Rewterz Threat Alert – Conti Ransomware Group Attacks Indonesia’s Central Bank – Fresh IOCs

Severity

High

Analysis Summary

Conti ransomware family packs multiple unique features, including improving performance and giving its operators the option to only target networked SMB shares. The malware improves performance through the use of “up to 32 simultaneous encryption efforts,” and is likely directly controlled by its operators, which means that it can target network-based resources and skip local files, similarly to what the Sodinokibi ransomware can do. The notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities. A successful attack may have been destroyed that’s limited to the shares of a server that has no Internet capability, but where there is no evidence of similar destruction elsewhere in the environment.

 Bank Indonesia (BI) is the Central Bank of the Republic of Indonesia. BI has confirmed today that a ransomware attack hit its networks last month. Ransomware payloads were deployed on the systems of the BI employees. 

“We were attacked, but so far so good as we took anticipatory measures and most importantly public services at Bank Indonesia were not disrupted at all,” the head of BI’s communications department, Erwin Haryono, said.

“BI is aware of a ransomware hack last month. We are aware that we have been hit by a cyber attack. This is a crime, it is real, and we are exposed to it,” Haryono added according to local media.

Conti leaked some of the data that was stolen and therefore has taken responsibility for the attack. In all, the ransomware group claims to have 13.88 GB worth of documents to leak if Bank Indonesia doesn’t pay the ransom.
 

Impact

• File Encryption
• Data Theft
• Financial Loss

Indicators of Compromise

MD5

• 9a35dda6735102f5aac7876c73f7863a
• cdf6a63fd74ea83f310a796a9c21c659
• 8ed5f474476b8ac49a1ba0ac9222feae
• b11ea7564115dbf8de1d73c916d8caa2

SHA-256

• 7220bd358f7a359fba4e076252af1c06eddf175463b32a03aa1d59b199c684de
• bda3868320633ed3af8b26997af76d2a5853b3c8d4e2951efec4510809b1011b
• 120fa0aa63598735bd316759edc1de341d089f391adf67b356039f1e706655e7
• 8b26138a0e371f06fb51679c8d89f661c6ace3d35a90e569887a1b14ac5938e7

SHA-1

• a3024cae3ab158800dbaa0f1de903ef12270cd83
• 6637b6960b46f412a15e3a6eadaeda147a27a49b
• 19e127533f8b6ab97cad19c6e5e66c33d092360a
• 5c72eba30754f697f4ed1d0f3b344e4cd3dbd937

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.