoints themselves and integrates with other security components to complete the security picture.
This process begins with technology that enables deep vendor-agnostic, endpoint visibility including 100% software inventories, full patch status on all the application software as well as OS, detailed and regular information on configuration settings, password and user/accounts, defensive tool status such as A/V, whitelisting, network configuration rules and settings to understand network defenses, and asset criticality based on process and network.
This “360-degree” view of risk allows the organization to define the most effective and efficient means of remediating risks and securing a given endpoint.
This program should include a lock down of OT systems to least privilege, patching as often as possible/if possible, with best-in-class cybersecurity tools like anti-virus and whitelisting and, of course, a robust backup plan. On top of that, these actions should be accompanied by other standard security processes such as user/account management, monitoring, and detection.
In our 25+ years of work on industrial systems, the largest gaps we see are in the management and maintenance of security. Firewalls may exist, but personnel have adjusted rule settings to allow remote access and created servers that route around critical protection layers. Patching policies may exist, but the manual tasks that are often standard do not get completed given the urgencies of operations. There is no central visibility of these gaps. Standard secure configurations may exist, but exceptions are made, users adjust them, new software is allowed, and ports are opened, leaving gaps in that secure structure. Availability of robust and timely backups can significantly reduce downtime in case of a ransomware attack. But are these backups up to date? Do they restore quickly? Without management, the backups you thought you had may not be ready “in case of emergency.”
The ability to consolidate the security status across all systems into a common database to track and ensure protections are maintained is critical to strong protections. Asset owners must patch, segment, harden configurations, ensure appropriate backups, and limit access to least privilege. These core, fundamental elements of security can be the difference between being a victim or not.
Then organizations should customize this program by looking at data on previous attacks (as mentioned above). In most of the recorded attacks orchestrated by Conti, it usually started with a basic phishing or spear phishing campaign. Then, using malicious attachments, Conti would use embedded scripts to get access to a computer using various weaknesses (as mentioned previously). From there, they move for the coveted data. 95% of OT/ICS attacks occur through the commodity IT equipment used in the environment. Defense requires visibility into all assets and integration to provide simple, but comprehensive coverage.
As for Indicators of compromise (IoCs) that are specific to Conti, organizations should be on high alert for unusual attempts to connect to Remote Desktops (RDP connection), fake software or “risky” software installed on the networks such as ZLoader, unusual traffic going in and out of the network (files and data that shouldn’t leave the network), and malware such as IcedID, TrickBot, or Cobaltstrike.
But as we know, detection is not enough. The integration of detection and response actions allow industrial organizations to significantly reduce the spread and cost of ransomware attacks.
Original content can be found at Verve Industrial.