Ransomware Profile: Conti

Conti is a ransomware variant first observed in early 2020, used by cybercriminals to conduct ransomware attacks against multiple sectors and organisations worldwide, including Australia. Conti is offered as a Ransomware-as-a-Service (RaaS), enabling affiliates to utilise it as desired, provided that a percentage of the ransom payment is shared with the Conti operators as commission. This product provides information related to Conti’s background, threat activity, and mitigation advice.

Context 

The Australian Cyber Security Centre (ACSC) is providing this information to enable organisations to undertake their own risk assessments and take appropriate actions to secure their systems and networks. The ACSC will only revise and update this document in the event of further significant information coming to light.

Key Points

  • Conti ransomware restricts access to corporate files and systems by encrypting them into a locked and unusable format. Victims receive instructions on how to engage with the offenders after encryption.
  • Conti affiliates have successfully deployed ransomware on corporate systems in a variety of countries and sectors, including in Australia, where the ACSC is aware of multiple victims.
  • Conti affiliates are known to implement the ‘double extortion’ technique by uploading, in part or in full, victim data stolen during the attack, and threatening to sell and/or release further information if their ransom demands are not met.
  • Threat actors involved in the deployment of the Conti ransomware use a range of vectors to gain initial access into victim networks, including exploitation of unpatched vulnerabilities in remote access solutions.

Background 

First detected in early 2020, Conti is a ransomware-as-a-service (RaaS) affiliate program associated with Russian-speaking cybercrime actors. Similarities between Conti and the Ryuk ransomware variant have been reported; however, it is unclear if the actors responsible for developing Conti are the same as those linked to Ryuk. The operators of Conti advertise the ransomware to potential affiliates in public and private forums. Conti affiliates have successfully deployed ransomware to target networks worldwide, including in Australia, where the ACSC is aware of multiple Australian victims. Conti affiliates have been observed targeting entities in critical sectors, notably including healthcare organisations.

Threat activity

The ACSC has observed an increase in domestic and global Conti activity throughout 2021. Conti affiliates are known to implement the ‘double extortion’ technique by uploading exfiltrated victim data to their dedicated leak site (DLS) and threatening to release victim data in tranches if the ransom is not paid. This is intended to coerce the victim into paying the ransom demand. Leaked information is hosted on The Onion Router (TOR) network, enabling greater anonymity to Conti threat actors hosting illicitly obtained material.[1] In 2021, Conti claimed to have compromised at least 500 organisations worldwide on their TOR site.

Threat actors involved in the deployment of Conti ransomware use a range of initial access vectors to gain access to victim networks. Conti actors have been widely observed using phished, purchased and brute-forced credentials to Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs) to gain access to target networks. Conti threat actors are resourceful, and have also used publicly leaked credentials for Fortigate SSL VPN devices to gain access.

The ACSC has observed both TrickBot and commercial exploitation tool Cobalt Strike activity on Australian victim networks prior to the deployment of Conti ransomware. Other observable Tactics, Techniques, and Procedures (TTPs) associated with Conti ransomware activity include but are not limited to:

  • Enumerating Active Directory environments with BloodHound
  • Utilising Metasploit for post-compromise exploitation
  • Maintaining persistence on devices with the AnyDesk remote desktop application
  • Phishing campaigns that install the BazarLoader backdoor onto target systems.

The threat actors involved in the deployment of the Conti ransomware frequently change attack patterns, and quickly take advantage of newly disclosed vulnerabilities to compromise and operate within networks before network owners are able to apply patches or mitigations.
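As an added illustration that is not part of the ACSC advisory, the following Python script hunts for two of the TTPs described above over a constructed sample of Windows Security events: a burst of failed RDP logons from one source followed by a successful logon (brute-forced RDP credentials), and process creation of the AnyDesk and RClone binaries. The flattened "key=value" line layout, the sample addresses and the file paths are assumptions made for the sample, not a real log export format.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the advisory): Windows Security events flattened
# to "timestamp key=value ..." lines. 4625/4624 = failed/successful logon
# (LogonType 10 = RDP); 4688 = process creation. Paths contain no spaces here.
SAMPLE_LOG = [
    f"2021-06-01T02:10:0{i} EventID=4625 LogonType=10 User=admin Src=203.0.113.7"
    for i in range(5)
] + [
    "2021-06-01T02:10:09 EventID=4624 LogonType=10 User=admin Src=203.0.113.7",
    "2021-06-01T02:11:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4",
    "2021-06-01T02:12:00 EventID=4624 LogonType=2 User=jsmith Src=127.0.0.1",
    "2021-06-01T03:00:00 EventID=4688 NewProcessName=C:\\Users\\admin\\AppData\\Local\\Temp\\AnyDesk.exe",
    "2021-06-01T03:30:00 EventID=4688 NewProcessName=C:\\Windows\\Temp\\rclone.exe",
    "2021-06-01T03:31:00 EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe",
]
# Tools the advisory associates with Conti post-compromise activity.
SUSPECT_TOOLS = {"anydesk.exe": "remote access persistence [T1133]",
                 "rclone.exe": "exfiltration over web service [T1567]"}

def parse(line):
    """Split one flattened line into a dict of fields plus its timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = ts
    return fields

def find_rdp_bruteforce(lines, threshold=5):
    """Source IPs with >= threshold failed RDP logons followed by a success."""
    failures = defaultdict(int)
    hits = []
    for e in map(parse, lines):
        if e.get("LogonType") != "10":
            continue  # only RDP (RemoteInteractive) logons are of interest
        src = e.get("Src", "?")
        if e["EventID"] == "4625":
            failures[src] += 1
        elif e["EventID"] == "4624" and failures[src] >= threshold:
            hits.append((src, e.get("User"), failures[src]))
    return hits

def find_tool_execution(lines):
    """Process-creation events whose image name is a known Conti tool."""
    hits = []
    for e in map(parse, lines):
        image = e.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if e["EventID"] == "4688" and image in SUSPECT_TOOLS:
            hits.append((e["ts"], image, SUSPECT_TOOLS[image]))
    return hits
```

On the sample, the first function reports the 203.0.113.7 source (five failures, then success as admin) and the second reports the AnyDesk and rclone executions while ignoring notepad.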

Assistance

The ACSC continually monitors a variety of ransomware variant activity including Conti. The ACSC is able to provide assistance and advice if required. Organisations that have been impacted or require assistance in regards to a Conti ransomware incident can contact the ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report.

Mitigations

Initial Access [TA0001]

Technique: Exploit Public-Facing Application [T1190]
Procedure: Threat actors search for and opportunistically exploit vulnerabilities in internet-facing applications and devices to gain access to victim networks.
Mitigations:
  • Update Software [M1051]: Establish processes to identify, assess and patch vulnerabilities affecting internet-facing applications and devices within appropriate timeframes. This allows organisations to address security vulnerabilities before they are discovered and exploited by actors. See Assessing Security Vulnerabilities and Applying Patches for further advice.

Technique: Valid Accounts [T1078]
Procedure: Actors have obtained credentials for valid accounts to gain access to victim networks. Actors have used phishing and password brute-forcing techniques to obtain credentials. They have also purchased credentials or collected them from publicly available breaches.
Mitigations:
  • Multi-factor Authentication [M1032]: Require multi-factor authentication for all user accounts, particularly privileged accounts. This prevents actors from accessing valid accounts with stolen credentials.
  • User Training [M1017]: Educate users to avoid password reuse. This prevents actors from obtaining credentials through public breaches or by compromising non-corporate systems. See Get smarter with passwords for further advice.

Persistence [TA0003]

Technique: External Remote Services [T1133]
Procedure: Actors have used the commercial remote access software “AnyDesk” to persist on victim systems.
Mitigations:
  • Filter Network Traffic [M1037]: Prevent network traffic from unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence. See Inbound Traffic Filtering - Technique D3-ITF for further advice.
  • Network Segmentation [M1030]: Segment networks and restrict traffic for remote access services where possible. This limits the ability of threat actors to move laterally within compromised networks. Utilising network segmentation as a form of defence in depth also prevents actors from connecting, via compromised systems within victim networks, to external remote access services that they have established for persistence.

Exfiltration [TA0010]

Technique: Exfiltration Over Web Service [T1567]
Procedure: Actors have exfiltrated sensitive data and threatened to publicly release it. Actors have exfiltrated data to a legitimate and publicly available web service, and in some cases have used legitimate tools such as RClone.
Mitigations:
  • Encrypt Sensitive Information [M1041]: Encrypt sensitive data at rest. This prevents actors from accessing sensitive data even if they can access the systems storing the data.
  • Network Segmentation [M1030]: Segment networks to separate sensitive data, and services that provide access to sensitive data, from corporate environments. This prevents adversaries from compromising vulnerable systems, such as desktop environments, and immediately accessing and exfiltrating sensitive data.
  • Restrict Web-Based Content [M1021]: Restrict access to web-based storage services from corporate networks, except where required for legitimate business activity. This prevents actors from directly uploading sensitive data to blocked web-based storage services.

Lateral Movement [TA0008], Privilege Escalation [TA0004], Discovery [TA0007]

Technique: Various
Procedure: Actors have deployed widely used malware and post-exploitation tools such as TrickBot, Cobalt Strike and the Metasploit framework on victim networks. These tools are commonly used to move laterally through victim networks, harvest credentials, elevate privileges, exfiltrate data and deploy additional tools such as encryption binaries. In addition, actors have used the reconnaissance tool BloodHound [S0521] to map victims’ Active Directory environments.
Mitigations:
  • Network Segmentation [M1030]: Segment networks and restrict or monitor the types of traffic that are commonly used for lateral movement or reconnaissance. This prevents actors from moving laterally in networks and accessing sensitive systems or data.
  • Privileged Account Management [M1026]: Restrict administrative privileges to operating systems and applications based on user duties. This reduces actors’ ability to elevate privilege, move laterally in networks, bypass security controls and access sensitive data. See Restricting Administrative Privileges for further advice.
  • Update Software [M1051]: Patch applications and operating systems and keep them up to date. This prevents actors from exploiting known vulnerabilities in applications and operating systems to elevate privilege, bypass security controls and move laterally in networks. See System Patching for further advice.

Impact [TA0040]

Technique: Data Encrypted for Impact [T1486]
Procedure: Actors have used Conti ransomware to encrypt valuable data, disrupt operations, and extort payment from victims.
Mitigations:
  • Backup Data [M1053]: Perform daily backups and keep them offline and encrypted. Test recovery and integrity procedures to make sure data and operations can be quickly and reliably restored. This allows business operations to be recovered if data is encrypted, reducing the impact of a ransomware attack. Note that backups will not mitigate risks where sensitive data is exfiltrated and released. See Data backup and restoration for further advice.
