The Conti Ransomware group has been in and out of the news for the majority of 2022. Beginning the year with an attack on Kenyon Produce (KP) Snacks and conducting business as usual. When the conflict between Russia and Ukraine boiled over, the group again made headlines for taking the side of Russia. This led to widespread dissemination of the group's internal chat messages and eventually leaks of the ransomware source code.
The group remains in the spotlight with news of an ongoing conflict with Costa Rica and the groups sudden pseudo-shutdown.
Looking first at the group’s involvement with Costa Rica, Conti claimed responsibility for a ransomware attack targeting the Cost Rican government in Mid-April 2022. The attack has impacted 27 government institutions and ultimately led to the Costa Rican president, Rodrigo Chaves stating that Costa Rica is “at war” with the Conti group, and the country entering a state of national emergency on 8 May 2022.
The ransom demanded by the group began at $10 million and was increased to $20 million. According to Bleeping Computer as of 9 May 2022 97% of the 672 GB of data exfiltrated by the Conti group had been dumped on the group’s data leak site. Pictured below is a screenshot from the Conti leak site.
Impacted agencies within the Costa Rican Government include the Administrative Board of the Electrical Service of the province of Cartago (Jasec), the Ministry of Science, Innovation, Technology, and Telecommunications, National Meteorological Institute (IMN), Radiographic Costarricense (Racsa), and the Costa Rican Social Security Fund (CCSS).[1]
Costa Rican president, Rodrigo Chaves had just taken office during the attack and placed some of the blame on his predecessor, Carlos Alvarado for not investing in cybersecurity controls. Statements made by Chaves claiming that people within Costa Rica are cooperating with the Conti group, and further, Conti claiming that they are determined to overthrow the government using cyber-tactics brings into question the motivation of this attack.[2] Conti has previously been financially motivated, however, since the conflict between Russia and Ukraine the group has been more politically involved. A ransomware expert at Emisoft said, “there’s no reason to believe that the attack on Costa Rica is other than financially motivated.” Regardless of the motivation the overall effectiveness and impact of this ransomware attack should drive improvement to government security practices in countries around the world.
In a similar fashion, Conti targeted the country of Peru’s intelligence agency, stealing 9.48GB of data. The target of the attack was the National Directorate of Intelligence, which is responsible for national, military, and police intelligence in addition to counterintelligence.[3] Pictured below is a screenshot from the Conti leak site.
In the midst of the conflict with Costa Rica, the Conti ransomware gang has taken infrastructure offline. The data leak and ransom negotiation sites remain active as of 2:00 PM EST 26 May 2022, however their internal services including rocket chat servers are being taken down.[4]
Speculation regarding the timing of the high publicity Costa Rica attack and the decision to disassemble the Conti brand leaves a number of questions about the future of the group and its members. Tension had previously reached a boiling point when the group announced its support for Russia during the country’s invasion of Ukraine which led to Ukrainian members leaking chat messages and source code. Regardless of the motivations for the split, the groups associates have splintered into different ransomware operations including, HelloKitty, AvosLocker, Hive, BlackCat, and BlackByte among others. By dissolving the Conti brand and partnering with other established ransomware groups, the members gain increased mobility and ability to evade law enforcement, while retaining the skills that made the Conti ransomware gang dominant. According to Bleeping Computer the members will leverage new encryptors and negotiation sites, while still remaining loyal to a Conti cybercrime syndicate.
Based on data collections from the Cyber Threat Analysis Center (CTAC) by Red Sky Alliance, the activity from Conti has definitely slowed down. After a busy March and April, the group has relinquished its title as most active leak site to Clop ransomware. The first picture shows ransomware site activity in the past 90-days, while the second picture shows ransomware site activity in the past 30-days.
While the group has split up, ransomware activity remains one of the greatest cybersecurity threats that organizations face. To protect your organization from ransomware attacks it is important to understand how ransomware is spread, including phishing messages. Raising employee awareness of phishing schemes can help organizations avoid high impact attacks. It is also important to keep systems up to date with the latest patches. Finally, be sure to create backup regularly and store them off site to minimize down time and allow for a rollback if an attack occurs.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee. gotowebinar. com/register/3702558539639477516
[1] https://www.bleepingcomputer.com/news/security/costa-rica-declares-national-emergency-after-conti-ransomware-attacks/
[2] https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/
[3] https://cybersecurityworldconference.com/2022/05/08/conti-ransomware-claims-to-have-hacked-peru-mof-direccion-general-de-inteligencia-digimin/
[4] https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/
Comments