The Conti cybercrime organization conducts one of the most active ransomware operations and has become highly organized, with affiliates hacking more than 40 firms in less than a month.
The hacking effort was nicknamed ARMattack by security researchers, who regarded it as one of the group’s “most productive” and “very effective.”
Rapid-fire ARMattack campaign
According to a study supplied by analysts, one of Conti’s “most fruitful campaigns” happened last year, from November 17 and December 20, 2021.
During incident response actions, they identified the group’s month-long hacking campaign and named it ARMattack, based on a domain name that disclosed the gang’s infrastructure.
During the campaign, Conti affiliates compromised around 40 organizations in diverse fields of activity functioning over a large geographical but with an emphasis on enterprises situated in the United States.
According to a Group-IB spokeswoman, the ARMattack was relatively quick, and the company’s report pertains to firms that had their networks hacked. It is unknown whether any of the victims paid the attacker’s ransom.
While the Conti leak site exposed data for up to 46 victims in only one month (e.g., April 2022), the breach date remains unknown.
Conti’s shortest successful assault, according to Group-IB statistics, lasted only three days from first access time to encrypting the organization’s computers.
Hours of “Office”
Group-IB has been examining Conti’s “working hours” using data acquired from public sources, such as the gang’s leaked internal discussions.
Conti members, according to the researchers, are active for roughly 14 hours every day, except for the New Year’s vacation, a timetable that accounts for their efficiency.
According to Group-IB, the group begins working about midday (GMT+3, Moscow time) and ends around 9 p.m. Conti members are most likely spread out over various time zones.
Besides, the researchers emphasize that the organization operates similarly to a genuine company, with employees charged with hiring workers, doing research and development, performing OSINT jobs, and providing customer care.
Conti’s attempts to remain ahead of the game include monitoring Windows updates and studying the changes from new patches, as well as uncovering zero-day vulnerabilities that may be utilized in attacks and exploiting newly published security holes.
Conti is presently one of the top three ransomware gangs in terms of assault frequency, behind only LockBit this year, according to statistics collected in the first quarter of 2022.
Since the gang’s public exposure, the number of victims infected with Conti ransomware who did not pay the threat actor has grown to 859, however the true number is likely much higher because the tally is based only on data disclosed on the group’s leak site.
According to this figure, Conti has been exposing data taken from at least 35 firms that did not pay a ransom per month on average.
We heard about the initial Conti ransomware assaults in late December 2019. Initial test versions of the virus have been tracked until November 2019, according to Group-IB.
One of the most notable Conti assaults recently happened, encrypting systems from various federal agencies in Costa Rica, prompting the country’s president to proclaim a state of emergency.
Despite recent conversation and source code disclosures, Conti continues to operate a profitable business that shows no signs of impending collapse.
Working with other ransomware operators (HelloKitty, AvosLocker, Hive, BlackCat, BlackByte, LockBit) and purchasing cybercriminal enterprises such as TrickBot, the organization has steadily extended its activities.
Despite these efforts to promote their business, the Conti team leaders revealed in May that the brand had been discontinued and that their backend infrastructure had been decommissioned.
While the payment and data leak sites were still active, experts claim that this was done to give the impression that everything was normal.
The syndicate, however, continued to exist, with Conti leadership collaborating with lesser ransomware gangs for operations in an effort to fracture into tiny cells rather than rebranding into a larger organization.
As a result, skilled hackers would spread to new ransomware firms while remaining loyal to the Conti syndicate.
Conti has grown to be such a significant danger that the US government is offering a reward of up to $15 million for information leading to the identify and location of the group’s leaders. The conti ransomware is so rampant. As ordinary people, we can only do our best to data protection. First, we should do a good job of data backup. Use the best backup software on the market for virtual machine data backup. In addition, if data has been leaked, virtual machines can also be used for data disaster recovery.