Sophos shows how a five-day Conti ransomware attack unfolds day-by-day

In a new three-part series of articles, Sophos (global leader in next-generation cybersecurity) researchers and incident responders unveil what really happens when attackers break into an organization’s network with the intention of stealing data and launching a Conti ransomware attack.

Conti is a human-operated “double extortion” ransomware. The attackers steal data from their targets before encrypting it, and then threaten to expose the stolen information on the “Conti News” site if the organization doesn’t pay the ransom.

Sophos’ 24/7 incident response team, Sophos Rapid Response, was called in to contain, neutralize and investigate the incident, which unfolded over five days from the initial compromise to the recovery of work operations. The series of articles from Sophos reconstructs the attack as it happened day-by-day and provides technical information on Conti’s attack behavior as well as advice for defenders.

The three-part series, The Realities of Conti Ransomware, includes:

  • A Conti Ransomware Attack Day-By-Day – Analysis of a Conti attack, including Indicators of Compromise (IoCs) and tactics, techniques and procedures (TTPs)

  • Conti Ransomware: Evasive By Nature – A technical overview by SophosLabs researchers

  • What to Expect When You’ve Been Hit with Conti Ransomware – An essential guide for IT admins facing the impact of a Conti attack, with advice on what to do immediately and a 12-point checklist to help investigate the attack. The checklist walks IT admins through everything the Conti attackers could do while on the network and the main TTPs they are likely to use. The article includes recommendations for action

“In attacks where humans are at the controls, adversaries can adapt and react to changing situations in real time,” said Peter Mackenzie, manager, Sophos Rapid Response. “In this case, the attackers had simultaneously gained access to two servers, so when the target detected and disabled one of these – and believed they’d stopped the attack in time – the attackers simply switched and continued their attack using the second server. Having a ‘Plan B’ is a common approach for human-led attacks and a reminder that just because some suspicious activity on the network has stopped, it doesn’t mean the attack is over.”

The “Conti News” site has published data stolen from at least 180 victims to date. Sophos has created a victimology profile based on the data published on Conti News (covering around 150 organizations whose data had been published at the time of analysis).