Shortly after hitting Parker Hannifin Corporation, a serious element provider for Boeing and Lockheed Martin, the Conti ransomware group deserted the Conti title and break up off into smaller teams that coordinate with the bigger group’s management. This move got here after Conti focused the federal government of Costa Rica with ransomware. By concentrating on a authorities, the ransomware group could have invoked state actors to extend their efforts to take down Conti management, forcing the group to interrupt aside into smaller cells for elevated operations safety (OPSEC). Even earlier than the assault on Costa Rica’s authorities, the US Department of State introduced a $10 million reward for data that helps determine or find key members of the Conti ransomware group.

While Conti could now not be working below that title, cybersecurity researchers are nonetheless analyzing assaults perpetrated by the group earlier than its dissolution. Researchers on the cybersecurity agency Group-IB have printed a report detailing a specific ransomware marketing campaign carried out by Conti between November 17 and December 20, 2021. According to Group-IB, the marketing campaign, codenamed “ARMattack,” was one of many ransomware teams’ quickest and most efficient campaigns.

Map of ARMattack victims (click on to enlarge) (source: Group-IB)

In just a little below 5 weeks, the Conti ransomware gang compromised the pc methods of over 40 firms internationally, with the plurality being positioned within the US. Thanks to actors in numerous time zones, Conti was in a position to function 14 hours out of the day throughout this marketing campaign and accomplished one assault in simply three days. Once the group efficiently gained unauthorized entry to a community, it might exfiltrate key paperwork, together with recordsdata containing passwords, then carry out privilege escalation and acquire entry to all desired gadgets. Lastly, the group would deploy ransomware to all compromised gadgets, encrypting the information inside, and publicize the assault on the group’s devoted leak site, threatening to publicly launch the encrypted knowledge if the ransom wasn’t paid.

It’s price nothing that the ARMattack marketing campaign didn’t hit a single firm positioned in Russia. Conti is a Russian-speaking group and, past the unstated rule that Russian cybercriminals don’t assault Russian firms, the ransomware group has made public statements declaring its allegiance to Russia and its authorities. When Russia started its invasion of Ukraine, the Conti ransomware gang introduced its full assist of the Russian authorities and threatened to conduct counterattacks towards anybody who carried out cyberattacks or different offensive measures towards Russia.