Based on multiple incident response matters and current assessment, it is believed that Conti ransomware is linked to the same developer group behind Ryuk ransomware, based on code reuse and the unique TrickBot distribution. The same distribution attack vector is used widely by the Ryuk deployment group.

Ryuk has a history of working with TrickBot. Back in July 2019, for instance, a municipality in Florida fired its IT director shortly after paying a ransom of $460,000 for an attack it had suffered a month earlier. In that "Triple Threat" infection, a malicious email attachment downloaded Emotet onto the city's network. That malware then downloaded TrickBot, which was responsible for dropping Ryuk. Nearly a year after that, researchers uncovered several attack campaigns that waited two weeks after achieving a successful TrickBot infection before they deployed Ryuk ransomware as their final payload.

The findings discussed above highlight the dynamism of the ransomware threat landscape. As one family's activity fades, another ramps up its attack efforts. Organizations therefore need to take steps to protect themselves against a ransomware attack. They can do this by working to prevent an infection in the first place. For more information on how Conti works, organizations can review Carbon Black Threat Analysis Unit's analysis of the ransomware family here.