Threat researchers believe the Conti ransomware group has taken over the baton from the DarkSide, REvil and Avaddon RaaS groups

Following the dissolution of the notorious RaaS threat groups DarkSide, REvil and Avaddon, the Conti ransomware gang and the ProxyShell vulnerabilities have taken over as the active threats of the moment.

Affiliates of the shuttered gangs have been looking for a new operator, and researchers from Sophos suspect Conti is a contender due to the recent high levels of activity observed.

Worse, researchers have found evidence that Conti is now leveraging ProxyShell, another ‘high alert’ threat. ProxyShell evolved from the ProxyLogon attack, is easy to exploit, and is currently a mainstay in adversary playbooks, including those deploying LockFile ransomware.

In view of this trend, the firm’s experts are urgently recommending that organizations with Exchange Server should update and patch servers as soon as possible, said Peter Mackenzie, an incident response manager. He highlighted the speed at which Conti attacks have been taking place:

  • Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, Conti attackers recently gained access to the target’s network and set up a remote web shell in under one minute.
  • Three minutes later, the attackers had installed a second, backup web shell in case the first got discovered.
  • Within 30 minutes the attackers had generated a complete list of the network’s computers, domain controllers, and domain administrators.
  • Just four hours later, the Conti attackers had obtained the credentials of domain administrator accounts and begun executing commands. 
  • Within 48 hours of gaining that initial access, the attackers had exfiltrated about one terabyte of data.
  • After five days, they had deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.

Over the course of the intrusion, the attackers had installed two web shells, Cobalt Strike and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities). They used the web shells (installed early on) mainly for initial access; Cobalt Strike and AnyDesk were the primary tools used for the remainder of the attack.
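One way to hunt for the tool stacking described above, as an added example that is not from Sophos or the original article: it flags hosts where several of the four named remote access tools appear within a short window. The event format, host names, dates, the five-day window and the product-name substring matching are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The four commercial tools named in the article; substring matching on the
# installed product name is an assumption of this example.
REMOTE_TOOLS = ("anydesk", "atera", "splashtop", "remote utilities")

# Constructed software-install events (host, ISO timestamp, product name).
SAMPLE_EVENTS = [
    ("EXCH01", "2021-09-01T10:05:00", "AnyDesk"),
    ("EXCH01", "2021-09-01T14:40:00", "Atera Agent"),
    ("EXCH01", "2021-09-02T09:12:00", "Splashtop Streamer"),
    ("WS-114", "2021-08-03T08:00:00", "AnyDesk"),
    ("WS-114", "2021-09-20T08:00:00", "7-Zip 19.00"),
    ("FS02", "2021-09-01T11:00:00", "Remote Utilities - Host"),
    ("FS02", "2021-09-15T11:00:00", "Splashtop Streamer"),
]

def classify(product):
    """Return the matching remote access tool keyword, or None."""
    name = product.lower()
    for tool in REMOTE_TOOLS:
        if tool in name:
            return tool
    return None

def flag_hosts(events, window=timedelta(days=5), min_tools=2, approved=()):
    """Map host -> sorted tools when >= min_tools distinct, unapproved
    remote access tools were installed within one sliding window."""
    per_host = defaultdict(list)
    for host, ts, product in events:
        tool = classify(product)
        if tool and tool not in approved:
            per_host[host].append((datetime.fromisoformat(ts), tool))
    findings = {}
    for host, installs in per_host.items():
        installs.sort()
        best = set()
        # Slide a window starting at each install and keep the densest one.
        for i, (start, _) in enumerate(installs):
            seen = {t for when, t in installs[i:] if when - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_tools:
            findings[host] = sorted(best)
    return findings
```

Pass the organization's sanctioned tool through `approved` so that a single legitimate deployment does not count toward the threshold.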

“It was swift and efficient. Patching is absolutely essential,” Mackenzie said.