Conti initiates their attacks on Backup

Cyber groups (cartels) specifically target backup solutions to ensure that the victim has no option other than paying the ransom. The Conti group is particularly methodical in developing and implementing backup removal techniques (on-premise and cloud). The full analysis is available here (thanks to ADV INTEL) and is based on their actual proactive victim breach intelligence and subsequent incident response (not a simulated or sandbox environment). A defense-in-depth strategy is the solution, and it concerns your backup environment…


Conti versus Veeam:

Conti hunts for Veeam privileged users and services and leverages them to access, exfiltrate, remove and encrypt backups to ensure ransomware breaches are "un-backupable". This way, Conti simultaneously exfiltrates the data for further victim blackmailing while leaving the victim with no chance to quickly recover their files, as the backups are removed.

Conti initiates their attacks via spam messages with direct Cobalt Strike beacon backdoor delivery.


Please always remember that a disaster is not a question of IF but WHEN. So be prepared from a logistical point of view by following the upgraded 3-2-1-1-0 backup rule, and Veeam will get you covered from the technology side. Data protection is not a question of product but of architecture, and more especially "architecture secure by design". Veeam did exactly that for this customer, who opened a Severity 4 support case a few weeks ago just to tell them the following.

Veeam’s customer feedback (RETEX):

Your product saved our company! We were hit last Saturday at 2:30 am by the Conti strain of Ransomware. Every single server (40+-), every single desktop both virtual and physical (200+-) were rendered useless. All data of every kind is gone. We immediately went into offline restore mode while contacting FBI/Homeland Security and our CyberSecurity Insurance company who put us in touch with a high-level forensics team. While bringing all things back up we changed over 400 passwords for users/services/etc and by Tuesday we were back in operation. Having Veeam on a separate “non-domain” host/server with distinct credentials and the quality of your product has kept this company in business without paying ONE DAMN DOLLAR in ransom! Please pass this HUGE THANK YOU around to your team and celebrate with us as I will NEVER consider an alternative to this product and I will shout it to the rooftops to every tech/exec that I know. [name redacted] CIO. (Source: Anton Gostev’s Weekly Word).


Several measures may significantly reduce the chances of Conti successfully removing backups: protecting your Backup Server and integrating Trusted Repository Storage, Offline Backup (Tape, example: Quantum Active Vault) or Immutable storage (Veeam Immutable Backup feature, Retention Time Lock with ExaGrid, AWS S3, etc.); hardening (server, storage, OS...); maintaining developed protocols of access rights hierarchy; Zero Trust; network security (segmentation, a VLAN dedicated to Backup components); keeping the Backup environment out of the domain (100% of attacks pass by the Active Directory); password hygiene; anonymizing the names of backup servers, repositories and service accounts; creating a HoneyPot backup environment; creating fake backup service accounts (svc_veeam / svc_backup) and monitoring them with a real-time AD alerting solution (such as Netwrix, Varonis, Tenable); and systemic network monitoring aimed at spotting abnormal network behavior. Secure backup solutions and the mitigations listed will enable any possible victims to leave Conti without their demanded ransom money.
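The decoy-account monitoring mentioned above (fake svc_veeam / svc_backup accounts with real-time alerting) can be implemented as follows. This is an added example, not code from the original post or from any of the products named; it assumes Windows Security events have already been exported as JSON lines, and the function names, export layout and sample events are constructed for illustration.

```python
import json

# Decoy account names from the article; no legitimate process should ever use them.
DECOY_ACCOUNTS = {"svc_veeam", "svc_backup"}

# Windows Security event IDs that record authentication activity.
AUTH_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4769: "Kerberos service ticket requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}

def normalize(name):
    """Reduce DOMAIN\\user, user@REALM or a bare name to lower-case 'user'."""
    name = (name or "").strip().lower().rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]

def decoy_alerts(json_lines):
    """Return one alert per authentication event that touches a decoy account."""
    alerts = []
    for line in json_lines:
        event = json.loads(line)
        event_id = int(event.get("EventID", 0))
        if event_id not in AUTH_EVENTS:
            continue
        # 4769 carries the requested service in ServiceName; others use TargetUserName.
        touched = {normalize(event.get(f)) for f in ("TargetUserName", "ServiceName")}
        for account in sorted(touched & DECOY_ACCOUNTS):
            alerts.append({
                "time": event.get("TimeCreated"),
                "account": account,
                "activity": AUTH_EVENTS[event_id],
                "source": event.get("IpAddress") or event.get("Workstation") or "unknown",
            })
    return alerts

# Constructed sample events (assumed JSON-lines export layout, not real logs).
SAMPLE = [
    '{"EventID": 4624, "TimeCreated": "2021-10-04T02:11:07Z", "TargetUserName": "jdoe", "IpAddress": "10.0.5.20"}',
    '{"EventID": 4625, "TimeCreated": "2021-10-04T02:14:31Z", "TargetUserName": "SVC_VEEAM", "IpAddress": "10.0.5.77"}',
    '{"EventID": 4769, "TimeCreated": "2021-10-04T02:15:02Z", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup", "IpAddress": "10.0.5.77"}',
    '{"EventID": 4776, "TimeCreated": "2021-10-04T02:16:45Z", "TargetUserName": "svc_backup", "Workstation": "WS-FIN-07"}',
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(alert)
```

Because the decoy accounts have no legitimate use, every alert is worth investigating; there is no baseline to tune against.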

About Conti:

Conti is a top-tier Russian-speaking ransomware group specializing in double extortion operations that combine data encryption and data exfiltration. Though Conti does use the blackmailing aspect of data exfiltration, threatening to publish the victims' stolen files if the ransom is not paid, the main leverage in Conti negotiations is data encryption, based on our deeper visibility.

Conti operates on a RaaS (Ransomware as a Service) model, as Egregor does:

The RaaS platform provides the undetectable binaries to affiliated attackers, along with services identical to those of a company: presale, sale, after-sale support, and services.

Conti is one of the more aggressive and complex ransomware families to hit in recent months, and it focuses on backup environments. As with other contemporary threats, the damage being done extends well beyond the cost of the ransom (which you should avoid paying), and now also includes any penalties associated with data breaches, public posting of private data, GDPR / compliance fallout, and beyond.


Christopher GLEMOT

Data Management & Security Team Leader | Technical specialist around Data, Security, Backup, Disaster Recovery, Cloud, Governance, Virtualization and Storage | Veeam Vanguard 2016-21 & VMCE | Founder of | Owner of