What Is Conti Ransomware?

Conti ransomware is an infamous Ransomware-as-a-Service (RaaS) developed by the Russian cybercriminal group “Wizard Spider.” According to statistics from the FBI, Conti ransomware has extracted $150 million from over 1,000 victims since it was first used in 2019. Currently, Wizard Spider no longer has its complex infrastructure in place, and IT security experts consider the group to have dissolved in May 2022. Tensions and infighting due to differing political views regarding the war between Russia and Ukraine led to a large leak that further fragmented Wizard Spider.

Conti has been responsible for several high-profile attacks in North America and Europe across multiple industries, including healthcare, education, and financial services. One of the biggest attacks was on the University of Utah in July 2020. The university paid over $450,000 to regain access to critical systems.

Another large-scale attack occurred in May 2021, when hackers infected the Irish Health Service Executive (HSE) and demanded a $20 million ransom. The HSE attack caused massive disruptions to Ireland’s national healthcare system.

How does Conti ransomware work?

As a RaaS, Wizard Spider's operatives maintain the malware, while external affiliates are paid to deploy it against vulnerable targets. Less technically skilled hackers can also pay to use Conti to carry out complex ransomware attacks on organizations. Conti encrypts faster than most ransomware because of its unique implementation of AES-256.

Wizard Spider's affiliates and hackers employ a multifaceted approach to infiltrating systems that includes:

  • Phishing

Through phishing and spear-phishing, attackers try to trick users into granting access to their endpoint devices by getting them to open malicious links. Conti infections typically begin with drive-by downloads that execute the Bazar backdoor or the IcedID trojan.

  • Exploiting vulnerabilities

Conti can exploit security vulnerabilities in software to gain unauthorized access to an endpoint device.

  • Remote Desktop Protocol (RDP) exploits

Conti operators can remotely access and control systems by using stolen or weak RDP credentials.

Once inside, Conti operators use tools such as Cobalt Strike to move laterally within the network, locate sensitive information, and then encrypt it. Before encryption, they typically also exfiltrate the data and then demand a ransom both for decrypting the data and for not releasing it publicly. This double-extortion technique puts heavy pressure on victims to pay.

How to protect against Conti ransomware

1. Employ reputable anti-virus and anti-malware

Utilizing reputable anti-virus and anti-malware software helps strengthen endpoint security. To further improve your security posture, consider integrating anti-virus and anti-malware with real-time remote monitoring tools and custom alerts. This will make it easier for IT security professionals to detect ransomware quickly and act right away to solve issues and mitigate disruptions caused by a cyberattack.

2. Educate employees

Since phishing is a common vector of attack for Conti ransomware, one of the best methods to prevent an attack is to train users to identify fake emails and malicious links.

3. Patch management

Another standard method of attack is through software vulnerabilities. Typically, these vulnerabilities are patched quickly, so keeping software and operating systems (OS) up-to-date helps mitigate this risk. Automated patch management software allows IT teams to remove the risk of human error that can lead to missed patches and schedule regular updates. By employing patch management best practices, IT teams can ensure that applications and OSes will always have the latest security patches, hotfixes, and updates downloaded and installed.

4. Use backup software to protect data

Another vital defense against data loss from ransomware attacks is to regularly back up sensitive data with backup software. Data backup and recovery allow IT teams to create copies of specific files or even entire systems and protect them in transit and at rest in secure storage, so that they can be retrieved easily if ransomware encrypts the originals. Some backup software providers, such as NinjaOne, specialize in ransomware recovery, ensuring rapid data restoration and business continuity.

Conclusion

While Wizard Spider as a group has dissolved, Conti ransomware and similar malware continue to pose a dangerous and costly threat to organizations worldwide. Implementing cybersecurity measures such as multifactor authentication and anti-malware software helps protect businesses from these ransomware attacks. However, for more comprehensive coverage against Conti and other ransomware, IT teams should also employ reliable backup and patch management software. Some solutions, such as NinjaOne RMM, consolidate all the tools IT security professionals need to combat ransomware attacks into a centralized dashboard.
