In business, when one profit stream slows down and starts to dry up, other revenue streams have to be found. This is true even of ransomware, which is big business these days. That may be why the notorious group Conti is branching out into a potentially new area—selling data from victims to the highest bidder.
As first reported by the site KrebsOnSecurity, Conti has started advertising access to organizations it’s compromised. The KrebsOnSecurity article posted a screenshot of the “Conti News” site, with the name of the victim company obscured.
“We are looking for a buyer to access the network of this organization and sell data from their network,” reads the identical message beneath each victim’s name. It also lists a bit of information about the victim, for instance:
- <obscured name> is the leading provider of fully integrated education and packaging solutions in the MENA region
- <obscured name> is a world leading manufacturer of stainless steel storage and processing vessels…
- <obscured name> Family-owned commercial printer
The postings could indicate that Conti is raking in less money through its regular methods of extortion. This is speculation, since no details of its finances are publicly available, but it is true that fewer companies are paying demanded ransoms these days. SC Media reported that one law firm that works with clients victimized by ransomware said that as recently as two years ago, more than half their clients paid a ransom. This year, less than 30% will.
Shifting Ransomware Strategies
If that trend is more broadly seen across the industry, it may signal a shift in strategy, forcing criminals to be more creative in their extortion attempts.
(Editor’s Note: ActualTech Media has just published a book—Ransomware: Understand. Prevent. Recover.—with a wealth of information to help organizations survive a ransomware attack.)
Conti is known in the industry as one of the less scrupulous ransomware groups. Even among cybercriminals, it will do what many others won’t, taking down critical services such as hospitals, 911 call centers, and law enforcement agencies.
In May 2021, Conti attacked Ireland’s entire healthcare system, forcing the shutdown of all its networks. Conti is also infamous for its “double ransom” methodology. In this type of attack, payment is demanded for two actions:
1) Providing a decryption key to recover locked files
2) Keeping the criminals from publicly posting private, sensitive information—credit card numbers, health details, Social Security numbers, and so on—stolen from the victim
What this means for organizations worried about ransomware is that it’s important to keep a close eye on trends in how the Bad Guys are operating. The types of attacks you see will continue to evolve, and will necessitate different types of defenses and reactions to attacks.