The cybercrime group has disbanded, but still may pose a severe threat to a number of businesses in a different way.
On May 19, 2022, Advanced Intel reported that the Conti ransomware group had taken the majority of its infrastructure offline. The firm had been tracking Conti for some time and found that on that day the group's leak website and its negotiation services site were both taken down. While this may seem like good news at first glance, the reorganization into smaller cybercrime groups may make the members even more dangerous.
That is largely because smaller, more agile cells let the same operators keep working under other ransomware brands while drawing less attention. Conti had already gained a reputation for attacks on the healthcare sector, and had posted anti-U.S. sentiment to its blog, making the group a target for American authorities.
“It is not surprising that they are trying to avoid being chased by splitting into smaller groups, even more now that the U.S. government has issued a $15 million warrant for information that allows them to capture the heads,” said Ricardo Villadiego, founder & CEO of cybersecurity firm Lumu. “In addition, it is well-known that [Conti] has partnered with other threat actors in the past to achieve their goals. In fact, some members of the Conti operation were part of the REvil and BlackMatter operation.”
Why is Conti more of a threat now?
By splitting up, Conti's former members are making it more difficult to pinpoint how and where attacks will come from. Dispersing also lets them evade potential capture by partnering with existing groups, such as BlackCat or REvil, to boost those groups' operations.
Villadiego's company, Lumu, has a history of dealing with Conti by detecting and eradicating tooling used by the group, such as the Emotet loader and the Cobalt Strike post-exploitation framework, before an intrusion escalates to ransomware deployment. He says the effect these attacks have on organizations can be devastating, with smaller businesses bearing the brunt because they lack the security measures and budget needed to fight off cybercriminals.
"Ransomware attacks have evolved in the last couple of years and that evolution requires specialization," he said. "Emotet started as a banking trojan and now it is used as a precursor malware as it enables ransomware groups to pave the road, spread through the organizations, and control as many assets as possible so they can increase the disruption that they cause. However, since the Conti group is a Ransomware as a Service (RaaS) organization, they used to partner with Emotet developers to tailor the malware to each attack, which allowed them to focus on what was important for them—create disruption, exfiltrate information, and get money from their victims."
How to avoid being victimized by Conti’s malware
According to Villadiego, time is of the essence when it comes to avoiding falling victim to a cyberattack. A ransomware incident is usually the end of a chain of smaller events that seemed harmless at first and were not addressed properly or promptly; detecting and rooting out those early contacts is what stops the chain. By finding an adversary in the system as early as possible, businesses can avoid the devastating ransomware stage altogether.
“The most effective way to contain the impact is to intentionally monitor the network because regardless of the attack, the adversary must always use the network and a network that is compromised behaves differently than a network that is not,” Villadiego said. “In our case, we help organizations systematically collect and analyze a broad range of network metadata, and this is the gold mine. The network metadata will tell you exactly how and when the adversary is getting in and what they are trying to do so you can employ a precise response against that particular threat.”
Intentional, continuous monitoring of network metadata (DNS queries, connection records, flow logs) is what lets an enterprise notice the abnormal behavior of a compromised network, such as a host repeatedly checking in with an unfamiliar external address on a regular schedule, and trace when and how that contact began. A zero-trust architecture complements the monitoring: every request is authenticated and authorized before it is granted access to a network resource or device, so adversary traffic that does slip in is harder to hide.
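As an added illustration of the kind of detection this monitoring enables, the following script is not Lumu's product or code from the article; it is a simple beacon detector written for this page. It runs over a constructed set of flow records (timestamp, source, destination, port, bytes out) in which one internal host checks in with an external address about every 60 seconds with slight jitter, the periodic call-home pattern typical of a command-and-control implant, while another host does ordinary irregular browsing. All addresses are from documentation ranges and the thresholds (minimum connections, maximum jitter) are illustrative assumptions, not vendor defaults.

```python
"""Beacon detection over network flow metadata (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (time in seconds since start, src, dst, dst_port, bytes_out).
# 10.0.0.7 contacts 203.0.113.5:443 roughly every 60 s with a few seconds of jitter and
# near-constant payload sizes; 10.0.0.8 is irregular web browsing. None are real indicators.
_BEACON = [(t, "10.0.0.7", "203.0.113.5", 443, 412 + (i % 3) * 8)
           for i, t in enumerate([0, 61, 119, 181, 240, 302, 359, 421, 480, 541, 599, 660])]
_BROWSING = [(5, "10.0.0.8", "198.51.100.10", 443, 1200),
             (9, "10.0.0.8", "198.51.100.20", 443, 5300),
             (130, "10.0.0.8", "198.51.100.10", 443, 900),
             (131, "10.0.0.8", "198.51.100.30", 80, 14000),
             (400, "10.0.0.8", "198.51.100.20", 443, 2200),
             (402, "10.0.0.8", "198.51.100.40", 443, 760),
             (655, "10.0.0.8", "198.51.100.10", 443, 1100)]
SAMPLE_FLOWS = sorted(_BEACON + _BROWSING)


def group_by_channel(flows):
    """Bucket flow records by (src, dst, port) so each channel can be scored on its own."""
    channels = defaultdict(list)
    for t, src, dst, port, nbytes in flows:
        channels[(src, dst, port)].append((t, nbytes))
    return channels


def beacon_stats(times):
    """Return (mean interval, coefficient of variation) for sorted timestamps.

    Returns None when there are fewer than two intervals, since jitter is
    undefined for a single gap. A low coefficient of variation means the
    contacts are evenly spaced, which human browsing rarely is.
    """
    intervals = [b - a for a, b in zip(times, times[1:])]
    if len(intervals) < 2:
        return None
    period = mean(intervals)
    if period <= 0:
        return None
    return period, pstdev(intervals) / period


def find_beacons(flows, min_connections=6, max_jitter=0.2):
    """Flag channels with enough contacts and a regular enough period to look like C2.

    min_connections and max_jitter are assumed tuning knobs for this example.
    The result records first_seen so an analyst can tell when the contact began.
    """
    findings = []
    for (src, dst, port), records in group_by_channel(flows).items():
        if len(records) < min_connections:
            continue
        times = sorted(t for t, _ in records)
        stats = beacon_stats(times)
        if stats is None:
            continue
        period, jitter = stats
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "first_seen": times[0], "last_seen": times[-1],
                "connections": len(records),
                "period_s": round(period, 1),
                "jitter": round(jitter, 3),
                "avg_bytes": round(mean(b for _, b in records)),
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']}  {f['connections']} contacts, "
              f"period {f['period_s']}s, jitter {f['jitter']}, first seen t={f['first_seen']}s")
```

On the sample data only the 10.0.0.7 channel is reported, with a 60 s period and jitter near 0.03; the browsing host never reaches the connection threshold, and its one repeated destination has a coefficient of variation well above 0.2. In practice the same logic is run per channel over a rolling window of real flow or DNS logs, and the reported first_seen timestamp is the starting point for the "how did it get in" investigation.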
“If you are able to mitigate and eradicate all contacts with the adversary and do so timely, you are in a much better position to avoid the worst-case-scenario—which is what we so often see on the news. We work with more than 2,500 organizations of all sizes and have found that this is the best strategy,” Villadiego said.