Operators of the notorious Conti ransomware have added a troubling step to their playbook: destroying the victim's backups before encryption.
Conti ransomware hunts for Veeam privileged users and services
According to a detailed report by Vitali Kremez and Yelisey Boguslavskiy of Advanced Intelligence, Conti hunts for Veeam privileged users and services and uses that access to reach, exfiltrate, delete and encrypt backups, leaving the victim with nothing to restore from.
It is noteworthy that Advanced Intelligence's report is based on intelligence from actual victim breaches and incident response engagements, not on a simulated or sandbox environment.
One of the key conclusions of the report is that “backups are a major obstacle for any ransomware operation as they allow the victim to resume business by performing data recovery instead of paying ransom to the criminals.” So it is not surprising that a ransomware group such as Conti would specifically target backup solutions to ensure ransom payments. Furthermore, the Conti group has been “particularly methodical in developing and implementing backup removal techniques.”
How does this tactic work? The ransomware operators rely on their network intruders, or “pentesters”, to gain access to on-premises and cloud backup tools. In this particular case, Conti is after Veeam privileged users, with the aim of blackmailing victims further by leaving them no way to recover their data.
Is there a way to mitigate the risk of destroying backups?
“Maintaining developed protocols of access rights hierarchy, network security, and password hygiene, as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Conti successfully removing backups,” the report noted. The researchers also provided a list of secure backup solutions and mitigations to help victims avoid paying the ransom.
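One concrete form the “monitoring aimed at spotting abnormal network behavior” can take is a check on how the backup service account is being used and whether the Veeam services are being stopped. The script below is an added example, not code from the article or from the Advanced Intelligence report: the account name `svc_veeam`, the host names, the IP addresses and the event lines are all constructed for illustration, and the policy (the backup account may only perform service or network logons, and only from the backup infrastructure) is an assumption about how a well-run environment is configured. The event IDs and logon types are the standard Windows Security event 4624 and Service Control Manager event 7036 values.

```python
"""Hunting for misuse of a backup service account and for Veeam service
tampering, using constructed Windows event records.

Added example, not from the article or the Advanced Intelligence report.
The account, hosts, addresses and event lines are constructed; 4624 logon
types and the 7036 service-state event are standard Windows values.
"""
import json

# Hypothetical policy (assumption): a dedicated backup service account that only
# ever performs service (5) or network (3) logons from the backup hosts themselves.
BACKUP_ACCOUNTS = {"svc_veeam"}
BACKUP_HOSTS = {"VBR01", "VBR-PROXY01", "VBR-REPO01"}
# 4624 logon types: 2 = interactive, 3 = network, 5 = service, 10 = RDP.
ALLOWED_LOGON_TYPES = {3, 5}
VEEAM_SERVICES = {"Veeam Backup Service", "Veeam Backup Catalog Data Service"}

# Constructed sample: one simplified event per line, JSON-encoded.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "svc_veeam", "LogonType": 5, "WorkstationName": "VBR01", "IpAddress": "-"}
{"EventID": 4624, "TargetUserName": "svc_veeam", "LogonType": 3, "WorkstationName": "VBR-REPO01", "IpAddress": "10.0.5.21"}
{"EventID": 4624, "TargetUserName": "svc_veeam", "LogonType": 10, "WorkstationName": "WS-HR-017", "IpAddress": "10.0.12.44"}
{"EventID": 4624, "TargetUserName": "svc_veeam", "LogonType": 3, "WorkstationName": "WS-HR-017", "IpAddress": "10.0.12.44"}
{"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10, "WorkstationName": "WS-HR-017", "IpAddress": "10.0.12.44"}
{"EventID": 7036, "Computer": "VBR01", "ServiceName": "Veeam Backup Service", "State": "stopped"}
{"EventID": 7036, "Computer": "VBR01", "ServiceName": "Print Spooler", "State": "stopped"}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_logon(ev):
    """Return a finding for a 4624 event that breaks the backup-account policy, else None."""
    user = ev.get("TargetUserName")
    if user not in BACKUP_ACCOUNTS:
        return None
    logon_type = ev.get("LogonType")
    host = ev.get("WorkstationName")
    if logon_type not in ALLOWED_LOGON_TYPES:
        # An interactive or RDP logon with the service account is what an intruder
        # who has obtained its credentials looks like; the account itself never does this.
        return {"rule": "backup_account_interactive_logon", "account": user,
                "host": host, "detail": f"logon type {logon_type}"}
    if host not in BACKUP_HOSTS:
        # Allowed logon type, but from a host that is not part of the backup estate.
        return {"rule": "backup_account_unexpected_host", "account": user,
                "host": host, "detail": f"logon type {logon_type} from {ev.get('IpAddress')}"}
    return None


def check_service(ev):
    """Return a finding when a Veeam service enters the stopped state, else None."""
    if ev.get("ServiceName") in VEEAM_SERVICES and ev.get("State") == "stopped":
        return {"rule": "veeam_service_stopped", "account": None,
                "host": ev.get("Computer"), "detail": ev["ServiceName"]}
    return None


def find_findings(events):
    """Run the checks over parsed events and collect the findings in log order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        finding = None
        if eid == 4624:
            finding = check_logon(ev)
        elif eid == 7036:
            finding = check_service(ev)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_findings(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['rule']}] host={f['host']} account={f['account']} {f['detail']}")
```

On the constructed sample this yields three findings: the RDP logon with `svc_veeam` on a workstation, the network logon with the same account from that workstation, and the stop of the Veeam Backup Service; the Print Spooler stop is ignored. In practice the records would come from a SIEM rather than an inline string, and the same allow-list approach applies to changes in Veeam's own role assignments, since the report identifies privileged Veeam users as the target.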
More about Conti Ransomware
Conti is a high-level Russian-speaking ransomware threat actor specializing in double extortion operations, in which data encryption and data exfiltration happen simultaneously.
Previous analysis of the Conti ransomware revealed that it can use all available CPU threads during execution: the main engine of the ransomware had been compiled to use 32 CPU threads at once, something not commonly seen in ransomware.