Disgruntled Affiliate Reveals Conti Ransomware Attack Techniques

The group actively targeted the healthcare industry and first responder networks when COVID was at its peak. The following information was obtained from the Conti ransomware Tor handle.
Based on the group's past activity, it targets the retail and manufacturing sectors extensively, largely focusing on American entities.
Ransoms are tailored to victims based on their net worth; a very recent ransom demanded by the group was as high as 25 million USD.
| Country | Victims |
| --- | --- |
| Bahamas | 1 |
| Canada | 14 |
| USA | 128 |
| Mexico | 1 |
| UK | 11 |
| Germany | 4 |
| Italy | 2 |
| India | 1 |
| Japan | 1 |
| New Zealand | 1 |
| Australia | 1 |
Conti has a very distinctive style of carrying out its campaigns; the profiled TTPs are listed below:
The following TTPs are mapped to MITRE ATT&CK:
The following ports are used to sustain remote connections: 80, 443, 8080, and 8443.
There are identified cases where the actors have used port 53 for persistence.
The actor shared the internal infrastructure used to compromise target networks. The Cobalt Strike framework is used for command and control (C2): a C2 server runs an application that sends operating system commands to the compromised system, executes them there, and fetches the command output back to the C2 server, thus establishing complete control over the compromised computer system or network.
The actor exposed Cobalt Strike Team Servers, which are a very critical component of the attacker's infrastructure.
An attack originates from the Cobalt Strike Aggressor/TeamServer, so leaking these IPs compromises the attacker's operational security, as the IPs can be blacklisted by corporate network firewalls and endpoint security systems. Nevertheless, most attackers place IP redirectors or proxies between the target corporate network and their team servers for operational security and to protect their internal assets.
Ransomware groups are financially motivated cybercriminals that target enterprises to extort money. Large organisations around the world use Microsoft Active Directory to manage their users and network resources. Active Directory is a directory service that maps users and network assets such as printers and computers into logical groups for efficient administration and management. It follows a hierarchical structure in which a domain is a logical aggregation of resources over the network, with a node called the domain controller that controls the assets in that domain. The user in charge of the domain controller is called a domain admin. An enterprise can have multiple domains, each with its own domain administrators.
Ransomware operators compromise the domain controller server and covertly gain control over a domain administrator account to carry out malicious activities in the domain. The following are a few tactics employed by the adversary in a campaign:
– Initial Access
– Privilege Escalation & Lateral Movement
– Privilege Escalation
– Locking and data exfiltration
The actor shared a repository of tools and manuals used by the group on a file-sharing platform. Based on our analysis, the tools shared are not of an exclusive nature but standard Active Directory enumeration tools.
Common passwords used that conform to the AD password policy:
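The point of the line above is that a password can satisfy Active Directory's built-in complexity filter and still be trivially guessable. The following added example (not CloudSEK's code, and not the passwords from the leak) implements the documented "Password must meet complexity requirements" rule (no samAccountName or displayName token of three or more characters in the password; characters from at least three of five categories) and then applies a small constructed deny-list and a year check on top of it. The minimum length of 7, the deny-list words and the sample passwords are assumptions for illustration.

```python
"""AD password-complexity check plus a deny-list, to show why a policy-conformant
password can still be weak.

Added example, not CloudSEK's code. The complexity rule follows the documented
"Password must meet complexity requirements" setting; the minimum length and the
deny-list below are assumptions for illustration.
"""
import re

MIN_LENGTH = 7  # assumption: check the value in your own Default Domain Policy

# Constructed deny-list of base words; a production list would be far larger.
BANNED_BASE_WORDS = {"password", "welcome", "summer", "winter", "company", "letmein"}

# AD counts each character toward one of five categories.
_CATEGORY_TESTS = (
    str.isupper,
    str.islower,
    str.isdigit,
    lambda c: not c.isalnum() and not c.isspace(),                   # special characters
    lambda c: c.isalpha() and not c.isupper() and not c.islower(),  # other Unicode letters
)


def meets_ad_complexity(password: str, sam_account_name: str = "", display_name: str = "") -> bool:
    """True if the password would pass AD's built-in complexity filter."""
    pw = password.lower()
    # samAccountName of 3+ characters may not appear anywhere in the password.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw:
        return False
    # displayName is split on , . - _ # space tab; tokens of 3+ characters may not appear.
    for token in re.split(r"[,.\-_# \t]+", display_name):
        if len(token) >= 3 and token.lower() in pw:
            return False
    categories = sum(any(test(c) for c in password) for test in _CATEGORY_TESTS)
    return len(password) >= MIN_LENGTH and categories >= 3


def base_word(password: str) -> str:
    """Strip leading/trailing digits and specials and lower-case ('Welcome1!' -> 'welcome')."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def evaluate(password: str, sam_account_name: str = "", display_name: str = ""):
    """Return (accepted, reasons). Complexity alone is not enough: deny-list hits also reject."""
    reasons = []
    if not meets_ad_complexity(password, sam_account_name, display_name):
        reasons.append("fails AD complexity rule")
    if base_word(password) in BANNED_BASE_WORDS:
        reasons.append("base word is on the deny-list")
    if re.search(r"(19|20)\d{2}", password):
        reasons.append("contains a four-digit year")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples: the first two pass AD complexity but are rejected here.
    for pw in ("Welcome1", "Summer2021!", "correct-horse-battery-staple-42"):
        print(pw, meets_ad_complexity(pw), evaluate(pw))
```

Both constructed samples "Welcome1" and "Summer2021!" pass `meets_ad_complexity` yet are rejected by `evaluate`, which is the gap a deny-list (or Azure AD Password Protection, or an equivalent filter) closes.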
The adversary's Team Server IPs can be blacklisted:
| IP | Country | ISP | ASN |
| --- | --- | --- | --- |
| 162.244.80.235 | USA | Data Room Inc | 19624 |
| 86.93.88.165 | Netherlands | KPN BV | 1136 |
| 185.141.63.120 | Bulgaria | RedCluster Ltd | 44901 |
| 82.118.21.1 | Poland | ITL LLC | 204957 |
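The team server IPs in the table, the ports named for sustaining remote connections (80, 443, 8080, 8443) and the port 53 persistence cases can be turned into a simple retrospective sweep of outbound connection logs. The following is an added example (not CloudSEK's code): it parses a constructed, simplified firewall export, flags outbound connections to the listed team server IPs, and separately flags port 53 traffic to anything other than the approved resolvers. The log format, the RFC 1918 definition of "internal", the two resolver addresses and all non-IoC addresses (documentation ranges) are assumptions.

```python
"""Detection sweep over outbound connection logs for the Conti IoCs in this post.

Added example, not CloudSEK's code. The log format is a constructed, simplified
firewall export (one 'key=value' record per line); adapt parse_line() to yours.
"""
import ipaddress
from dataclasses import dataclass

# Team server IPs from the post's blocklist table.
TEAM_SERVER_IPS = {
    "162.244.80.235",  # USA, Data Room Inc, AS19624
    "86.93.88.165",    # Netherlands, KPN BV, AS1136
    "185.141.63.120",  # Bulgaria, RedCluster Ltd, AS44901
    "82.118.21.1",     # Poland, ITL LLC, AS204957
}

# Ports the post names for sustaining remote connections, and 53 (seen for persistence).
C2_PORTS = {80, 443, 8080, 8443}
DNS_PORT = 53

# Assumptions for this environment: RFC 1918 space is "internal", and hosts may
# only speak port 53 to these two resolvers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Constructed format: '<timestamp> src=A dst=B dport=N proto=P'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def scan(log_lines):
    """Return one Finding per outbound record that matches an indicator."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if not line.strip():
            continue
        src, dst, dport = parse_line(line)
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic is of interest here
        if dst in TEAM_SERVER_IPS:
            reason = "destination is a listed Conti team server"
            if dport in C2_PORTS:
                reason += " on a known C2 port"
            findings.append(Finding(n, src, dst, dport, reason))
        elif dport == DNS_PORT and dst not in APPROVED_RESOLVERS:
            # Port 53 to anything but the approved resolvers deserves a look,
            # given the persistence cases the post mentions.
            findings.append(Finding(n, src, dst, dport, "port 53 to a non-approved resolver"))
    return findings


# Constructed sample records; addresses other than the IoCs are documentation ranges.
SAMPLE_LOG = """\
2021-08-05T10:00:01Z src=10.0.0.15 dst=198.51.100.10 dport=443 proto=tcp
2021-08-05T10:00:02Z src=10.0.0.15 dst=162.244.80.235 dport=443 proto=tcp
2021-08-05T10:00:03Z src=10.0.0.22 dst=10.0.0.53 dport=53 proto=udp
2021-08-05T10:00:04Z src=10.0.0.22 dst=185.141.63.120 dport=53 proto=tcp
2021-08-05T10:00:05Z src=10.0.0.31 dst=198.51.100.7 dport=53 proto=tcp
2021-08-05T10:00:06Z src=203.0.113.9 dst=82.118.21.1 dport=8080 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport} ({f.reason})")
```

Note the design choice of not relying on `ipaddress`'s `is_private`: it treats the documentation ranges used in the sample as private, so an explicit list of internal networks keeps the internal/external split under your control. The IP match is checked before the port heuristic so a team server contacted on port 53 is reported as an IoC hit rather than as a generic DNS anomaly.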
Prevent initial access at all costs. The following are basic mitigations: