IoT Chipmaker Threated With Additional Data Leaks
A screenshot of the Conti gang’s darknet site claiming to offer data stolen from Advantech
The gang behind the Conti ransomware variant has posted data to its darknet website that it says it stole during a ransomware attack on industrial IoT chipmaker Advantech last month. The company reportedly confirmed the attack on Monday.
The gang has posted several files that can be downloaded. These include two zip files containing 3 GB of data, or what the gang claims is about 2% of the data it removed from Advantech’s database prior to encrypting the company’s data, according to a screenshot of the darknet site provided to ISMG by a source.
“More data will be published in a timely manner. Stay in touch,” Conti says in the post.
Advantech confirmed to Bleeping Computer Monday that it had been hit with ransomware that led to the theft of company documents, but it declined to offer any further details. The news site says the Conti gang demanded $14 million in ransom.
The Taiwanese company has not issued a statement on the incident and has not responded to Information Security Media Group’s requests for comment.
Advantech, which had $1.7 billion in sales in 2019, develops products for industrial IoT intelligent systems and embedded platforms and sells IoT hardware and software.
Conti ransomware is the variant favored by Wizard Spider, the cyber gang that developed and distributes the Trickbot Trojan. Wizard Spider switched to Conti after it took Ryuk offline for several months in late summer while its developers gave the malware a refresh, CrowdStrike researchers reported (see: Trickbot Rebounds After Takedown).
CrowdStrike noted that Ryuk on its own is more dangerous than Conti. But Conti, when combined with BazarLoader, has superior obfuscation abilities.
Conti was introduced in August, and the gang behind it later added the data leak site to support its extortion efforts. CrowdStrike estimates that as of October, 120 networks have been hit with Conti and had their data listed on the Conti data leak site.
“Conti victims span multiple sectors and geographies, the vast majority of which are based in North America and Europe. This opportunistic targeting is indicative of Wizard Spider and wider ransomware operations,” the CrowdStrike report notes.
Since the Conti gang launched the ransomware, it has shifted from fully encrypting files with AES 256 to using what CrowdStrike calls a more strategic and efficient approach of selectively encrypting files with the ChaCha stream cipher.