2021-12-07

We can all imagine how serious it is for a toy manufacturer and retailer to suffer an incident in its commercial chain that puts it in difficulty, if only in terms of wasted energy: this is what happened to the Italian company Clementoni, based in Recanati, following a cyber attack on its corporate infrastructure that appears to date from December 4.

Initially, on Sunday 5 December, news leaked of some inconvenience suffered by employees, who were busy for several hours restoring some procedures of the CED (the company's data processing centre).

Today, December 6, in addition to the news that may have leaked from inside the company, we all came into contact with a second truth: the criminal group behind the Conti ransomware claimed responsibility for the attack on its public site, which it uses as a showcase for victims' leaks.

The Conti ransomware strikes again: there is data theft

Another ransomware attack, therefore, hitting Italian corporate infrastructure, by the same criminal gang that had recently attacked San Carlo, Argos SpA and the Municipality of Turin. The only fact the criminal group provides this time is the magnitude of the theft: in its own announcement, it puts it at 111 GB of data exfiltrated from the Clementoni network.

We cannot yet know what kind of data was stolen; the company, for its part, has not yet made an official communication about the incident, and we are not sure this will happen in the future. It will surely be a story subject to updates in the coming days.

We certainly know (because we have learned to analyze the work of the Conti gang) that the Italian company Clementoni has been subjected to a ransom demand, even if the amount is not known at this time, in exchange for a guarantee of non-disclosure of what was stolen from its network (at least according to the criminals).

What we know about Conti ransomware

Conti ransomware is operated by a criminal group characterized by the speed with which it encrypts data and spreads laterally within the infrastructure.

It is thought that this malware's operations are led by a Russian-based group known under the alias Wizard Spider.

The group uses phishing attacks to install the TrickBot and BazarLoader trojans in order to gain remote access to infected machines.

The e-mail appears to come from a sender the victim trusts and uses a link (URL) to direct the user to a document created ad hoc. The document, hosted on Google Drive, carries a malicious payload and, once downloaded, also starts the download of the BazarBackdoor malware, which connects the victim's device to the Conti command and control server.

Once active on the compromised machine, the Conti ransomware encrypts the data and then applies a two-step extortion scheme.

Conti ransomware and the double extortion technique

Double extortion, also known as pay-now-or-get-breached, refers to a recently growing ransomware strategy. In the early days of ransomware, the malware was only concerned with encrypting the data it found at hand, and a ransom was demanded to obtain the decryption key so that the victim could regain access to that data.

As backups started creating financial problems for ransomware groups, double extortion began to arise. After completing the first part of the infection chain just described, the criminal gang (having exfiltrated data from the victim network) also sets up a website with which it threatens the public disclosure of the stolen data, on top of having encrypted it.

Data theft is almost always followed by the publication of a sample of that data, as proof that the criminals really hold what they claim, unless otherwise agreed by the criminals with the victim in question.

What we learn from the new ransomware attack

As we have seen, therefore, the complexity of this incident and all the consequences that follow from it, including on the legal level, for the loss of data (which may be more or less sensitive), often starts from a harmful, well-disguised phishing e-mail that manages to capture the attention of some employee inside the victim company.

All this can often be avoided with good digital hygiene and a security culture at all professional levels.

It is not only CISOs who have to deal with cybersecurity problems, but anyone who comes into contact with digital tools connected to the Internet (nowadays, therefore, every employee of almost any company).
