[BreachExchange] Conti Ransomware Gang Posts Advantech's Data

Destry Winant destry at riskbasedsecurity.com
Thu Dec 3 10:43:51 EST 2020


https://www.databreachtoday.com/conti-ransomware-gang-posts-advantechs-data-a-15486

The gang behind the Conti ransomware variant has posted data to its
darknet website that it says it stole during a ransomware attack on
industrial IoT chipmaker Advantech last month. The company reportedly
confirmed the attack on Monday.


The gang has posted several files that can be downloaded. These
include two zip files containing 3 GB of data, or what the gang claims
is about 2% of the data it removed from Advantech's database prior to
encrypting the company's data, according to a screenshot of the
darknet site provided to ISMG by a source.

"More data will be published in a timely manner. Stay in touch," Conti
says in the post.

Advantech confirmed to Bleeping Computer Monday that it had been hit
with ransomware that led to the theft of company documents, but it
declined to offer any further details. The news site says the Conti
gang demanded $14 million in ransom.

The Taiwanese company has not issued a statement on the incident and
has not responded to Information Security Media Group's requests for
comment.

Advantech, which had $1.7 billion in sales in 2019, develops products
for industrial IoT intelligent systems and embedded platforms and
sells IoT hardware and software.

Conti Ransomware

Conti ransomware is the variant favored by Wizard Spider, the cyber
gang that developed and distributes the Trickbot Trojan. Wizard Spider
switched to Conti after it took Ryuk offline for several months in
late summer while its developers gave the malware a refresh,
CrowdStrike researchers reported (see: Trickbot Rebounds After
Takedown).

CrowdStrike noted that Ryuk on its own is more dangerous than Conti.
But Conti, when combined with BazarLoader, has superior obfuscation
abilities.

Conti was introduced in August, and the gang behind it later added the
data leak site to support its extortion efforts. CrowdStrike estimates
that as of October, 120 networks have been hit with Conti and had
their data listed on the Conti data leak site.

"Conti victims span multiple sectors and geographies, the vast
majority of which are based in North America and Europe. This
opportunistic targeting is indicative of Wizard Spider and wider
ransomware operations," the CrowdStrike report notes.

Since the Conti gang launched the ransomware, it has shifted from
fully encrypting files with AES 256 to using what CrowdStrike calls a
more strategic and efficient approach of selectively encrypting files
with the ChaCha stream cipher.
