Conti Ransomware Gang Claims 50+ New Victims including Oil Terminal Operator Sea-Invest Disrupting Operations at 24 Seaports Across Europe and Africa

eSentire Warns Ukraine & its Western Allies of Conti’s Long History of Disrupting Critical Infrastructure. Could Conti Be the Perpetrator Who Attacked 3 Oil Storage & Transport Companies in January?

On February 25, one day after Russia’s full-scale invasion into the Ukraine, the notorious Conti Ransomware Gang (formerly known as Ryuk) posted a warning on their data leak site declaring its support for Russia, stating if anyone organized a cyberattack or any war activities against Russia, they would use “all possible resources to strike back at the critical infrastructures of an enemy.” Later that evening, Conti revised its message slightly proclaiming how they condemned the ongoing war, and yet they would use their full capacity to retaliate if there were any attempts to target critical infrastructure in Russia or any Russian-speaking region of the world. On February 27, someone leaked 60,000 chat logs and financial data pertaining to Conti’s activities between January 29, 2021, and February 27, 2022. It is now suspected that it was a Ukrainian security researcher who leaked the data. As a result, some security researchers reported on March 3 that some of Conti’s back-end infrastructure has been taken down by the Conti operators. This doesn’t come as a surprise to eSentire’s security research team, the Threat Response Unit (TRU) because many of the IP addresses for Conti’s servers were shared in the leaked chats. However, the Conti Gang is highly skilled, they are seasoned ransomware operators, they have deep pockets, and several members appear to maintain good relationships with representatives from the U.S. judicial system and the Russian government. See Image 1 and 2.

Image 1—Chat between Conti Operator Mango describing his connections with the Russian community in Brooklyn, NY including a major court judge and a lawyer.

Image 2: Chat between Conti Gang members, Mango and Professor, discussing tracking those who are against the Russian Federation and Mango asking if they are supporting Russia.

Even if the Conti operators dismantle portions of their infrastructure and even go as far as to shut down their operation, TRU believes that they will simply reactivate their operation with new infrastructure and give their Ransomware as a Service a new name. eSentire continues to warn the Ukraine and its Western Allies that if Conti Gang members, loyal to Russia, want to seriously disrupt businesses and critical infrastructure organizations, they certainly possess the skills, the tools and the experience to do so. Conti has a long track record of seriously disrupting critical services, and the threat group continues to target critical infrastructure, in addition to other businesses key to the supply chain. Many security researchers believe Conti first came on the ransomware scene in 2018 under the name of Ryuk. However sometime in 2020, it is believed that the threat actors running Ryuk either split into two groups, rebranded or decided to begin using the “Conti” name. It is also interesting to note that the Conti ransomware code is extremely similar to the Ryuk code base. In addition, the initial Conti ransom note to victims used the same template utilized by Ryuk in earlier attacks.

TRU reports that from November 27, 2021, to February 27, 2022, the Conti Gang claims to have compromised 50+ new victims, and two-thirds of the organizations are based in Europe and the U.K. The remaining victims are in the U.S., Canada, Australia and New Zealand. Most disturbing is a notification that Conti posted on their leak site on February 7, 2022, where they stated they had compromised international terminal operator, SEA-Invest. The Belgium-based company operates terminals in 24 seaports across Europe and Africa, handling liquid bulk (oil and gas), fruit & food, breakbulk, and dry bulk. SEA-Invest reported they had suffered a cyberattack against their IT networks on Sunday, January 30. They said that “all 24 of the seaports they run across Europe and Africa were affected by the attack,” according to the BBC. In TRU’s experience, they have never seen a top ransomware gang claim to have compromised a victim when they have not.

Coincidentally, during the same January 28 weekend, three other large international oil storage/transport companies reported being hit by a significant cyberattack which disrupted their IT systems. The three victims include the Germany-based sister companies, Oiltanking Deutschland GmbH and Mabanaft Deutschland GmbH, and the Netherlands-based company, Evos. News articles chronicling the attack said that Oiltanking’s 11 German terminals were operating at "limited capacity,” and as a result of the attack, it shut down Oiltanking’s loading and unloading process. The loading and unloading process of oil is computerized and it is not possible to shift back to manual controls. Oiltanking Deutschland GmbH supplies 26 companies in Germany with fuel, including 1,955 Shell gas stations. Reuters reported that Shell Deutschland GmbH had been able to “re-route to alternative supply depots” during the attack. However, Oiltanking Deutschland said it had declared “force majeure” because its German terminals were operating on a limited basis. The activation of “force majeure” excuses a company from meeting contractual obligations in an extraordinary event that is beyond its control.

Mabanaft Deutschland GmbH is the leading independent importer and wholesaler of petroleum products in Germany. Press reports said It also declared “force majeure” because the majority of its inland supply activities in Germany were affected. Aral, the largest petrol station network in Germany with around 2,300 stations, said during the incident they began “supplying its stations from alternative sources in light of the disturbance, “ according to a spokesperson for its owner British Petroleum PLc.

To add fuel to the fire, during the same January weekend Netherlands-based Evos, which stores, handles and distributes oil and gas, confirmed in early February that their IT network also got hit by a cyberattack. One news report stated that a spokesperson for Evos claimed that the cyberattack on their IT systems affected its IT services at terminals in Terneuzen, Ghent and Malta and have "caused some delays in execution". 

Rob McLeod, VP of eSentire’s Threat Response Unit (TRU) research team, wonders if the cyberattacks that hit Oiltanking, Mabanaft and Evos weren’t also ransomware attacks, and if they weren’t perhaps carried out by the Conti Ransomware Gang? “Conti claimed to have attacked SEA-Invest and during the same weekend, three other oil storage and transportation companies, in the same general region of Europe, get hit by a serious cyberattack,” said McLeod. “The timing is uncanny, and it is plausible that the Conti Ransomware Gang could be behind these latter attacks.” The reasons include:

1. The Conti Ransomware Gang Maintains a Sophisticated Arsenal of Malware and Other Tools- According to Keegan Keplinger, Researcher and Reporting Lead for the TRU Team, the Conti Gang is extremely well resourced when it comes to cyber talent, malware and tools. “Conti interacts with many of the top cybercriminals in the ransomware business, having developed relationships with developers, botnet operators, intruders and initial access brokers. They use a variety of tools, including custom malware builds and both public and private tools. Trickbot was Conti's original backdoor tool through 2019 and 2020, known to be delivered by Emotet. From their recently leaked chat logs, TRU was able to determine their most recent tool preferences. This includes switching from Trickbot to BazarLoader, utilizing business database service like Zoominfo, public scanning services like Shodan, evasion tools like Shellter Project, copies of CarbonBlack to find ways to evade it, and dyncheck, an AV scanner that can tell you how detectable your malware is. Like other ransomware actors, Conti group has adopted Cobalt Strike for hands-on intrusion actions.
2. Conti Ransomware Gang is Capable and Effective- The Conti Ransomware operators are extremely capable and effective. They came onto the ransomware scene in 2018, and the TRU team calculates that they have compromised 480+ victims since their inception. Conti is one of the few original, top ransomware groups still operating. Prior to the shutdown of the REvil/Sodin group (the ransomware operators that compromised the Kaseya VSA Software in May 2021), Conti and REvil rivaled each other for the number one spot in the ransomware ecosystem. The Conti Gang has successfully attacked critical systems, such as school systems, municipalities, healthcare networks, energy companies and they usually stand behind their threats. For example, they attacked the Broward County School District In March 2021. When the school district refused to pay the $40 million ransom, the hackers lowered their demands to $10 million, but the school system still refused to pay. As a result, the Conti Group posted 26,000 files (mostly financial, dealing with payments, invoices, etc.) belonging to the school district on their leak site. Other organizations Conti compromised in 2021 include transportation/logistics companies, construction companies, and healthcare organizations. Readers might recall that Conti made headlines in 2019 and 2020 with its successful attacks on several small U.S. communities, including Jackson County, Georgia; Riviera Beach, Florida; and LaPorte County, Indiana. The Conti ransomware has also been seen in a wave of attacks targeting U.S. hospitals and health systems to the extent that the FBI and departments of Homeland Security and Health and Human Services issued guidance to healthcare organizations. The Conti Ransomware Group has been known to demand US$25 million from a single victim.
3. Conti Gang Has a Successful and Long Track Record of Compromising Critical Infrastructure Organizations (e.g. Hospital Networks, Municipalities, 911 Emergency Services, IT Service Providers)- The Conti Gang has a long history of attacking Critical Infrastructure organizations, and they continue to do just this. As previously mentioned, between November 27, 2021, to February 27, 2022 , the Conti Group claims to have attacked 50+organizations. Many of the victim organizations fall into critical infrastructure sectors, such as Healthcare and Public Health, Energy, Financial Services, Information Technology, Food and Agriculture. Here are some of the Conti Group’s recent victims which have been made public:
   • Aareon (IT Sector)- Aareon, a Netherlands-based Information Technology (IT) company, purports to be Europe’s largest software provider for real estate companies. The company reported the ransomware attack on their website on February 11, 2022. According to news reports, the Conti threat actors got access to personal data relating to tenants renting homes from various real estate companies that utilize Aareon’s software. News reports stated that the personal data accessed might also include tenant’s payment details. However, at the time the article was published this had not yet been determined.
   • Bank Indonesia (Financial Services Sector)- The Conti Gang also reported on their leak site that they had compromised Bank Indonesia, Indonesia’s central bank. The financial institution did confirm having suffered a ransomware attack in December 2021. However, they did not share that the Conti Gang were the perpetrators. Bank Indonesia reported that attack did not disrupt their operations, although the Conti gang claimed to have stolen 13.88 GB worth of documents. The threat actors threatened to leak the cache of documents if the Bank did not pay the ransom.
   • SEA-Invest (Energy Sector)- Conti posted that they compromised international terminal operator, SEA-Invest, on their leak site on February 7, 2022. The Belgium-based company operates terminals in 24 seaports across Europe and Africa, handling liquid bulk (oil and gas), Fruit & Food, breakbulk, and dry bulk. According to the company, the attack affected all 24 of the seaports they run across Europe and Africa.
   • CS Energy (Energy Sector)- On November 27, 2021 the Conti Gang reported on their leak site that they had attacked the corporate IT network of one of Australia’s large electricity providers, CS Energy. Although the organization’s CEO reported that the breach did not affect service for any of their millions of customers, there were reports that the company published a statement saying that in response to the attack: “they quickly took further assertive action to physically separate the company’s operational network from its compromised corporate systems.” This gave several security experts pause, wondering why the utility didn’t have the corporate and operational networks segregated originally. And if it was the case that the corporate network had not been separated prior to the Conti attack, then CS Energy’s cybersecurity practices had been insufficient.
   • iTCo (Technology Sector)- On February 12, 2022 the Conti Gang posted on their leak site that they had compromised IT Services company, iTCo, based out of New Zealand. The company states on their website that they provide IT services to 1,000 companies in New Zealand and abroad. According to news reports, iTCo said the attack temporarily impacted some of their IT systems, but once the full extent of the attack was known, they planned to begin a “progressive restoration process so as to return the systems to operation.” The Conti threat actors claimed that they had stolen more than 4 gigabytes of data, and threatened to leak the data if their ransom demands were not met.
   • Italian Natural Gas Distribution Company (Energy Sector)- At the end of November 2021, the Conti Gang claimed to have attacked an Italian Natural Gas Distribution Company. The company is part of a large Italian conglomerate.
4. Conti Gang is Agile- Conti Abandons Attacking U.S. Critical Infrastructure & U.S. Businesses and Targets Companies in CA, Europe and the U.K.- The Conti Ransomware Gang is agile and streetwise. “As U.S. President Biden, the Department of Justice and the FBI begin turning up the heat on Russian Ransomware Groups in September 2021, TRU noticed that while many of the other top ransomware groups were getting taken down or shutting down their own operations, like the Sodin, Darkside and Clop groups, Conti very quietly began fading into the background and ceased attacking big U.S. Critical Infrastructure targets and began setting its sights on companies in Canada, Europe, U.K.,Australia and New Zealand,” said Keplinger. A perfect case in point, between October 8 and November 3, 2021, Conti claims seven Canadian companies on their leak site. TRU also suspects that Conti could have been the attackers that took down the Newfoundland and Labrador healthcare system in November 2021. In December, TRU started noticing that Conti began increasing their attacks against organizations in Europe and the U.K.
5. Conti Developed the Multi-Step Ransomware Intrusion Model- Rather than being confined to targeting a single endpoint to infect with ransomware, modern Ransomware operations revolve around a full-scale intrusion into the organization. Doing so in a scalable and effective way requires many moving parts - as such, cybercriminals have adopted a sort of assembly line approach to extortion operations, whereby there are specialists, each owning their phase of the attack, and then there are support specialists to ensure proper tooling and integration. Initial Access brokers use social engineering and remote exploitation to provide access into organizations. Botnet operators are able to turn that Initial Access into a backdoor with limited capabilities. Intruders leverage the botnet – typically by deploying a Cobalt Strike beacon to the victim environment – to perform hands- on- intrusions and manually work around defenses to achieve lateral movement. Extortion teams apply additional pressure to compromised victims. But all of this is supported by hundreds of other specialists that help set up infrastructure, integrate the different parts of the malware chain, perform R&D, and manage financials. See Image 3.

Image 3. A graphic representation of a simplified kill chain and the specialists involved in a Ransomware-as-a-Service operation, such as Conti.

Sample of Critical Infrastructure Organizations Compromised by Conti (previously known as Ryuk until 2020) Between 2019 and July 2021

• Ireland’s National Healthcare System- On May 14, 2021 news reports emerged stating that the Conti Ransomware Gang had compromised and disrupted Ireland’s National Healthcare System . The Conti ransomware attack caused weeks of delays at the country’s hospitals, the cancellation of medical appointments, the shutdown of X-ray systems and delays in COVID testing. In a December 2021, an Irish news outlet reported that the country's healthcare system will have to spend more than $48 million USD and it could go as high as $100 million USD so as to recover from the widespread ransomware attack perpetrated by the Conti group.
   
• 16 U.S. Healthcare and First Responder Networks, including Law Enforcement Agencies, Emergency Medical Services, and 9-1-1 Dispatch Centers Hit by Conti- On May 20, 2021, The FBI issued a Flash Alert about the Conti Ransomware Gang. The alert stated: “The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first -responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 are located in the U.S.”
• Universal Health Services (Network of 250 Hospitals across U.S.) Hit by Massive Cyberattack- In September 2020, the UHS Network of 250 Hospitals, based in the U.S., was hit by a massive cyberattack.The Conti Gang was suspected to be behind the ransomware attack which seriously disrupted operations within the major hospital chain. The Associated Press reported that when the hospital network got hit by the attack, medical staff at various UHS hospitals across the country, exclaimed how the attack was negatively affecting the critical services they provide:
  
  A clinician involved in direct patient care at a Washington UHC facility described a high-anxiety scramble to handle the loss of computers and some phones. That meant medical staff could not easily see lab results, imaging scans, medication lists, and other critical pieces of information doctors rely on to make decisions. Phone problems complicated the situation, making it harder to communicate with nurses. Lab orders had to be hand-delivered. “These things could be life or death,” said the clinician.
  
  The Washington clinician said there was a lot of concern about how to determine whether or not patients had been exposed to the coronavirus, the Washington clinician said, adding that no harm came to any of the 20 or so patients they attended to. However, anxiety reigned during the entire shift. Handing off a patient to another department, always a delicate task because of the potential for miscommunication, became especially nerve-wracking.
  
  A different UHS healthcare worker, at an acute care facility in Texas, described an even more chaotic scene. “As of right now we have no access to any patient files, history nothing,” the Texas worker said, with emergency room wait times going from 45 minutes to six hours. “Doctors aren’t able to access any type of X-rays, CT scans.” Nothing that runs on Wi-Fi alone was functioning Monday, the Texas worker said. Telemetry monitors that show critical care patients’ heart rates, blood pressure and oxygen levels went dark and had to be restored with ethernet cabling.
• Jackson County, Georgia Attacked by Conti Gang- Pays US$400,000 Ransom- In March, 2019, Jackson County Georgia was attacked by the Conti Gang. The ransomware attack “hit the computers of Jackson County, Georgia, reducing government activity to a crawl until officials decided to pay the Conti cybercriminals $400,000 in exchange for the file decryption key. News articles reported that the attack affected computer systems in all departments of the County, including those for email and emergency services, forcing County employees to use pen and paper to do their job, slowing operations drastically. Jackson County’s Sheriff Department reported that they had to process arrest bookings and reports by hand because they had no access to their computers.
• City of Riviera Beach, Florida, Attacked by Conti Gang- Pays US$594,000 Ransom- On May 29, 2019, the IT systems of City of Riviera Beach, Florida were attacked by the Conti Ransomware Gang causing debilitating effects. Down went all the city’s online systems, including email and some phones, as well as their water utility pump stations. Utility payments could not be accepted other than in person or by snail mail — and even then, only by check or cash.
   
• City of LaPorte County, Indiana, Attacked by Conti Gang- Pays US$130,000 Ransom- On July 6, 2019, LaPorte County, Indiana, became the third U.S. municipality to become a victim of the Conti Ransomware Gang within a five-month period. According to spokespersons for the county they were able to interrupt the attack so that only 7% of their laptops were infected. However, the Conti threat actors did compromise two domain controllers so the county’s network services were unavailable. Even three days after the attack, the county’s emails and website were still down.
   

"As history shows, the Conti threat actors have no compunction about attacking critical infrastructure and seriously disrupting healthcare services, city and county residential programs, school systems, emergency services and oil and gas distribution. Companies and organizations must be prepared to combat these very serious ransomware threats, especially in light of the conflict raging between Russia and Ukraine," said Keplinger. "That requires approaching security as an arms race, in which technology of opposing interests are continually evolving in response to each other. Organizations need to monitor the threat landscape to see what threat actors are doing, assess gaps in their security as they pertain to the latest evasion techniques, and address those gaps through direct implementation – and all three of these processes must be ongoing. The eSentire TRU accomplishes this through the Threat Intelligence team and the Tactical Threat Response team."

If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more about how we protect legal firms globally? Connect with an eSentire Security Specialist.