“They are experienced big-game hunters with a long track record of attacks on the public sector”
The infrastructure of US criminal court has been hit by ransomware, with court documents published online in what is thought to be the first ransomware attack of its kind.
Hacking group/ransomware strain Conti has claimed the attack on the Fourth District Court of Louisiana, and published apparent proof of the attack on its dark web page this week.
It appears to have published documents obtained from the court relating to defendant pleas, witnesses and jurors.
The court’s website remains offline. The Louisiana Supreme Court’s website was also down as we published. It was not clear if infrastructure had been pulled offline for precautionary reasons or if the malware had hit there too.
Computer Business Review has approached the courts for comment.
Brett Callow, threat analyst at New Zealand’s Emsisoft, which closely tracks ransomware attacks, told Computer Business Review: “The group responsible for the attack is Conti, which is likely the same group that created Ryuk. In other words, they’re experienced big game hunters with a long track record of attacks on the public sector.”
He added: “This is the first incident that I can recall in which a court’s data has been exfiltrated and published”, noting that it is the 207th ransomware incident to hit a public sector body thus far in 2020.
(In May courts in Texas were subject to a ransomware attack, though no documents were published online. Court administrators refused to pay the ransom, and it reportedly took two months for the system to return to full functionality.)
Crypto-malware Conti was first spotted in the wild in December 2019, and has become increasingly common in recent months, targeting corporations and now, it seems, public sector bodies. It spreads laterally through networks using a range of techniques to try to obtain domain admin credentials. Once it has the necessary privileges, it deploys the ransomware to encrypt devices on the network.
It includes a range of techniques designed to frustrate incident responders and can execute 160 individual commands – 146 of which are aimed at stopping Windows services. It was first analysed in depth by VMware’s Carbon Black, whose researchers noticed that the Conti ransomware has “multiple anti-analysis features to slow detection and reverse engineering. The primary form is the use of a unique string encoding routine that is applied to almost every string text used by the malware.
“In fact, it is used in 277 different algorithms – one per string. Almost 230 of these algorithms are placed in dedicated subroutines, ballooning the amount of code within the simple program.” (The technique is used to hide the various Windows API calls used by the malware.)
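As an added, defender-side illustration (not code from the article or from the Carbon Black analysis): one observable side-effect of the mass service-stopping behaviour described above is a burst of Service Control Manager "stopped state" events in the Windows System log. The script below, written for this page, parses constructed sample log lines (the timestamps, service names and line layout are made up; Event ID 7036 is the real state-change event) and flags any 60-second window in which five or more distinct services stop.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines (not a real export): "<ISO timestamp> <EventID> <message>".
SAMPLE_LOG = """\
2020-07-06T09:00:01 7036 The Print Spooler service entered the running state.
2020-07-06T09:15:10 7036 The Windows Update service entered the stopped state.
2020-07-06T09:15:11 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2020-07-06T09:15:11 7036 The Veeam Backup Service service entered the stopped state.
2020-07-06T09:15:12 7036 The Windows Defender Antivirus Service service entered the stopped state.
2020-07-06T09:15:12 7036 The Volume Shadow Copy service entered the stopped state.
2020-07-06T09:15:13 7036 The SQL Server Agent (MSSQLSERVER) service entered the stopped state.
2020-07-06T09:15:14 7036 The Windows Update service entered the stopped state.
2020-07-06T11:00:00 7036 The Print Spooler service entered the stopped state.
"""

# Event ID 7036 is the Service Control Manager state-change event; only "stopped" lines matter here.
STOP_RE = re.compile(r"^(\S+) 7036 The (.+?) service entered the stopped state\.$")

def parse_stops(text):
    """Return (timestamp, service_name) pairs for every service-stop line in the log text."""
    stops = []
    for line in text.splitlines():
        m = STOP_RE.match(line)
        if m:
            stops.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return stops

def find_stop_bursts(stops, window=timedelta(seconds=60), threshold=5):
    """Slide a time window over the stop events and emit one alert per burst in which
    at least `threshold` distinct services stopped within `window`.
    Each alert is (window_start, window_end, sorted list of stopped services)."""
    recent, alerts, alerted = deque(), [], False
    for ts, svc in sorted(stops):
        recent.append((ts, svc))
        while ts - recent[0][0] > window:   # drop events that fell out of the window
            recent.popleft()
        distinct = {s for _, s in recent}
        if len(distinct) >= threshold and not alerted:
            alerts.append((recent[0][0], ts, sorted(distinct)))
            alerted = True                 # suppress repeats until the burst subsides
        elif len(distinct) < threshold:
            alerted = False
    return alerts

if __name__ == "__main__":
    for start, end, services in find_stop_bursts(parse_stops(SAMPLE_LOG)):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {len(services)} services stopped: {services}")
```

Tune the window and threshold to the host's normal service churn (patch cycles and reboots also stop many services, but over a much longer span than the seconds-long burst shown here).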
Analysts have noted the code similarities between Conti and Ryuk, another ransomware strain, which has become less prevalent over recent months. Advanced Intel’s Vitali Kremez noted that Conti uses a ransom note template similar to Ryuk’s, and that it appeared to be deploying via the same TrickBot infrastructure.