The notorious Conti ransomware has been updated with an intriguing capability – destroying the victim’s backups.
Conti ransomware hunts for Veeam privileged users and services
According to a detailed report by Vitali Kremez and Yelisey Boguslavskiy of Advanced Intelligence, Conti hunts for Veeam privileged users and services, and leverages to access, exfiltrate, remove and encrypt backups to ensure ransomware breaches are un-backupable.
It is noteworhy that the Advanced Intelligence’s report is based on their actual victim breach intelligence and incident responce, not on a simulated or sandbox environment.
One of the key conclusions of the report is that “backups are a major obstacle for any ransomware operation as they allow the victim to resume business by performing data recovery instead of paying ransom to the criminals.” So, it is not surprising that a ransomware group such as Conti would specifically target backup solutions to ensure ransom payments. Furthermore, Conti group has been “particularly methodical in developing and implementing backup removal techniques.”
How does this tactic work? The ransomware operators use their network intruders or pentesters to ensure access to on-premise and cloud backup tools. In this particular case, Conti is after Veeam privileged users, aiming to further blackmail their victims and leave them with no way to recover their data.
Is there a way to mitigate the risk of destroying backups?
“Maintaining developed protocols of access rights hierarchy, network security, and password hygiene, as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Conti successfully removing backups,” the report noted. The researchers also provided a list with secure backup solutions and mitigations to help victims circumvent ransom payments.
More about Conti Ransomware
Conti is a high-level Russian-speaking ransomware threat actor specializing in double extortion operations where data encryption and data exfiltration happens simultaneously.
Related: Triple Extortion: New Ransomware Trend on the Rise
Previous analysis of the Conti ransomware revealed that it included the ability to use all available CPU threads during its execution. The main engine of the ransomware had been compiled to use 32 CPU threads at once, an ability that is not commonly seen with ransomware.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: