JVCKenwood hit by Conti ransomware attack exfiltrating 1.7TB of data, including staffers' personally identifiable information (PII) and customers' personal information.
Conti ransomware operators use phishing attacks to install the TrickBot and BazarLoader Trojans, which give them remote access to infected machines. The email pretends to come from a sender the victim trusts and contains a link that redirects the user to a malicious document. That Excel file carries a malicious payload: when the user downloads the document, the Bazar backdoor malware is fetched and connects the victim's device to Conti's command-and-control server. Once on the compromised machine, Conti encrypts data and carries out its "double extortion" scheme.
The ransomware loads an encrypted DLL into memory and executes its encryption routine, which then spreads throughout the network. Threat actors deploy the ransomware after gaining access through unprotected RDP ports, using phishing emails to obtain remote access to the network through an employee's computer, or entering the network via malicious attachments, downloads, application-patch exploits or vulnerabilities.
SpearTip's engineers have observed Conti using Cobalt Strike in recent incidents. Conti typically adds secondary persistence mechanisms: AnyDesk and ScreenConnect.
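As an added defender-side example (not code from SpearTip or the original post), the Python hunt below runs over constructed process-creation events and looks for the chain described above: an Office document spawning a loader, followed by AnyDesk or ScreenConnect being installed as a secondary persistence mechanism. The event schema, process names and install flags are assumptions.

```python
"""Hunt for the Conti-style chain described above in process-creation events."""
import re

# Constructed sample events (not real telemetry); schema is an assumption.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "OUTLOOK.EXE", "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"host": "ws01", "parent": "EXCEL.EXE", "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\doc.dll,Start"},
    {"host": "ws01", "parent": "explorer.exe", "image": "AnyDesk.exe", "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "srv02", "parent": "services.exe", "image": "ScreenConnect.ClientService.exe", "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE budget.xlsx"},
]

# Assumed process lists; extend them to match your environment.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "outlook.exe"}
LOADER_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
INSTALL_FLAGS = re.compile(r"--install|--silent|/silent|--service", re.I)  # assumed flag patterns


def classify(event):
    """Return the rule names that fire for a single event, in a fixed order."""
    hits = []
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent in OFFICE_PARENTS and image in LOADER_CHILDREN:
        hits.append("office_spawns_loader")          # maldoc -> loader (BazarLoader-style stage)
    if image in REMOTE_ACCESS_TOOLS:
        hits.append("remote_access_tool_present")    # AnyDesk / ScreenConnect seen at all
        if INSTALL_FLAGS.search(event["cmdline"]):
            hits.append("remote_access_tool_install")  # being installed, i.e. persistence
    return hits


def hunt(events):
    """Group rule hits per host so the analyst sees the chain, not isolated alerts."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev["host"], []).append((rule, ev["image"]))
    return findings


def chained_hosts(findings):
    """Hosts where a maldoc loader AND a remote-access-tool install both occurred."""
    return sorted(h for h, hits in findings.items()
                  if {"office_spawns_loader", "remote_access_tool_install"} <= {r for r, _ in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, hits in found.items():
        print(host, hits)
    print("likely intrusion chain on:", chained_hosts(found))
```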
SpearTip's ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices to provide security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.