Ransomware Attacks in the African Ecosystem, and all you should know about the Conti Ransomware

While social engineering remains the most popular attack vector in Africa, a study by Interpol found that instances of ransomware and botnet attacks are also rising.

Ransomware is the fourth most prevalent cyber-attack identified in the report, which states that 61% of companies in the region were affected by ransomware in 2020 alone.

The report adds that “these attacks targeted some African countries’ critical infrastructure, including healthcare and maritime sectors.”

Ransomware attack in the Commerce Sector

In June 2022, RansomHouse, an extortion gang, claimed responsibility for a cyber-attack on Shoprite, Africa’s largest retailer. Shoprite confirmed the incident and said that customer data in Eswatini, Namibia and Zambia had been compromised. According to the company, the breached data “included names and ID numbers but no financial information or bank account numbers."

In messages posted on RansomHouse’s Telegram channel and seen by TechCrunch, the gang claimed to have obtained 600 gigabytes of data from Shoprite, including personal data that was “in plain text/raw photos packed in archived files, completely unprotected.” The group also claimed to have contacted Shoprite’s management for negotiations and hinted that it would sell the data and make some of it public if the talks failed. That is RansomHouse's standard playbook: victims that do not meet its demands have their stolen data offered for sale to other criminals, and if no buyer is found the group publishes it free of charge on its Tor (.onion) leak site. Although encrypted files have been observed in incidents attributed to RansomHouse, the actors claim that they do not encrypt anything and only steal data and extort; they have previously said that any encryption associated with them is the work of partner gangs running ransomware strains such as White Rabbit.

“An investigation was immediately launched with forensic experts and other data security professionals to establish the origin, nature and scope of this incident,” said Shoprite. “Additional security measures to protect against further data loss were implemented by amending authentication processes and fraud prevention and detection strategies to protect customer data. Access to affected areas of the network has also been locked down,” it said. The retailer urged affected customers to take precautionary measures, while saying that it had not noted any misuse or publication of the data. Note that names paired with national ID numbers are sufficient for identity fraud on their own, so the absence of bank details does not make a breach of this kind low-risk for the people affected.

Ransomware attacks on Critical/Maritime Infrastructure

Transnet, South Africa's state-owned ports and rail operator, appears to have been hit with a strain of ransomware that security researchers have linked to a series of high-profile breaches attributed to crime gangs from Eastern Europe and Russia.

On 22 July 2021, Transnet became the victim of a ransomware attack. The attack caused Transnet to declare force majeure at several key container terminals, including the Port of Durban, Ngqura, Port Elizabeth and Cape Town. The Port of Durban alone handles more than half of the nation’s shipments and is the main gateway for other commodity exporters, including the Democratic Republic of Congo and Zambia. It was the first time that the "operational integrity of the country's critical maritime infrastructure has suffered a severe disruption", leading the Institute for Security Studies (ISS) to call the impact "unprecedented" in South African history.

The attackers left a ransom note on Transnet’s computers claiming they had encrypted the company’s files, including 1TB of personal data, financial reports and other documents. The note instructed the firm to visit a chat portal on the dark web to enter negotiations. According to the cybersecurity firm CrowdStrike, the note resembled others seen in the preceding months and is linked to the ransomware family known variously as “Death Kitty”, “HelloKitty” and “FiveHands”. To contain the spread, Transnet employees were instructed to shut down all devices connected to the Transnet network and domain, and to refrain from accessing email on their phones or holding meetings on MS Teams. Concerns were raised that the ransomware could spread to the South African Revenue Service (SARS) and Customs, whose IT systems are linked to Transnet's.

The Department of Public Enterprises (DPE) stated that none of Transnet's clients' data had been compromised in the attack and that by July 26 most computer systems had been restored. On July 28 the DPE stated that Transnet had fully restored operations at the nation’s ports after reinstating its automated terminal operating system, with other systems being brought back in a staggered manner. Transnet also says it paid no ransom while restoring full operations at its ports.

Ransomware attacks on the Health sector

Healthcare institutions were prime targets for cybercriminals during the first year of COVID-19. According to a study by IBM Security, cyberattacks against medical entities, dominated by ransomware, doubled compared with 2019.

The second largest private hospital operator in South Africa was hit by a cyber-attack in the midst of the COVID-19 outbreak in June 2020.

Multiple hospitals under the Life Healthcare Group suffered a ransomware attack amid South Africa’s first Level 4 COVID lockdown. The ransomware crippled hospital admissions systems, email servers and business processing systems such as patient billing and medical aid claims. Hospital and office staff had to fall back on manual processes, with the obvious business continuity complications and administrative delays. Life Healthcare immediately alerted the relevant authorities and brought in external cybersecurity experts and forensics teams to advise and supplement its internal teams, the breach being considered a severe one.

Fortunately, patient care was not affected by the attack. However, disruptions continued for 2-4 weeks until IT systems were fully restored.

It's not all doom and gloom. More and more African organizations are beginning to treat cybersecurity as an active threat instead of a passive one, and have put in place better measures to keep their data safe from attack and recoverable after one. Backups and cyber insurance are the most widely adopted mitigations against ransomware, and an increasing number of businesses and organizations are adopting them. The distinction matters: insurance only transfers the financial loss, whereas tested, offline (or otherwise immutable) backups are what actually restore data when the attacker has deleted everything reachable from the network.

THE CONTI RANSOMWARE

The Conti ransomware first appeared in 2019 and became prominent in 2020 through its Ransomware-as-a-Service (RaaS) operation, coupled with a reputation for being extremely damaging (more on this later) due to its encryption speed and the way it spreads to other systems. The ransomware is believed to be run by a Russia-based cybercrime group tracked under the moniker Wizard Spider, the same group credited with the creation and operation of the Ryuk ransomware.

Modus Operandi

The group behind Conti uses several initial-access techniques, including:

  • Spear-phishing emails
  • Fake software promoted via search engine optimization
  • Stolen or weak Remote Desktop Protocol (RDP) credentials
  • Common vulnerabilities in externally facing assets

These are used to gain a foothold and install the TrickBot and BazarLoader trojans, which provide remote access to the infected machines. In the phishing case, the victim is tricked into believing an email comes from a trusted source; the link it contains leads to a document hosted on Google Drive carrying a malicious payload. Once that payload is downloaded it fetches the BazarBackdoor malware, which connects the victim machine to Conti's command-and-control (C2) server. Within a network, Conti also spreads over SMB (Server Message Block), which is how it reaches and encrypts data on other machines.

Once the malware is running on a victim machine, Conti first exfiltrates as much data as it can, then prepares the ground for encryption: it attempts to delete Volume Shadow Copies, uses the Windows Restart Manager to terminate services and applications that hold files open so those files can be encrypted too, and disables real-time monitoring and protection in Windows Defender, or removes Defender altogether. Only then does it encrypt, using its own implementation of AES-256 spread across up to 32 logical threads, which makes it much faster than most ransomware and hard to stop once it has started. By default it encrypts all files on local drives and on reachable SMB network shares, skipping files with the .dll, .exe, .sys and .lnk extensions so that the system keeps booting well enough to display the ransom note. It can also be pointed at specific drives or individual IP addresses.
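The pre-encryption steps described above (deleting shadow copies, switching off Defender) are noisy from a process-creation telemetry point of view, and they happen minutes before encryption starts, which is the last moment a defender can still act. The following is an added example (not code from the article or from any vendor) of hunting for those behaviours over flattened process-creation records. The log format, the field names (host, user, image, cmd) and the sample lines are all constructed for this example; the command lines they contain are the documented ways of deleting Volume Shadow Copies and disabling Defender real-time protection on Windows.

```python
"""Hunt for Conti-style pre-encryption activity in process-creation logs.

Added example, not the article's or any vendor's code. The records below
are constructed to resemble flattened Sysmon Event ID 1 entries; the
field layout (ts host= user= image= cmd="...") is an assumption here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One record per process creation (assumed format for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# (rule name, behaviour category, pattern over the command line).
# Only the "delete" forms match: "vssadmin list shadows" is routine admin work.
RULES = [
    ("vssadmin_delete_shadows", "shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", "shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wmi_shadowcopy_delete_ps", "shadow_copy_deletion",
     re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("defender_realtime_off", "defender_tamper",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b", re.I)),
    ("defender_uninstall", "defender_tamper",
     re.compile(r"uninstall-windowsfeature\b.*windows-defender", re.I)),
]

# How close together the two behaviours must be to call it staging.
WINDOW = timedelta(minutes=5)


def parse(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].rstrip("Z"))
    return rec


def scan(lines):
    """Return one finding per (record, rule) match, in log order."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, category, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({"ts": rec["ts"], "host": rec["host"],
                                 "user": rec["user"], "rule": name,
                                 "category": category, "cmd": rec["cmd"]})
    return findings


def correlate(findings, window=WINDOW):
    """Hosts where shadow copies were deleted AND Defender was tampered with
    inside `window`. Either alone can be admin work; together they are not.
    Returns {host: (first_ts, last_ts)}."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    staged = {}
    for host, fs in by_host.items():
        for a in fs:
            for b in fs:
                if (a["category"] == "shadow_copy_deletion"
                        and b["category"] == "defender_tamper"
                        and abs(a["ts"] - b["ts"]) <= window):
                    staged[host] = (min(a["ts"], b["ts"]), max(a["ts"], b["ts"]))
    return staged


# Constructed sample telemetry (not real data). FS01 shows the full staging
# sequence; WS07 only deletes shadow copies, which should not escalate.
SAMPLE_LOG = r'''
2022-07-01T10:11:50Z host=FS01 user=NT_AUTHORITY\SYSTEM image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs -p"
2022-07-01T10:12:01Z host=FS01 user=CORP\backupadm image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe list shadows"
2022-07-01T10:12:03Z host=FS01 user=CORP\svc_sql image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2022-07-01T10:12:40Z host=FS01 user=CORP\svc_sql image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"
2022-07-01T11:00:00Z host=WS07 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2022-07-01T11:00:05Z host=WS07 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
'''.strip().splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%H:%M:%S} {f['host']:5} {f['rule']:25} {f['cmd']}")
    for host, (first, last) in correlate(found).items():
        print(f"ALERT probable ransomware staging on {host}: "
              f"{first:%H:%M:%S}..{last:%H:%M:%S}")
```

Run as-is it reports four individual findings and one staging alert for FS01; WS07 produces two shadow-copy findings but no alert because Defender was never touched there, and the `vssadmin list shadows` line on FS01 is ignored. In a real environment the escalation step matters more than the individual rules: backup administrators do delete shadow copies, but they do not also switch off real-time protection on the same host in the same few minutes, and that combination is the point at which an endpoint should be isolated rather than ticketed.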

Conti actors are also known to abuse legitimate remote monitoring and management (RMM) software and remote desktop software as backdoors to maintain persistence on victim networks. They use tools already present on the victim network and, as needed, bring in additional ones such as Windows Sysinternals (proof again that tools are not inherently good or bad, only their use is) and Mimikatz to obtain users’ password hashes and clear-text credentials, which let them escalate privileges within the domain and carry out further post-exploitation and lateral movement.

The Risks

Apart from the obvious consequences of a ransomware attack, namely disruption to service, loss of essential files, legal fees, brand and reputation damage, layoffs due to financial strain and, in the worst case, business closure, there is now the growing practice of double extortion: even after paying for the decryption key, the victim is threatened with publication or sale of the data that was exfiltrated before encryption unless a second, usually smaller, ransom is paid.

Successful ransomware operators usually put effort into establishing some sort of 'integrity' in their trade, maintaining a reputation for delivering on their word to decrypt files and not leak them once the ransom is paid. Conti's operators, however, do not seem to feel bound by the same rules.

According to Sophos' State of Ransomware 2021 report, the share of organizations that decided to pay a ransom rose to 32% in 2021 from 26% the year before. The same report found that only 8% of those that paid got all of their data back, and 29% recovered no more than half of it. The average Conti ransom as of June 2022 was $110,000 for mid-sized organizations, rising to as much as $10 million in the case of the Costa Rican government, which the group hit in April 2022, disrupting the tax and customs platforms and affecting foreign trade and public payroll systems.

The Impact Made

The attack on the Costa Rican government prompted President Rodrigo Chaves to declare a national state of emergency on May 8 and to brand the Conti group a terrorist organization, while refusing to pay the ransom. Conti responded by leaking what it claimed was 650GB of data taken from Costa Rican government systems.

Then, in the wake of the Russian invasion of Ukraine, the Conti group announced its full support for the Russian government and threatened retaliatory cyber-attacks against the critical infrastructure of any country that attacked Russia. This turned out to be a nail in the group's coffin: it drew backlash from the rest of the cybercrime world, with other ransomware groups declaring political neutrality. Conti tried to walk the statement back with a new message saying that it did not ally with any government and condemned the war, but the reputational damage had already been done.

The biggest unravelling was still to come. After Conti declared allegiance to the Russian government, an insider believed to be Ukrainian leaked the group's internal chat logs, source code and other files, going back to its founding. The leak, widely known as the Conti Leaks, gave an inside view of how the organization was run as a modern-day business.

In light of the threat the group posed and its double-extortion tactics, the U.S. State Department offered a reward of up to $10 million for information on the identity or location of Conti's leaders, and up to $5 million for information leading to the arrest or conviction of any Conti co-conspirator in any country. The FBI estimated that Conti had victimized more than 1,000 organizations and collected over $150 million in ransom payments, making it the costliest ransomware strain the FBI had documented.

What Next

Under the heat from various organizations and governments, and after the exposure of the Conti Leaks, the group decided to rebrand. In May 2022, security intelligence companies reported that the Conti infrastructure, including its official website, negotiation service, chat rooms and messengers, had been shut down or was being reset. Researchers from the security firm AdvIntel assessed that the group was retiring the Conti brand and would splinter into separate teams, a process that had begun months earlier and had recently accelerated. "This shutdown highlights a simple truth that has been evident for the Conti leadership since early Spring 2022 - the group can no longer sufficiently support and obtain extortion. The blog's key and only valid purpose are to leak new datasets, and this operation is now gone." On May 6, AdvIntel explained that the Conti brand, and not the organization itself, was in the process of the final shutdown, and later wrote: "As of May 19, 2022, our exclusive source intelligence confirms that today is Conti’s official date of death."

The skills that Conti members and affiliates have accrued, the training materials they have created and the expertise they have developed in setting up infrastructure and laundering cryptocurrency all make them highly prized recruits for other groups, and researchers expected Conti members to re-emerge under other names. Groups such as Black Basta, BlackByte and Karakurt have already been credited with taking former Conti members into their ranks.

Even in light of all this, some cybersecurity experts still believe that the most prolific members of the group will continue to operate. "The Battle against Conti Ransomware might have been won, but the War is still ongoing".