
Conti Ransomware Gang Posts Advantech's Data

IoT Chipmaker Threatened With Additional Data Leaks
A screenshot of the Conti gang's darknet site claiming to offer data stolen from Advantech

The gang behind the Conti ransomware variant has posted data to its darknet website that it says it stole during a ransomware attack on industrial IoT chipmaker Advantech last month. The company reportedly confirmed the attack on Monday.


The gang has posted several files that can be downloaded. These include two zip files containing 3 GB of data, or what the gang claims is about 2% of the data it removed from Advantech's database prior to encrypting the company's data, according to a screenshot of the darknet site provided to ISMG by a source.

"More data will be published in a timely manner. Stay in touch," Conti says in the post.

Advantech confirmed to Bleeping Computer Monday that it had been hit with ransomware that led to the theft of company documents, but it declined to offer any further details. The news site says the Conti gang demanded $14 million in ransom.

The Taiwanese company has not issued a statement on the incident and has not responded to Information Security Media Group’s requests for comment.

Advantech, which had $1.7 billion in sales in 2019, develops products for industrial IoT intelligent systems and embedded platforms and sells IoT hardware and software.

Conti Ransomware

Conti ransomware is the variant favored by Wizard Spider, the cyber gang that developed and distributes the Trickbot Trojan. Wizard Spider switched to Conti after it took Ryuk offline for several months in late summer while its developers gave the malware a refresh, CrowdStrike researchers reported (see: Trickbot Rebounds After Takedown).

CrowdStrike noted that Ryuk on its own is more dangerous than Conti. But Conti, when combined with BazarLoader, has superior obfuscation abilities.

Conti was introduced in August, and the gang behind it later added the data leak site to support its extortion efforts. CrowdStrike estimates that as of October, 120 networks have been hit with Conti and had their data listed on the Conti data leak site.

"Conti victims span multiple sectors and geographies, the vast majority of which are based in North America and Europe. This opportunistic targeting is indicative of Wizard Spider and wider ransomware operations," the CrowdStrike report notes.

Since launching the ransomware, the Conti gang has shifted from fully encrypting files with AES-256 to what CrowdStrike calls a more strategic and efficient approach: selectively encrypting files, or portions of them, with the ChaCha stream cipher, which reduces the time the malware needs to render a victim's data unusable.
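To make the difference between whole-file and selective encryption concrete, and to show why it matters to a defender, the following is an added example written for this page; it is not Conti code and not CrowdStrike's analysis. It assumes a hypothetical "head-only" strategy (only the first 4 KiB of each file is encrypted), uses a SHA-256 counter-mode keystream purely as a stand-in for ChaCha20 so that it runs on the Python standard library alone, and compares a naive whole-file entropy check with a per-chunk check over a constructed sample document. All names, thresholds and sample data are the editor's own.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096        # window size for the per-region entropy check (assumption)
THRESHOLD = 7.5     # bits/byte; ciphertext and compressed data sit near 8.0 (assumption)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from SHA-256 in counter mode.

    Stand-in for a real stream cipher such as ChaCha20 so the example needs no
    third-party library. It illustrates the XOR-with-keystream structure only
    and is NOT a recommended cipher construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_range(data: bytes, key: bytes, nonce: bytes, start: int, length: int) -> bytes:
    """XOR one byte range of `data` with the keystream.

    Because a stream cipher is just XOR with a keystream, encrypting a chosen
    range is no harder than encrypting the whole file, and applying the same
    call again decrypts it.
    """
    buf = bytearray(data)
    for i, k in enumerate(keystream(key, nonce, length)):
        buf[start + i] ^= k
    return bytes(buf)


def encrypt_full(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Whole-file encryption: every byte is touched."""
    return xor_range(data, key, nonce, 0, len(data))


def encrypt_head_only(data: bytes, key: bytes, nonce: bytes, head: int = CHUNK) -> bytes:
    """Hypothetical selective strategy: only the first `head` bytes are encrypted.

    For most formats the header is enough to make the file unopenable, at a
    fraction of the I/O cost of full encryption.
    """
    return xor_range(data, key, nonce, 0, min(head, len(data)))


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for plain text-like data, ~8.0 for ciphertext)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_encrypted(data: bytes, threshold: float = THRESHOLD, chunk: int = CHUNK) -> tuple:
    """Return (whole_file_flag, any_chunk_flag).

    whole_file_flag: the naive check, entropy over the entire file.
    any_chunk_flag:  flags the file if any window is ciphertext-like, which is
                     what catches selectively encrypted files.
    """
    whole_file = shannon_entropy(data) >= threshold
    any_chunk = any(e >= threshold for e in chunk_entropies(data, chunk))
    return whole_file, any_chunk


# Constructed sample: a ~54 KB CSV-like document (low entropy, not a real file).
SAMPLE_DOC = b"".join(
    f"row {i:05d},sensor-node,site-{i % 12:02d},qty {i % 7}\n".encode()
    for i in range(1500)
)
KEY = bytes(range(32))   # fixed demo key (assumption)
NONCE = b"\x00" * 12     # fixed demo nonce (assumption)


def demo() -> dict:
    """Run both checks against the plain, fully encrypted and head-only encrypted variants."""
    full = encrypt_full(SAMPLE_DOC, KEY, NONCE)
    head = encrypt_head_only(SAMPLE_DOC, KEY, NONCE)
    return {
        "plain": looks_encrypted(SAMPLE_DOC),
        "full": looks_encrypted(full),
        "head_only": looks_encrypted(head),
        "head_only_chunks": [round(e, 2) for e in chunk_entropies(head)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is in the `head_only` result: the whole-file entropy stays well below the threshold because over 90% of the bytes are still plain text, so a scanner that only looks at total file entropy never fires, while the per-chunk check flags the encrypted header immediately. Entropy alone remains a weak signal, since compressed and already-encrypted formats are legitimately high-entropy, so in practice it is combined with other indicators such as mass renames, new file extensions and dropped ransom notes.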

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE (This Week in Consumer Electronics) for 15 years. He has also contributed to TheStreet and Mainstreet.
