In May, we got to know that the Conti ransomware group’s infrastructure was shut down and its members joined other ransomware gangs. Now, researchers found that the gang’s affiliates compromised more than 40 organizations in a new hacking campaign and that too in just over a month.

Diving into details

The campaign is named ARMattack and has been described as one of Conti’s most productive and effective campaigns.
  • It was conducted between November 17 and December 20, 2021, and compromised over 40 companies across the world.
  • The fastest attack was executed in only three days - from penetrating the system to encrypting it.
  • Furthermore, the attackers used both Hive and Conti ransomware.
  • While the victims were across various geographies, 37% of attacks were aimed at U.S. organizations.
  • While in April 2022, Conti published the data of 46 victims in just a month on its leak site, the dates of compromise are unknown.

Why this matters

  • On the basis of attack frequency, Conti ranks second, right after LockBit, according to data from Q1 2022.
  • In just two years, the ransomware actor published the data of 859 victims, although the numbers may be more. The victims include government agencies, organizations, and an entire country - Costa Rica.
  • The first attack against Costa Rica caused a state of national emergency, in which 27 government entities were targeted. The second attack sent the nation’s healthcare system into a downward spiral.
  • Regardless of source code and chat leaks, Conti has continued to be a profitable business.

Latest update

On Wednesday, Conti finally shut down its last public-facing infrastructure, consisting of two Tor servers used to negotiate with victims and leak data. Nevertheless, Conti is not really gone as only the brand has folded but the syndicate is still active.

The bottom line

Time and again, Conti has proven itself to be a massive threat to the cybersecurity landscape. The gang has created a scalable and sustainable ransomware business from both managerial and technical perspectives. Therefore, it is imperative that security experts are aware of the group’s TTPs and keep monitoring its activities.
Cyware Publisher