BleepingComputer reports that more than 40 companies around the world have been compromised by Conti ransomware affiliates in the ARMattack campaign from Nov. 17 to Dec. 20, 2021, making it one of the group's "most productive" hacking campaigns.
U.S.-based companies were most impacted by the ARMattack hacking spree, while attackers only spent three days between obtaining initial access and system encryption in their shortest successful attack, a report from Group-IB revealed.
"After gaining access to a company's infrastructure, the threat actors exfiltrate specific documents (most often to determine what organization they are dealing with) and look for files containing passwords (both plaintext and encrypted). Lastly, after acquiring all the necessary privileges and gaining access to all the devices they are interested in, the hackers deploy ransomware to all the devices and run it," said researchers.
The report also noted that Conti operators had been active from around noon until 9 p.m., with affiliates continuously tracking Windows updates and new patch changes, as well as identifying zero-day flaws.
Despite the takedown of the Conti brand in May following the disclosure of its source code and chat messages, Conti has remained the second most active ransomware group in the first quarter and has entered collaborations with smaller ransomware groups.