Taking a Look into Conti that Just Launched Its Data Leak Site

What happened recently?

Some history your way

• Since early 2020, most targeted entities are located in the U.S., with most targeted sectors being government (Port Lavaca City Hall, Durham Police Station) and manufacturing (EMCOR, EVRAZ, Electronic Warfare Associates), which suggests the attackers are interested in government and military-related organizations.
• Other targeted sectors range from education (Gadsden Independent School District, Havre Public Schools Board of Trustees), information technology (Finastra), to legal (Mississippi Center for Legal Services).

Modus operandi

• The attackers use phishing emails, malicious links, and websites to infect the targeted entity’s employees with TrickBot and Emotet. Then, these bot starts spreading laterally inside the network and finally deploy the ransomware. 
• The encryption scheme used by Ryuk is built for small-scale operations, specifically targeting crucial assets and resources, suggesting that its operators use it for extensively tailored attacks.
• The actors use modules from the Cobalt Strike threat emulation software, DACheck script, and PsExec tool.
• In one incident, the ransomware was deployed after an average two-week infection of Trickbot trojan.

The backstory

• First appeared in August 2018, the sophisticated ransomware is believed to be the creation of “Wizard Spider,” a cybercriminal group based in Russia. 
• Ryuk is based on Hermes ransomware, which was used by the North Korean Lazarus Group against the Taiwanese Far Eastern International Bank (FEIB) in October 2017.
• Experts believe that the Russian group bought Hermes’ source code from the dark web and upgraded it with a new version called “Ryuk.”

Key takeaways