Conti is one of the most notorious cybercrime collectives in the world. Widely known for their aggressive and effective tactics to mount large-scale attacks on organizations of all sizes, Conti ransomware is a reminder of the importance of developing a robust cybersecurity plan for your clients.
From using multi-factor authentication (MFA) to monitoring networks for vulnerabilities, use these recommendations to help protect your clients against the possibility of ransomware attacks.
Conti ransomware works by leveraging a ransomware-as-a-service (RaaS) attack model.
This model of industrialized cybercrime typically functions by paying affiliates to deploy malware into an organization’s IT systems. Once this implementation occurs, it creates a window of opportunity for the primary cybercriminals to infiltrate an organization’s network, encrypt data, and then hold this information for ransom.
In the case of Conti ransomware, the CIA theorizes that Conti developers likely have a slightly different model: developers pay the deployers of the ransomware a wage rather than the percentage of proceeds that affiliate cyber actors typically receive. Furthermore, since the widely publicized ransomware attack on the Colonial Pipeline in May 2021, the RaaS landscape continues to evolve, with key players adopting new tactics that draw less attention.
Who is behind Conti ransomware? According to statements by the U.K. and U.S., Conti is likely linked to Russian intelligence services, and many of their actions align with Russia’s international interests. Researchers have also concluded that cybercriminals in the Conti ransomware gang have connections to the Kremlin.
In most scenarios, Conti attacks have employed similar tactics and procedures to prey on victims:
One major development regarding the Conti ransomware group is that it took down most of its infrastructure in May 2022, leading many industry experts to say that the group had “shut down.” However, this shift still has ripple effects today.
One such example is the leak earlier that year of over 2 years’ worth of private chats inside the organization. The leak was believed to have been prompted by the group’s public support of Russia in the war with Ukraine. These leaks provided unparalleled insight into the workings of the organization, including:
As of right now, it’s not 100% clear what’s become of the former Conti hackers. At one point, they claimed they would be splitting into smaller, autonomous groups, but there’s no clear proof this is the case.
While it’s easy to assume this change means that Conti is no longer a topic worthy of discussion, this couldn’t be further from the truth. First, many of the hackers that are a part of that “talent group” can easily find their way into other ransomware collectives, potentially increasing their capacity to target organizations.
Secondly, the leaks have given the cybersecurity community a much deeper look into how hacking groups operate on a day-to-day basis.
Finally, some of the major attacks that Conti has claimed responsibility for still have ramifications in the cyber landscape today. Here are some examples.
Conti has been affiliated with more than 1,000 ransomware attacks. Many of the recent Conti ransomware attacks have been high-profile and gained significant media attention.
Two major Conti ransomware attacks crippled many of Costa Rica’s essential services, leading to the declaration of a national emergency. Beginning in mid-April of 2022, attackers targeted 27 government bodies, forcing them to shut down or alter operations.
Files from within the finance ministry were encrypted, and the digital tax service and IT system for customs control were destroyed. Import and export businesses faced shipping container shortages, with local news reports estimating that the losses ranged from $38 million per day up to $125 million over 48 hours.
The Conti ransomware gang allegedly disbanded in June 2022 after this hack, but its members are believed to have joined other cybercriminal groups.
Conti ransomware gained international recognition for a 2021 ransomware attack on the Ireland Health Service Executive and Department of Health, an attack that caused IT systems to shut down for weeks.
Conti ransomware claimed to have more than 700 gigabytes (GB) of unencrypted files, including financial statements, payroll, contracts, and other sensitive documents. Conti actors demanded a $20 million ransom payment from Ireland’s HSE. Ireland refused to pay the ransom but wound up spending far more to recover from the attack.
In September 2021, Conti ransomware targeted JVCKenwood, an electronics manufacturer in Yokohama, Japan, known for its car and home electronics. Conti actors demanded that JVCKenwood pay $7 million for the return of 1.7 terabytes (TB) of stolen and encrypted data.
Conti claimed to have terminated negotiations with JVCKenwood after reports surfaced stating that the company leaked details of the ransom negotiation.
Although the original formation of the Conti RaaS has shut down, its members have likely dispersed into other ransomware operations, bringing their specialized knowledge and strategies to new teams.
Conti malware is a prime example of the unique cybersecurity challenges MSPs face. To better understand the threat landscape — including Conti ransomware and other Conti strains — read our 2023 MSP Threat Report.
Conti malware targets vulnerable systems and exploits organizational blind spots. One of the most important tactics for preventing a Conti ransomware attack is to keep all client software and systems up to date. This means patching systems and software in a timely manner and keeping your client’s internal team well-informed on the importance of software updates.
For further protection, MSPs should leverage cyber threat hunting to effectively monitor and probe client systems to stop potential threats from infiltrating the network.
One of the most effective measures to decrease the possibilities of cyberattacks is to leverage strong passwords and multi-factor authentication. Work with your clients to develop MFA protocols and complex passwords to strengthen security.
In most Conti ransomware attacks over the past three years, a phishing email starts the process. For MSPs seeking the best way to protect clients, consider an email protection solution that detects advanced threats.
While implementing an upstream solution is the most effective tactic for mitigating phishing emails, it’s also crucial to educate your client’s team on best practices for email hygiene — and how to effectively spot a phishing email to stay safe.
In most scenarios, Conti ransomware attacks target confidential or crucial data and demand a ransom in order to get it back. Properly backed up data is absolutely vital to maintaining business operations in the case of an attack. Focus on providing your clients with a full suite of backup solutions.
For more information on how to put together an effective SaaS backup program for clients, check out our checklist, 5 Things to Consider When You Need Effective SaaS Backup.
Reducing the potential for cyberattacks starts by building a foundation of strong security. The best thing you can do is support your clients as they develop a strong security culture. This includes educating client team members on best security practices, including:
Constant monitoring for suspicious patterns of behavior is key. This includes suspicious network traffic, unauthorized changes, or repeating patterns that suggest something out of the ordinary.
If you’re an MSP looking for the best platform to protect your clients, ConnectWise cybersecurity management is here to help. From endpoint detection and response to security policy management, we have a suite of software solutions to help you protect your clients’ most critical business assets. Explore our cybersecurity demos today to get started.
In most scenarios, Conti ransom notices provide details on how to send payment, how much money they demand, and what will allegedly occur if you do not pay the ransom.
The typical ransom demand in a Conti ransomware attack varies depending on the victim’s financial records. According to one analysis, the ransom demand is typically between 0.7% and 5% of the victim’s annual revenue — and most ransomware gangs offer discounts for immediate payments.
It depends. Decryption may be possible in certain circumstances, particularly if the malware is flawed or not fully developed. However, in most scenarios, the only viable option is to recover lost data from a backup source.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) “strongly discourage” organizations from paying the ransom in cybercriminal attacks. Paying a ransom note can embolden ransomware gangs to target other organizations and encourage more attacks. In many cases, paying the ransom doesn’t result in recovered files.
Historically, the healthcare industry has been most vulnerable to Conti ransomware attacks. While Conti claims to have disbanded, some of the top industries targeted by other RaaS groups include the healthcare, manufacturing, and energy sectors.
Robust antivirus software and antimalware programs can help detect and mitigate potential Conti ransomware attacks. By leveraging these programs to conduct regular scans of the network and all organizational assets, MSPs can identify irregularities or vulnerabilities in the infrastructure.
It is highly difficult to trace or track the perpetrators of any ransomware attack. Although many RaaS groups are known, the criminals use code names and are difficult to track down.