Prolific ransomware group Conti managed to breach 40 victim organizations in a rapid-fire campaign over the course of just a few weeks, according to new research from Group-IB.
The Singapore-based threat intelligence firm claimed in a new report that the “ARMattack” operation ran from November 17 to December 20 2021.
However, it was startlingly effective, with victims mainly concentrated in the US (37%), but also Europe, India and the UAE.
The group’s fastest attack was carried out in exactly three days, from initial access to data encryption, accelerated by the fact that its members work 14-hour days without holidays, according to Group-IB.
Conti continued its impressive record into 2022, compromising and leaking data on a further 156 companies in just the first four months. By Group-IB’s reckoning, it has stolen data from at least 859 organizations over its two-year existence, although the real total of victims is thought to be far higher.
A massive internal data breach earlier this year revealed the inner workings of the group for the first time. It highlighted a strict operational structure, including alphabetized teams featuring developers, pen testers, OSINT specialists, admins and QA and reverse engineer experts.
The group also employed an HR and recruitment lead, someone in charge of its data leak blog, a training specialist and a blockchain lead.
It’s thought it spent at least $6m annually on salaries, tools and services.
However, the group appeared to shut down its operations in May, unplugging its IT infrastructure, including chat servers. The decision may have been taken due to the data leak and/or its decision to publicly back Russia’s war in Ukraine.
Most likely, group members will reform and rebrand, as most ransomware outfits do.
“Ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to thousands of cyber-criminals worldwide with various specializations,” said Ivan Pisarev, head of the Dynamic Malware Analysis Team at Group-IB.
“In this industry, Conti is a notorious player that has in fact created an ‘IT company’ whose goal is to extort large sums. The group will continue its operations, either on its own or with the help of its ‘subsidiary’ projects.” Read more: https://bit.ly/3A72hSQ
You can also read this: Conti Leaks Reveal Ransomware Gang’s Interest in Firmware-based Attacks