As a regular habit, I like to head on over to my favorite search engine and type in “ransomware”.  Today my search turned up Conti ransomware. As it turns out, there is always something new in the news – even from ransomware strains that have been around for quite a while.
Conti ransomware has once again been in the news for their attack on the Costa Rican government.  In light of this, let’s take a closer look at some of the characteristics of this ransomware strain.  We’ll also take a closer look at how this particular ransomware group operates.

How Conti Ransomware Operates

Conti ransomware has been seen since 2020.  Like many other variants of ransomware, they of course first seek to encrypt data.  Their particular ransomware uses 32 CPU threads to encrypt files quickly.  They were also one of the first groups to use the double extortion method – not only encrypting data, but also stealing it to leak it if the ransom was not paid.
While Conti was originality known for targeting Windows systems (and disabling VSS was a hallmark feature), they have also developed a Linux variant, which of course means they are also targeting ESXi.
Like many other ransomware group, Conti operates with a Ransomware as a Service model, with associates getting a portion of the ransom after they have gotten into an organization and deployed it.

The Conti Leaks

In late 2021, the playbooks Conti attackers use was leaked, and of course I read through it.  The terrifying thing is the Conti playbook is more information than many people recieve when starting a new technical role.  This just proves the barrier to entry is so very low – the instructions were easy to follow even for people who do not know their way intimately around IT systems.
In 2022 it became obvious that ransomware groups aren’t immune to the pitfalls of the organizations they target.  Earlier this year, there was a massive leak of internal chat logs from the organization, which many are calling the Panama Papers of Ransomware.
From the various Conti leaks we learned interesting information such as the fact that Conti has a HR department, does employee performance reviews, and even has an employee of the month.
One thing to remember is that these groups are sophisticated, perhaps more sophisticated than many IT organizations out there.  Their sole purpose is to get in and deploy their payloads for activation, and so that they can begin to negotiate a ransom.  Many IT organizations still struggle with daily operations, much less defending their assets.

The Conti Costa Rica Attack

Costa Rica declared a state of emergency  after a Conti ransomware attack, starting on April 18.  Their first target was the Ministry of Finance, at which point they set a 10 million dollar ransom in exchange for not releasing the information stolen.  Costa Rica did not pay, and data has since been released.  In response, the United States government is offering rewards of up to 10 million dollars for information about Conti.

The Same Ransomware Story

The story remains very similar in the ransomware write ups we have been taking a look at.
The barrier to entry to wreak havoc is very low, an affiliate of a ransomware group just needs to get in somehow, before they can follow step by step instructions on how to deploy ransomware and let the negotiations begin.  When it comes to organizations preparing for the inevitable ransomware attack, it really is a multifaceted approach – there is not one single thing an organization can do to fully prepare themselves.
The best thing an organization can do to get ready is put in the security measures that make sense for their organization and their business to try and reduce some of the risk, focusing on early identification and detection of a ransomware attack, and plan on how they will recover the impacted systems.