Indications are that the attackers gain access to victims’ networks via Microsoft Exchange Servers, then use the incompletely patched PetitPotam vulnerability to gain access to the domain controller, and from there spread across the network.
It is not clear how the attackers gain initial access to the Microsoft Exchange Servers.
Victims are in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.
The attackers behind this ransomware use a ransom note with a similar design to that used by the LockBit ransomware gang and reference the Conti gang in the email address they use – contact@contipauper[.]com.