Ransomware: Conti gang is still in business, despite its own massive data leak

The internal dealings of Conti ransomware gang were published online, detailing how the operation works. But it hasn't slowed them down.
Written by Danny Palmer, Senior Writer

The Conti ransomware gang is still actively running campaigns against victims around the world, despite the inner workings of the group being revealed by data leaks. 

One of the most prolific ransomware groups of the last year, Conti has encrypted networks of hospitals, businesses, government agencies and more – in many cases, receiving a significant ransom payment in exchange for the decryption key. 

Like many of the notorious cyber criminal ransomware operations, many cybersecurity experts believe that Conti runs out of Russia – and in February, members of Conti came out in support of the Russian invasion of Ukraine

Shortly after that, the Conti leaks emerged, identifying individuals involved in the gang and posting daily chat logs, hiring practices and other inner workings of the outfit. But the public disclosure of behind-the-scenes operations at Conti doesn't appear to have stopped the gang –  cybersecurity researchers at NCC Group have detailed how cyber attacks have continued since the leaks. 

The attackers use a number of initial access vectors to gain a foothold onto networks, including phishing emails containing Qakbot trojan malware and exploiting vulnerable Microsoft Exchange Servers. Other techniques include the use of publicly available exploits, including vulnerabilities in VPN services and Log4J java libraries. The attackers also send phishing emails using legitimate compromised accounts

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

Along with encrypting networks and demanding payment for the decryption key, one of the key hallmarks of Conti ransomware attacks is stealing sensitive data from victims and threatening to publish it if the ransom isn't paid.  

Perhaps unsurprisingly, being the victim of information leaks themselves hasn't made Conti has changed their tactics, and they're continuing to steal substantial amounts of data from victims to use as extra leverage in double extortion attacks. 

Conti and other ransomware groups are still a threat to businesses and everyday services, but there are measures which can be taken to help avoid becoming victim to a devastating cyber attack.  

As detailed by researchers, many Conti campaigns will exploit unpatched vulnerabilities to gain initial access to networks, so businesses should ensure that security patches for known vulnerabilities are applied as swiftly as possible to help block potential intrusions. 

In addition to this, robust password policies should be enforced and multi-factor authentication rolled out to all users. 

Information security teams should also monitor networks for potentially suspicious activity, because even if attackers are inside the network, if they're detected before a ransomware attack is triggered, it can be prevented


Editorial standards