Dirty Tricks: The Latest in Ransomware Tactics

Criminal ransomware techniques have evolved in the last few years and are now even harder to detect – and more damaging if they get through network defenses.

One particular insidious type of new ransomware is from a gang known as Conti. The malware has so far mainly impacted victims in North America and Western Europe.

Researchers at Sophos are keeping a close eye on Conti. Chester Wisniewski, a principal research scientist with Sophos, says the techniques cyber criminals use follow similar steps to many previous types of ransomware.

“There is a bit of a template to this,” said Wisniewski. “Abusing remote access to get a foothold, taking advantage of unpatched VPN servers.”

But once inside, Wisniewski says Conti attacks raise the stakes and are particularly alarming because the attacks use a technique that pushes the malware directly into memory. It becomes very evasive and hard to detect. There is no artifact of the ransomware left behind for a malware analyst to discover and study, according to researchers.

The Conti gang uses a set of tools that not only hides the malware, but also conceals the Internet locations of the attack. This prevents researchers from obtaining a copy of the malware, meaning they are forced to essentially “fly blind” if they need to respond to an attack.

The Conti gang uses other dirty tricks when they gain a foothold, including double extortion. They demand a ransom in exchange for the key to unlock systems, but also leak some stolen corporate data – and then demand more ransom in exchange for keeping the rest of the stolen data private.

Here are some other techniques used by Conti, according to Sophos researchers.

• Attackers lurk for weeks

Because the malware is so stealthy and hard to detect, the humans behind Conti will break in and lurk for weeks before they make their presence known. This gives them time to prepare and snoop around in order to steal as much information as possible to maximize their ransom demand.

• Attackers download and install backdoors

Attackers will come and go on the network and install additional tools that allow them to set up folders and directories to collect and store stolen information. Some of these backdoors even appear to be legitimate applications to an administrator’s eye.

• Attackers exfiltrate corporate data

The attackers steal corporate information while they move around the network and then threaten to publish the data on a so-called “leak site” for anybody to download. Once this happens, the victim can find themselves exploited for years – as this stolen data is often then sold to other attackers for use in future attacks.

• Attackers encrypt, delete, reset, or uninstall backups

One of the more common recommendations for recovering from a ransomware attack is to ensure you have backups. But Conti attackers find online versions of backup files and delete or encrypt them so they can’t be used. The takeaway here is that it is paramount to store backups offline.

How to stay protected

Since ransomware keeps getting dirtier, and harder to detect, consider these best practices to minimize your risk of attack:

• Use multi-factor authentication (MFA)
• Monitor for the abuse of administrative tools and privileges
• Encourage employees to use complex passwords, managed through a password manager
• Be mindful of access and give user accounts and administrators only the access rights they need
• Patch regularly and stay up to date

Sophos can assist you with your ransomware mitigation efforts. Find out how by visiting Sophos.com.