Ransomware linked to hundreds of cases is now believed to be able to view, take information, delete, and even destroy backup data. Conti has been known to target the healthcare industry and first responder systems. It has exploited around 290 institutions in the United States alone, including emergency medical services, police enforcement, and other healthcare-related groups. Unfortunately, Conti is now set to infiltrate backups altogether.
This invasive ransomware threat actor is a high-level Russian-speaking cybercriminal specializing in double extortion operations. It can do data encryption and exfiltration that can take place at the same time. Previous analysis of the Conti ransomware showed its capability to use all available CPU threads throughout its operation. In addition, the ransomware’s core engine was constructed to run on 32 CPU threads simultaneously, which is a feature that is not frequently seen in ransomware.
How Conti Plays Out Backup Infiltration
Backups are a significant deterrent to ransomware operations since they enable the victim to restart company operations by undertaking data recovery rather than paying a ransom to the attackers. Nevertheless, it should be no surprise that a ransomware gang like Conti would mainly target backup systems to guarantee that ransom payments are made.
Conti group has been very systematic in designing and deploying backup removal solutions as per the observation of cybersecurity experts. They are now explicitly searching for affiliates that are incredibly skilled at erasing victim backups from their systems. This criminal organization concentrates its efforts on a backup generation and management program developed by the software business Veeam.
Conti is now set to infiltrate backups and employs various tactics that have grown commonplace in the ransomware field when it comes to penetrating networks. Various genuine tools, like Cobalt Strike beacons and other lawful tools, are used in attacks to obtain access to a compromised network and maintain its foothold. In addition, once Conti operators get access to a backup user account with elevated privileges, they are free to do anything they want with the backups they have infiltrated.
In a statement, Veeam warned that if the ransomware operators successfully seize control of a privileged domain admin account, there is nothing in the world that can prevent them from wiping out the victim’s backup data. Although there is no way to halt this with patching or new features, Veeam advises that all of its customers run the backup program from a second domain so that compromising the primary domain does not signal death for the backups.
The Existence of Backups Is Insufficient
Ransomware first appeared to be breaching firewalls and encrypting data, leading experts and hardware vendors to recommend backup as the best recovery method. Many firms, businesses, and organizations have depended on this as part of their cyber resilience plan in the past. However, a disturbing pattern has emerged with increasingly sophisticated ransomware attacks – destroying backups, crippling enterprises, and increasing ransom demands.
When a ransomware assault occurs, organizations are overconfident in the integrity of their backups. It gives the ability to utilize them to restore data when they are attacked. On the other hand, cybercriminals do not want enterprises to recover quickly and easily; therefore, they have focused their attention on backups, corrupting, encrypting, or destroying them to make it very difficult to conduct a reliable and speedy recovery procedure. That gives them the ability to demand more harsh ransoms.
Backups are no longer sufficient in today’s world, as they are now susceptible to compromise. When it comes to recovering from a ransomware attack, relying on backups is no longer feasible. Instead, it is vital to check the integrity of data in backups and the backups themselves to have confidence that you can implement a speedy and reliable recovery procedure.
Although it is essential to start with backups, it is also essential to handle the inflow of sophisticated assaults that have already been seen and will continue to become the industry standard for ransomware in the coming months. It should offer the isolation required to protect against cyberattacks, the immutability required to protect against destructive threats, and, most critically, the intelligence necessary to determine whether or not the data has already been compromised.
The Best Way to Prevent Conti Backup Infiltration
Conti employs a different blackmailing tactic while gathering data, a typical strategy among ransomware authors. That is a kind of double extortion that includes both the act of encrypting files and the act of frightening victims into paying by threatening to reveal stolen parts to the public if the ransom payment is not paid.
Mitigations and solutions that may assist in preventing catastrophic damages are vital to have in place. As a business, you may educate and train your staff on email security measures that you must follow to prevent being targeted by ransomware or other malicious software assaults. To persuade consumers to take precautions in opening fraudulent emails and spreading awareness on social engineering can be some of the employed techniques to be safe as Conti is set to infiltrate backups.
It is also vital to keep track of endpoints that are exposed to the outside world. Password changes and account security procedures should be undertaken due to the possibility of account takeover causing significant problems. Because decryption tools are the only answer, enabling backups may help reduce ransom demands while assisting in proper data recovery without the need to pay. The risk of ransomware increases as threat actors vary their techniques and enhance their programs to avoid detection and harm vulnerable systems. While threats continue to develop, it is critical to adapt to security practices.
References
https://threatpost.com/conti-ransomware-backups/175114/
https://us-cert.cisa.gov/ncas/alerts/aa21-265a
