The dissolution of notorious cyber actors has paved the way for a new cyber threat, according to Sophos research.
Conti ransomware has emerged as an increasingly active cyber threat following the dissolution of DarkSide, REvil and Avaddon, which operated under a ransomware-as-a-service (RaaS) business model.
A new analysis from cyber security company Sophos suggests Conti is exploiting ProxyShell — a chain of vulnerabilities in Microsoft Exchange Server that lets an attacker bypass authentication and execute code as a privileged user.
Conti attackers reportedly gain access to the target's network and set up a remote web shell in under one minute, then install a second, backup web shell just three minutes later.
“Within 30 minutes they had generated a complete list of the network's computers, domain controllers, and domain administrators,” Sophos noted.
“Just four hours later, the Conti attackers had obtained the credentials of domain administrator accounts and began executing commands.”
Alarmingly, Sophos found that within 48 hours of initial access, attackers exfiltrated approximately one terabyte of data.
“After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer,” the company added.
Conti attackers were reported to have installed seven backdoors on the network — two web shells, Cobalt Strike and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities).
“Cobalt Strike and AnyDesk were the primary tools used for the remainder of the attack. It was swift and efficient,” Sophos noted.
“Patching is absolutely essential.”
Sophos urged stakeholders to patch and to deploy preventative security measures, including anti-ransomware tools and behavioural and machine-learning detection technology.
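The early stages of the chain described above (two web shells written to the Exchange web root minutes apart, then commercial remote access tools appearing on hosts) are exactly the behaviours a defender can alert on. The following is an added illustration, not code from Sophos or the report: it runs simple rules over constructed, simplified host events. The `\inetpub\wwwroot` path marker, the five-minute web-shell window, the event line format and the tool name strings are assumptions for illustration.

```python
"""Flag ProxyShell-style web shell drops and remote-access tool launches in host events.
Event lines are constructed for this example: 'ISO-timestamp|host|kind|value'.
"""
from datetime import datetime, timedelta

WEB_ROOT_MARKER = r"\inetpub\wwwroot"  # assumed IIS web root used by Exchange
# Product names from the report; "rutserv" is an assumed Remote Utilities binary name.
REMOTE_TOOLS = ("anydesk", "atera", "splashtop", "remote utilities", "rutserv")
WEB_SHELL_WINDOW = timedelta(minutes=5)  # assumed window for a "backup" shell

def parse(line):
    ts, host, kind, value = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "value": value}

def analyse(lines):
    """Return (rule, host, value) alerts in time order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, shells = [], {}  # shells: host -> timestamps of suspicious .aspx writes
    for e in events:
        v = e["value"].lower()
        if e["kind"] == "file_create" and v.endswith(".aspx") and WEB_ROOT_MARKER.lower() in v:
            alerts.append(("webshell_write", e["host"], e["value"]))
            shells.setdefault(e["host"], []).append(e["ts"])
            # A second .aspx within the window on the same host mirrors the backup shell pattern.
            recent = [t for t in shells[e["host"]] if e["ts"] - t <= WEB_SHELL_WINDOW]
            if len(recent) >= 2:
                alerts.append(("backup_webshell", e["host"], e["value"]))
        elif e["kind"] == "process_start" and any(t in v for t in REMOTE_TOOLS):
            alerts.append(("remote_tool_install", e["host"], e["value"]))
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE = [
    "2021-09-01T10:00:00|exch01|file_create|C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx",
    "2021-09-01T10:03:00|exch01|file_create|C:\\inetpub\\wwwroot\\aspnet_client\\y.aspx",
    "2021-09-01T10:20:00|exch01|file_create|C:\\Users\\admin\\notes.txt",
    "2021-09-01T14:00:00|fs01|process_start|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
    "2021-09-01T14:05:00|fs01|process_start|C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for rule, host, value in analyse(SAMPLE):
        print(f"{rule:20} {host:8} {value}")
```

In production the same rules would be fed from EDR or Sysmon file-create and process-create events, with an allowlist for hosts where a remote access tool is legitimately deployed.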