Conti ransomware remains dangerous and can now encrypt Veeam backups

CISA and the FBI warn about ransomware that attacked at least 16 networks last year: new tactics are designed to make data recovery fail

Conti ransomware continues to be a significant threat; new advisories were released to help organizations mitigate Conti's backup destruction tactics.

The ransomware, responsible for at least hundreds of incidents, can now access, exfiltrate, remove and even encrypt backups.[1] The Conti ransomware[2] group is targeting the healthcare sector and first responder networks: 911 dispatchers, emergency medical services, law enforcement, and other healthcare-related organizations. The Conti campaign affected 290 organizations in the US alone.[3] Multiple alerts from experts, including Check Point and the FBI,[4] warn about Conti's targets and improved tactics.

CISA released an advisory[5] about the increased number of ransomware attacks. The agency also offered a technical breakdown for organizations that need to mitigate potential attacks by Conti or other ransomware groups. While Conti is a ransomware-as-a-service threat, its developers use a different payment model: according to the report, instead of paying affiliates a cut of the ransom payments, the group pays the people who deploy the malware a wage.

Conti ransomware uses various methods and tools to infiltrate systems. Spear phishing campaigns, remote monitoring tools, and remote desktop software are also common among other cryptocurrency extortionists. Other malware can act as a vector too.

Malicious Word attachments often contain embedded scripts that download or drop other malware, such as TrickBot and IcedID, and/or Cobalt Strike.

Ransomware removing a major obstacle – backups

Data backups are generally the option that lets victims restore their systems and recover affected data instead of paying the ransom the criminals demand. Cybercriminals therefore target the backup solutions companies rely on, to ensure that victims have no option but to pay up. The Conti group now implements a backup removal tactic, using the intruder's access to reach and encrypt cloud backups.

Veeam backup solutions were targeted in a campaign in which a Cobalt Strike beacon was used. A domain admin account takeover helped Conti force the victims into paying the ransom. The attackers exfiltrated data using the Ngrok application, which exposes local server ports. Then, by impersonating a privileged backup user, they obtained Veeam backup privileges.[6]
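As an added illustration (not part of the original article or of any vendor's tooling), the following Python script shows how a defender could flag the two behaviours described above, a tunnelling tool exposing local ports and a backup service account logging on somewhere it should not, over a handful of constructed telemetry records. The account name, host names and event layout are assumptions for a hypothetical environment.

```python
import re

# Constructed sample events (not from the article): simplified process-creation
# and logon records of the kind an EDR or Windows event pipeline would emit.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042", "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"type": "logon", "host": "WS-042", "user": "CORP\\svc_veeam", "logon_type": 10},
    {"type": "logon", "host": "VEEAM-BKP01", "user": "CORP\\svc_veeam", "logon_type": 5},
    {"type": "process", "host": "VEEAM-BKP01", "user": "CORP\\svc_veeam",
     "image": "C:\\Program Files\\Veeam\\Backup\\Veeam.Backup.Manager.exe",
     "cmdline": "Veeam.Backup.Manager.exe"},
]

# Assumptions for the hypothetical environment: the backup service account and
# the only hosts it is expected to log on to.
BACKUP_ACCOUNTS = {"CORP\\svc_veeam"}
BACKUP_HOSTS = {"VEEAM-BKP01"}
# Windows logon types: 2 = interactive, 10 = remote interactive (RDP); neither is
# expected for a service account. 5 = service logon, which is normal.
INTERACTIVE_LOGON_TYPES = {2, 10}
# ngrok invoked with a tunnel subcommand, i.e. exposing a local port outward.
TUNNEL_PATTERN = re.compile(r"ngrok(\.exe)?\s+(tcp|http|tls)\b", re.IGNORECASE)


def detect(events):
    """Return (rule, host, user) alerts for the two behaviours, in event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and TUNNEL_PATTERN.search(ev["cmdline"]):
            alerts.append(("tunnel_tool_exposing_port", ev["host"], ev["user"]))
        if ev["type"] == "logon" and ev["user"] in BACKUP_ACCOUNTS:
            # A backup account on a non-backup host, or logging on interactively
            # anywhere, is consistent with an impersonated privileged backup user.
            if ev["host"] not in BACKUP_HOSTS or ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
                alerts.append(("backup_account_misuse", ev["host"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for rule, host, user in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: host={host} user={user}")
```

Running it against the constructed events raises exactly two alerts: the ngrok tunnel on WS-042 and the backup account's RDP logon to that same workstation, while the normal service logon on the backup server is not flagged.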

Conti's aim is that the victim will not be able to recover: they lock the system and the backups and make sure the backups are removed.

What can be done to stop Conti backup destruction

Conti also applies an additional blackmail method once data has been obtained, one that has become a common technique among ransomware creators: double extortion, which combines file encryption with scaring victims into paying by threatening to release the stolen data publicly if the ransom is not transferred.

These reports note that mitigations and methods that help avoid major damage from Conti and from ransomware attacks in general are very important. As an organization, you can train your employees and teach them the email security practices that must be followed to avoid ransomware and other malware attacks. Social engineering is one of the most common methods used to convince users to open malicious emails.

It is also critical to track externally exposed endpoints. Password updates and account security measures for Veeam should be implemented, since an account takeover can create major issues. Because decryption tools are often not an option, maintained backups reduce the pressure of ransom demands and allow proper data recovery without paying. Ransomware gets more and more dangerous: threat actors change their tactics and upgrade their programs to evade detection and cause damage to affected systems. It is important for security to evolve as threats do.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College, where he studied Communication and Journalism.
