Written by Ferhat Dikbiyik
Additional Contributor Yavuz Han
Edited by Haley Williams

The Conti ransomware gang is a serious threat actor, with more than 400 corporate victims, and ransom demands as high as $25 million. The group is also very active, recently posting more than 10 victims in just one day (September 9, 2021). It appears that even the recent leak of their playbook in August has not slowed them down.

 

Image: Conti’s blog on the deep web showing some of its victims (Note: sensitive information blurred by the Black Kite Research Team.)

Manufacturing is Conti’s latest target

Conti doesn’t seem to discriminate by industry, hitting hospitals, government organizations and law enforcement agencies. But in the last 30 days, almost half of its 24 victims have been manufacturers, ranging from drilling equipment to electronic devices, automotive to metals. The victims are mostly US companies (42%), with the rest dispersed across the UK, Mexico, Ireland, South Africa, Australia, Indonesia, Italy, Germany, and Spain.

 

Conti’s tactics are ruthless, leaking bits of stolen data to extort more ransom from its victims.

The average Ransomware Susceptibility Index®: 0.43

The Ransomware Susceptibility Index® (RSI™) is a metric between 0.0 and 1.0 developed by Black Kite that shows the likelihood of a ransomware attack on an organization. Black Kite continuously monitors companies and organizations all around the world and provides cyber risk assessment metrics like RSI™. The Black Kite RSI™ follows a process of inspecting, transforming, and modeling data collected from a variety of OSINT sources (internet-wide scanners, hacker forums, the deep/dark web, and more). Using the data and machine learning, RSI™ identifies the correlation between control items to provide approximations. While RSI™ checks the common indicators of a ransomware attack such as critical vulnerabilities, open RDP/SMB ports, leaked credentials, etc., and takes certain factors into account (e.g., size of the company), it doesn’t have visibility into certain indicators such as insider threats.

The Black Kite Research Team analyzed the RSI™ values of the recent Conti victims. The average RSI™ value for these organizations is 0.43. Black Kite research shows that an RSI™ score of more than 0.4 is alarming and 0.6 is critical. Fourteen victims have an RSI™ score of 0.4 or higher, while 5 victims have RSI™ scores close to or above 0.6.

 

Conti’s favorite access methods

According to the leaked Conti Playbook, the gang usually exploits critical vulnerabilities such as recent Microsoft vulnerabilities (MS17_010 and PrintNightmate (tracked as CVE-2021-34527 )). And it’s only a matter of time before they exploit the latest Microsoft zero-day vulnerability CVE-2021-40444 because it’s found in such a large number of Microsoft products used throughout the enterprise. (See Microsoft’s security update from September 14, 2021.)

Conti also takes advantage of older but still-unpatched vulnerabilities such as FortiNet CVE-2018-13379 and CVE-2018-13374. The latest leak of Fortinet VPN credentials is also an attractive Conti target if not patched quickly.

Ransomware groups like Conti not only exploit vulnerabilities but also take advantage of leaked credentials, phishing attacks, open RDP ports, and more to breach a company’s systems. Given the damage these exploits cause, organizations must take a proactive (vs reactive) risk management approach to be better prepared for ransomware attempts.


How can you be proactive?

Know your susceptibility to a ransomware attack so you can take action to fix issues and plan for potential attacks. Contact us for your free RSI™ score.