Beware: Conti Ransomware Adds New Tools to Wipe Backups

Researchers with the security firm Advanced Intelligence recently published a report on the notorious Conti ransomware. The report focuses on the ransomware operation's new capabilities for destroying system backups.

The Conti ransomware gang is notorious for being one of the most dangerous cybercriminal organizations. The Advanced Intelligence research team calls the gang "ruthless" in the report and highlights the fact that in the past, the Conti gang attacked several entities where the consequences of the attacks could have been fatal. This includes various medical and healthcare institutions and organizations, including hospitals and medical emergency centers.

The report focuses its attention on the way the Conti gang recruits its members as well. One of the most sought-after skills when it comes to approving affiliates under the gang's 'ransomware-as-a-service' model is the ability to wipe system backups quickly and efficiently.

Naturally, having no backups and being unable to restore a ransomware-infected network to working order is the biggest motivator to actually pay the ransom. This is why Conti is so focused on finding affiliates who are good at destroying backups: it raises the odds of receiving payment following the attack.

The Conti gang seems to be particularly interested in destroying backup data created and stored with applications from the data security company Veeam.

While the attack vector and the deployment of tools on the part of the Conti gang follow a fairly standard procedure, at one point Conti's operators obtain a privileged backup user account, after which there is little that can be done to prevent the backup wipe.

Veeam issued a formal statement in response to the report, saying that there is really nothing the company or the software can do once the attackers have obtained access to the domain admin account. The company further advised its customers to run the backup software in a separate domain, so that a compromise of the primary domain does not also lead to the backups being wiped.
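As an added illustration (this code is not from the report, the article or Veeam), the following Python detector reads constructed backup-audit records and flags restore-point deletions made by an account outside the dedicated backup domain that Veeam's advice implies, as well as bursts of deletions by a single account; the record format, the account names and the `BACKUP` domain name are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real Veeam log output):
# (timestamp, account, action, restore point)
SAMPLE_EVENTS = [
    ("2021-09-01T02:00:05", "BACKUP\\svc-veeam", "delete_restore_point", "job-finance/rp-0001"),
    ("2021-09-01T02:14:10", "CORP\\jdoe", "delete_restore_point", "job-finance/rp-0002"),
    ("2021-09-01T02:14:12", "CORP\\jdoe", "delete_restore_point", "job-finance/rp-0003"),
    ("2021-09-01T02:14:15", "CORP\\jdoe", "delete_restore_point", "job-finance/rp-0004"),
    ("2021-09-01T02:15:00", "CORP\\jdoe", "start_backup_job", "job-finance"),
    ("2021-09-01T03:30:00", "BACKUP\\svc-veeam", "delete_restore_point", "job-finance/rp-0005"),
]

BACKUP_DOMAIN = "BACKUP"             # assumed name of the dedicated backup domain
BURST_THRESHOLD = 3                  # this many deletions by one account ...
BURST_WINDOW = timedelta(minutes=5)  # ... inside this window counts as a burst


def find_suspicious_deletions(events, backup_domain=BACKUP_DOMAIN,
                              threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return sorted (account, reason) pairs for two conditions:
    cross_domain_deletion: a restore point was deleted by an account whose
        domain is not the backup domain (a production-domain admin should
        never be able to do this if the backup domain is kept separate)
    deletion_burst: at least `threshold` deletions by one account within `window`
    """
    findings = set()
    deletions = defaultdict(list)          # account -> deletion timestamps
    for ts, account, action, _target in events:
        if action != "delete_restore_point":
            continue
        domain, _, _user = account.partition("\\")
        if domain.upper() != backup_domain.upper():
            findings.add((account, "cross_domain_deletion"))
        deletions[account].append(datetime.fromisoformat(ts))
    for account, stamps in deletions.items():
        stamps.sort()
        # sliding window: any run of `threshold` deletions that fits in `window`
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings.add((account, "deletion_burst"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in find_suspicious_deletions(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {account}")
```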

The Conti gang is also known for using double extortion tactics – something that an increasing number of ransomware actors have adopted. This involves both encrypting the victim's network and threatening to leak sensitive information exfiltrated during the attack.