Conti ransomware is an extremely damaging malicious actor because of the speed with which it encrypts data and spreads to other systems.
The cyber-crime operation is thought to be led by a Russia-based group that operates under the pseudonym Wizard Spider.
Conti Ransomware Modus Operandi
The group uses phishing attacks to install the TrickBot and BazarLoader Trojans, which give it remote access to the infected machines.
The phishing email appears to come from a sender the victim trusts and contains a link to a maliciously crafted document hosted on Google Drive. The document carries a malicious payload: once it is downloaded, the Bazar backdoor is downloaded as well and connects the victim’s device to Conti’s command-and-control server.
Once present on the compromised machine, Conti encrypts data and then employs a two-step extortion scheme.
Double extortion, also known as pay-now-or-get-breached, is a growing ransomware strategy. The attackers first exfiltrate large quantities of private information and then encrypt the victim’s files. Once the encryption is complete, they threaten to publish the stolen data unless they are paid.
The scheme starts with