Research Details the Day-by-Day Unfolding of a Human-Operated Conti Attack Using
Fileless Ransomware, Background on the Ransomware’s Behaviors, and Defender Advice
Dubai, UAE: In a new three-part series of articles, Sophos researchers and incident responders unveil what really happens when attackers break into an organization’s network with the intention of stealing data and launching a Conti ransomware attack.
Conti is a human-operated “double extortion” ransomware. The attackers steal data from their targets before encrypting it, and then threaten to expose the stolen information on the “Conti News” site if the organization doesn’t pay the ransom.
Sophos’ 24/7 incident response team, Sophos Rapid Response, was called in to contain, neutralize and investigate the incident, which unfolded over five days from the initial compromise to the recovery of work operations. The series of articles from Sophos reconstructs the attack as it happened day-by-day and provides technical information on Conti’s attack behavior as well as advice for defenders.
The three-part series, The Realities of Conti Ransomware, includes:
- A Conti Ransomware Attack Day-By-Day – Analysis of a Conti attack, including Indicators of Compromise (IoCs) and tactics, techniques and procedures (TTPs)
- Conti Ransomware: Evasive By Nature – A technical overview by SophosLabs researchers
- What to Expect When You’ve Been Hit with Conti Ransomware – An essential guide for IT admins facing the impact of a Conti attack, with advice on what to do immediately and a 12-point checklist to help investigate the attack. The checklist walks IT admins through everything the Conti attackers could do while on the network and the main TTPs they are likely to use. The article includes recommendations for action
“In attacks where humans are at the controls, adversaries can adapt and react to changing situations in real time,” said Peter Mackenzie, manager, Sophos Rapid Response. “In this case, the attackers had simultaneously gained access to two servers, so when the target detected and disabled one of these – and believed they’d stopped the attack in time – the attackers simply switched and continued their attack using the second server. Having a ‘Plan B’ is a common approach for human-led attacks and a reminder that just because some suspicious activity on the network has stopped, it doesn’t mean the attack is over.”
The “Conti News” site has published data stolen from at least 180 victims to date. Sophos has created a victimology profile based on the data published on Conti News (covering around 150 organizations whose data had been published at the time of analysis).
About Sophos:
As a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyber threats. Powered by SophosLabs – a global threat intelligence and data science team – Sophos’ cloud-native and AI-powered solutions secure endpoints (laptops, servers and mobile devices) and networks against evolving cyberattack techniques, including ransomware, malware, exploits, data exfiltration, active-adversary breaches, phishing, and more. Sophos Central, a cloud-native management platform, integrates Sophos’ entire portfolio of next-generation products, including the Intercept X endpoint solution and the XG next-generation firewall, into a single “synchronized security” system accessible through a set of APIs. Sophos has been driving a transition to next-generation cybersecurity, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more, to deliver enterprise-grade protection to any size organization. Sophos sells its products and services exclusively through a global channel of more than 53,000 partners and managed service providers (MSPs). Sophos also makes its innovative commercial technologies available to consumers via Sophos Home. The company is headquartered in Oxford, U.K.
