The recent spike in attacks targeting veterinary practices has in part been contributed to the rise in ransomware gangs using affiliates to attack their intended targets. The ransomware as a service (RaaS) model has also become profitable for both affiliates and ransomware providers, further pushing the boundaries of what is needed to launch an attack.
However, a recent leak by a vengeful affiliate exposes what goes on behind the curtains of these cybercriminal gangs and how they operate their ransomware as a service business. Reports indicate that an affiliate with links to Conti Gang has leaked the playbook of the ransomware gang after a disagreement over compensation for their attacks.
Conti ransomware gang not new to veterinary practices
Late last year, the Conti ransomware gang indicated that they had successfully carried out an attack on Neel veterinary hospital. At the time, they also tried to negotiate with the veterinary practice for the payment of ransom so the company can get their data back.
Conti cybercriminal group has also been behind other high profile attacks, including attacks on Fourth District Court of Louisiana, Volkswagen Group and BostonCouch. Once the group successfully attacks an organization, they are notorious for their extortion methods, including publishing unauthorized materials on the web to compel their victims to pay the ransom.
Leaked details of Conti ransomware gang operations
The leaking of Conti ransomware gang operations is good news for veterinary practices, as it offers a glimpse of how they conduct their business and offers insight into how practices can protect themselves against the ransomware gang.
Among details leaked by the affiliate, cybercriminals include the IP addresses for Cobalt Strike C2 servers. These IP addresses are the group’s command and control servers (C2) that they use to launch their attacks, send messages, receive messages and deliver decryption keys to paying victims.
The leak about the servers was significant because potential victims of the Conti cybercriminal can protect themselves against their attack by blocking the IP addresses of these c2 servers.
The Conti group cybercriminal affiliate also provided learning materials they use in training. These materials contained information about how Conti performs ransomware attacks, including how they chose their targets.
According to a cybersecurity expert, Vitali Kremez, the training materials, which were part of the 113MB released by the affiliate, were legit, based on years of experience dealing with attacks from the Conti group.
The leak also revealed programs used by the ransomware group and how they are launched and operated. Although many experts who saw these programs indicated that the programs were already known in the cybersecurity space, the leak can provide insight to veterinary practices about the programs that are used to attack their practices.
Payments to affiliates
The leaked report came to light as a result of disagreement on the amount of payment that the affiliate group was supposed to pocket after launching a successful cyber attack.
The disagreement highlighted an important part of how the ransomware as a service (RaaS) model does not work for everybody involved during operation. According to the affiliate cybercriminal group, they had an agreement with the group, where they were supposed to be paid 70 percent of the payment after a successful ransomware attack.
However, after the attack, the Conti ransomware gang refused to honor their agreement and instead sent only $1,500. This angered the affiliate group because they felt they did most of the heavy lifting; they had data that showed that the group was paid much more and hence deserved more money.
The internal wrangles of the ransomware groups were also an indication that these organizations were not running as effectively as the image they have tried very hard to portray.
Takeaways for veterinary practices
The leaked report against the Conti ransomware gang was a win for veterinary practices after the ransomware gang attacked multiple practices, including Neel Veterinary Hospital.
However, the biggest takeaway about the leak should be on how actual ransomware attacks are now being carried out by amateurs who are recruited using various social media platforms with the premise of making quick money. The very idea that these groups are able to assemble a team, train them, offer them hacking tools and every other resource that they may need to launch an attack should be of concern to veterinary practices that don’t take cybersecurity seriously.
The leaks also showed proof of how spoils of ransomware attacks are shared between the cybercriminals involved. Monetary motivation being the top reason for ransomware attacks, veterinary practices that appear to be on the rise should expect to be attacked by these groups. The only solution to prevent such attacks is improving security measures employed on veterinary practices and contacting a cybersecurity expert as soon as you notice you are under attack.
Want to know if your hospital is prepared for a cyber attack?
Schedule your veterinary cyber security audit today. It generally takes about 3 weeks to complete and will have no impact on your day to day operations! The best part is you will come away with a complete incident response plan to turn a cyber attack into a minor inconvenience from a major disaster.