{
	"id": "12843b4a-3f76-4c22-99c3-dc12a23cd7a8",
	"created_at": "2026-04-10T03:21:49.311461Z",
	"updated_at": "2026-04-10T03:22:19.163072Z",
	"deleted_at": null,
	"sha1_hash": "afdab5f7c256d3a536b67558ae4c51a9016fc06f",
	"title": "Suspected Conti Ransomware Activity in the Auto Manufacturing Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432791,
	"plain_text": "Suspected Conti Ransomware Activity in the Auto Manufacturing Sector\r\nBy Josh Hanrahan\r\nPublished: 2022-03-16 · Archived: 2026-04-10 03:17:51 UTC\r\nDragos has observed consistent network communication between Emotet Command and Control (C2) servers and numerous auto manufacturing companies. These Emotet servers are suspected to be controlled by the Conti ransomware group.\r\nAt this stage, Dragos has not yet observed any confirmed initial access methods being utilized and does not have any evidence of ransomware encryption being initiated. The observed communications from the networks are consistent with those commonly associated with established footholds. Dragos observed this activity starting in December 2021, but it may have begun prior to that. It has been ongoing until March 2022.\r\nIf systems located in levels 2 to 3 of the Purdue Model such as engineer workstations, historians, or Supervisory Control and Data Acquisition (SCADA) systems suffer a ransomware infection, the impact on industrial operations can be severe. Additionally, any ransomware infection occurring on systems in Level 4 of the Purdue Model such as Domain Controllers, File Servers or Web Servers can sever key business processes that industrial operations may be reliant upon.\r\nKey Findings\r\nDragos is observing evidence of multiple automotive manufacturers compromised by Emotet, a malware strain and a cybercrime operation, which has precipitated ransomware events in the past.\r\nDragos investigated the Internet Protocol (IP) addresses detailed on Twitter by the user @ContiLeaks. This user appears to be someone with potential insider knowledge of the Conti ransomware group who is leaking information due to disagreeing with Conti’s public support of the Russian invasion of Ukraine.\r\nDragos examined the IP addresses in the tweets and noted copious amounts of communication to confirmed Emotet C2 nodes.\r\nDragos observed numerous automotive organizations across North America and Japan frequently communicating with the Emotet C2 servers.\r\nCONTI \u0026 EMOTET Adversary Infrastructure\r\nDragos analyzed network telemetry associated with the suspected Conti master C2 server and observed frequent communication between it and a subset of IP addresses that are Emotet C2 nodes, as shown below.\r\nNetwork Indicator Description\r\n82.202.192[.]66 SELECTEL-MSK – Emotet C2\r\nhttps://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/\r\nPage 1 of 4\n\n67.205.162[.]68 Digital Ocean – Emotet C2\r\n188.241.120[.]42 BANDWIDTH-AS – Emotet C2\r\n185.9.18[.]154 M247 – Suspected Conti master C2 server\r\n178.128.83[.]165 Digital Ocean – Emotet \u0026 legacy Dridex C2\r\n162.243.175[.]63 Digital Ocean – Emotet C2\r\n159.65.1[.]71 Digital Ocean – Emotet C2\r\n134.209.156[.]68 Digital Ocean – Emotet C2\r\n159.89.230[.]105 Digital Ocean – Emotet C2\r\n45.184.36[.]10 AS269305 – Emotet C2\r\nDragos further examined network communications between the Emotet C2 nodes and any other IP addresses, which subsequently highlighted traffic consistent with C2 communications between potential victims and the Emotet C2 servers. Figure 1 below shows our observations.\r\nFigure 1: Adversary Infrastructure\r\nVictimology\r\nAnalysis of the network telemetry from the C2 nodes highlighted continued communication to and from automotive related organizations in North America and Japan, including but not limited to:\r\nThree of the world’s top automakers\r\nA key domestic supplier to one of the world’s top automakers\r\nAn automotive component manufacturer\r\nNot only did victims exhibit network communication consistent with C2 activity to one IP address, but some victims were communicating with many of the C2 IP addresses. This indicates that initial access footholds into these victims’ networks were well established and have multiple backup controllers if some were to go offline.\r\nDragos has contacted the organizations affected and advised them to enact their incident response playbooks for ransomware events.\r\nRecommendations from Dragos Experts\r\nRansomware can impact critical business functions across both Information Technology (IT) environments and Operational Technology (OT) environments. If an adversary gains a foothold and systems across the network are encrypted, business and operational processes can be severely halted, in turn causing a reduction in or cessation of critical operations.\r\nDragos advises that IT and OT security staff review the details of this activity in conjunction with their organization’s threat modelling and determine any follow-up actions if appropriate.\r\nDragos also advises that the following action items may be helpful in mitigating or detecting ransomware events against your network:\r\nHunt for ransomware related indicators of compromise on externally facing third-party managed devices as well as organization managed devices that have logging available.\r\nMonitor for key Tactics, Techniques and Procedures (TTPs) utilized by ransomware adversaries. The following techniques, mapped to MITRE’s ATT\u0026CK for Industrial Control Systems (ICS), were observed in this activity: T0885: Command and Control – Commonly Used Port.\r\nMonitor network traffic for TTPs where prevention methods may be missing malicious activity. For example, software misconfiguration of firewalls or web proxies. Additionally, with C2 communication over common ports such as 80 (HTTP) or 443 (HTTPS), analysis of bytes transferred outwards, abnormal user-agents, or connection initiation at a repeated interval can highlight potential C2 beaconing activity.\r\nMonitor East-West network traffic for relevant TTPs and assess if the details of the traffic are in line with normal baseline behaviors.\r\nAssess IT and OT connectivity and exposure: Use best practices to secure sections of your network. Assess your network architecture and security controls separately.\r\nKeep Systems Fully Patched: Patch your IT and OT systems where and when it makes sense to mitigate vulnerabilities.\r\nRegularly Back up Files to Remote Servers: Restoring your files from a backup is the fastest way to regain access to your data.\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering.\r\nEnsure networks are properly segmented with separate authentication infrastructure for IT and OT.\r\nEnsure least privileges and leverage user access control: Implement practices to prevent adversary lateral movement and deployment of ransomware in the industrial environment. Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only the resources required to perform routine, legitimate activities.\r\nRevise or create your incident response plan on how to respond to ransomware events.\r\nReferences\r\nAlert (AA21-265A) Conti Ransomware – CISA (Cybersecurity and Infrastructure Security Agency)\r\nEmotet botnet comeback orchestrated by Conti ransomware gang – Bleeping Computer\r\nConti Ransomware Gang: An Overview – Unit42\r\nConti ransomware gang backs Russia, threatens US – Tech Target\r\nIntroduction to ICS Security Part 2 – SANS\r\nJosh Hanrahan is a Principal Adversary Hunter at Dragos. As part of the Threat Discovery team, Josh is focused on uncovering and tracking threat groups that target ICS organizations globally. More specifically, Josh focuses on threats to the electric sector and adversaries focused on the Asia Pacific region.\r\nSource: https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/"
	],
	"report_names": [
		"suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector"
	],
	"threat_actors": [],
	"ts_created_at": 1775791309,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afdab5f7c256d3a536b67558ae4c51a9016fc06f.pdf",
		"text": "https://archive.orkl.eu/afdab5f7c256d3a536b67558ae4c51a9016fc06f.txt",
		"img": "https://archive.orkl.eu/afdab5f7c256d3a536b67558ae4c51a9016fc06f.jpg"
	}
}