The Conti cybercrime group has become highly structured and runs one of the most aggressive ransomware operations in existence. In one campaign, its affiliates breached more than 40 organizations in just over a month. Security researchers dubbed the operation ARMattack and described it as one of the group’s “most productive” campaigns and as “extremely effective.”
According to analysts at cybersecurity firm Group-IB, one of Conti’s “most productive campaigns” took place between November 17 and December 20, 2021. The researchers learned of the month-long campaign during incident response engagements and named it ARMattack after a domain name that exposed the gang’s infrastructure. During the operation, Conti affiliates compromised more than 40 organizations across diverse industries and a broad range of geographies, with an emphasis on US-based businesses.
According to a Group-IB spokesperson, ARMattack unfolded relatively quickly, and the firm’s report covers only businesses whose networks were actually compromised. Whether any of the victims paid the ransom is unknown. Note that although the Conti leak site listed as many as 46 victims in a single month (April 2022, for example), the dates of those breaches are unknown. Group-IB’s data shows that the shortest successful Conti attack took three days to reach the point of encrypting the organization’s computers.
“After gaining access to a company’s infrastructure, the threat actors exfiltrate specific documents (most often to determine what organization they are dealing with) and look for files containing passwords (both plaintext and encrypted). Lastly, after acquiring all the necessary privileges and gaining access to all the devices they are interested in, the hackers deploy ransomware to all the devices and run it,” said Group-IB.
Group-IB has also examined Conti’s “working hours” using information from public sources, including the gang’s leaked internal communications. The researchers say Conti members are active for an average of 14 hours a day, except for the New Year’s break, which helps explain their effectiveness. Group-IB states that the group’s working day begins around midday (GMT+3, Moscow time) and ends around 9 p.m. Conti members are probably spread across several time zones.
The researchers also note that the group operates like a real company, with staff assigned to hiring, research and development, OSINT work, and customer support. Monitoring Windows updates, analyzing the changes introduced by new patches, hunting for zero-day vulnerabilities that could be used in attacks, and exploiting recently disclosed security weaknesses are all part of Conti’s efforts to stay ahead of defenders.
“Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to thousands of cybercriminals worldwide with various specializations,” said Ivan Pisarev, Head of the Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence unit.