Research Details the Day-by-Day Unfolding of a Human-Operated Conti Attack Using Fileless Ransomware, Background on the Ransomware’s Behaviors, and Defender Advice
In a new three-part series of articles, Sophos researchers and incident responders unveil what really happens when attackers break into an organization’s network with the intention of stealing data and launching a Conti ransomware attack.
Conti is a human-operated “double extortion” ransomware. The attackers steal data from their targets before encrypting it, and then threaten to expose the stolen information on the “Conti News” site if the organization doesn’t pay the ransom.
Sophos’ 24/7 incident response team, Sophos Rapid Response, was called in to contain, neutralize and investigate the incident, which unfolded over five days from the initial compromise to the restoration of normal operations. The series of articles from Sophos reconstructs the attack as it happened, day by day, and provides technical information on Conti’s attack behavior as well as advice for defenders.
The three-part series, The Realities of Conti Ransomware, includes:
- A Conti Ransomware Attack Day-By-Day – Analysis of a Conti attack, including Indicators of Compromise (IoCs) and tactics, techniques and procedures (TTPs)
- Conti Ransomware: Evasive By Nature – A technical overview by SophosLabs researchers
- What to Expect When You’ve Been Hit with Conti Ransomware – An essential guide for IT admins facing the impact of a Conti attack, with advice on what to do immediately and a 12-point checklist to help investigate the attack. The checklist walks IT admins through everything the Conti attackers could do while on the network and the main TTPs they are likely to use. The article also includes recommendations for action.
The “Conti News” site has published data stolen from at least 180 victims to date. Sophos has created a victimology profile based on the data published on Conti News (covering around 150 organizations whose data had been published at the time of analysis).