Conti Ransomware Data Leak Site

The creators of Conti ransomware have now adopted a strategy that many other ransomware groups already use to extort more money from victims: a data leak site that publicly names the companies that refused to pay for decryption and threatens to publish their private data files. In the past, Conti has been associated with distribution by TrickBot, but it is unclear whether the same operators developed this site. This has been building all summer as Conti has become increasingly popular among threat actors. At the time of writing, the site lists 26 victims, some of them large and well-known organizations. Alongside the new site, the ransom note that Conti leaves on infected computers has changed: instead of instructing victims to email the threat actors about recovering the encrypted data, it now states that the data will be published if the ransom is not paid. It remains to be seen which other ransomware groups will add this strategy.

Analyst Notes

To defend against ransomware, IT management groups and Managed Service Providers (MSPs) at organizations of all sizes should always keep their software and operating systems up to date with the latest patches. Remote access systems such as Remote Desktop Protocol (RDP) should not be exposed directly to the Internet; they should sit behind a Virtual Private Network (VPN) that requires at least two factors (a password and a one-time token) to log in. Links and attachments from unknown senders should be treated with caution. Important data should also be backed up on a regular basis so that it can be restored if it is encrypted. Note that backups restore availability but do not defeat the extortion described above: once data has been exfiltrated, it can still be published whether or not the victim recovers from backup.
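One concrete way to act on the RDP advice above is to audit perimeter firewall or NAT rules for TCP/3389 allowed from Internet-routable sources. The following is an added example written for this page, not code from the original post or from Binary Defense; the rule format (name, source CIDR or "any", destination port, action) and the sample ruleset are constructed, simplified stand-ins for a real vendor policy export, and first-match semantics are assumed so that an earlier deny shadows a later allow.

```python
"""Audit a simplified perimeter ruleset for RDP exposed to the Internet.

Added example for illustration; the rule representation and the sample
ruleset below are constructed, not taken from any real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

RDP_PORT = 3389

# Address space that cannot be the source of an Internet connection. A rule
# whose source lies entirely inside one of these is not direct exposure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


@dataclass(frozen=True)
class Rule:
    name: str
    source: str    # CIDR or "any"
    dst_port: int  # 0 means any port
    action: str    # "allow" or "deny"


# Constructed sample policy (assumption: rules are evaluated top to bottom,
# first match wins). The catch-all deny at the end is too late to help.
SAMPLE_RULES = [
    Rule("deny-rdp-old-partner", "198.51.100.0/24", RDP_PORT, "deny"),
    Rule("rdp-from-vpn-pool", "10.20.0.0/16", RDP_PORT, "allow"),
    Rule("rdp-old-partner", "198.51.100.0/24", RDP_PORT, "allow"),  # shadowed
    Rule("rdp-from-vendor", "203.0.113.0/24", RDP_PORT, "allow"),   # exposed
    Rule("legacy-rdp-any", "any", RDP_PORT, "allow"),               # exposed
    Rule("https-in", "any", 443, "allow"),
    Rule("deny-rdp-catchall", "any", RDP_PORT, "deny"),
]


def source_network(source: str) -> ipaddress.IPv4Network:
    """Normalise a rule source ("any" or CIDR) to a network object."""
    if source.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(source, strict=False)


def is_internet_source(net: ipaddress.IPv4Network) -> bool:
    """True unless the whole source range is internal address space."""
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def matches_port(rule: Rule, port: int) -> bool:
    return rule.dst_port in (0, port)


def audit_rdp_exposure(rules: List[Rule]) -> List[dict]:
    """Return allow rules that let Internet sources reach RDP.

    An "any" source is rated high; a narrowed public range is still direct
    exposure (no VPN, no second factor) and is rated medium.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or not matches_port(rule, RDP_PORT):
            continue
        src = source_network(rule.source)
        if not is_internet_source(src):
            continue
        # First-match semantics: an earlier deny that covers this source and
        # port means the allow is never reached.
        shadowed = any(
            earlier.action == "deny"
            and matches_port(earlier, RDP_PORT)
            and src.subnet_of(source_network(earlier.source))
            for earlier in rules[:i]
        )
        if shadowed:
            continue
        severity = "high" if src.prefixlen == 0 else "medium"
        findings.append({"rule": rule.name, "source": str(src),
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_rdp_exposure(SAMPLE_RULES):
        print(f"{f['severity'].upper():6} {f['rule']}: "
              f"RDP allowed from {f['source']}")
```

Against the constructed ruleset this flags the vendor allow-list and the legacy "any" rule, and correctly ignores the VPN-pool rule and the partner rule shadowed by an earlier deny. A narrowed public source is reported rather than skipped because it still bypasses the VPN and second factor the note calls for; the only RDP path that should remain is from the VPN address pool.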