
A Detailed Look Into Conti Ransomware’s Tactics


Origin: 2020

Alias: Ransom.Conti

Infection Vectors: Spam emails, Phishing, Spear-phishing, Vulnerability exploitation, Malware distribution networks, Stolen credential, Fake software

Targeted Sectors: Information Technology, Government, Legal Services, Enterprise Services, Real Estate, Healthcare, Education, Transportation, Manufacturing, Electronics, NGOs, and Finance

Targeted Regions: North America, Western Europe, Eastern Europe, Eastern Asia

Motive: Data theft, Financial gains (via Ransom)

Introduction

Active since 2020, the Conti ransomware actors specifically target Microsoft Windows-based systems. The group operates as Ransomware-as-a-Service (RaaS) and is believed to have a Russian-speaking background. As observed, the Conti gang prefers to target organizations that must quickly restore and use their encrypted data, such as critical and emergency services. A report by Swiss security firm Prodaft revealed that the Conti group collected nearly $25.5 million in ransom over the past five months (as of November 2021). Its operators are known for threatening non-paying victims by leaking stolen data on their designated data leak site.

Along with honing its double extortion scheme, the Conti group has mastered a methodology for removing backups as well, which restricts a victim's ability to restore the encrypted or stolen data. Thus far, the group remains active.

Infection and Execution

The attack strategies by Conti can be split into a two-phase process.

First Phase - Initial Access

In the first phase of the attack, operators of Conti gain initial access to networks using different techniques. It has been observed leveraging spear-phishing campaigns as well as dropping malicious Word attachments (with scripts that can be used to download or drop other malware such as TrickBot and IcedID). The group often uses Cobalt Strike for lateral movement and further stages of attack with the ultimate goal of deploying Conti ransomware. Moreover, the group makes use of other techniques as well, such as stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, malware distribution networks (e.g., ZLoader), and exploiting common vulnerabilities that exist in external assets.

Second Phase - Execution

In the execution phase, the attackers run a status check (via a getuid payload) before executing a more lethal payload, to limit the risk of triggering antivirus engines. CISA and the FBI have revealed that Conti actors use the penetration testing tool RouterScan to scan and brute force routers, cameras, and Network-attached Storage (NAS) devices with web interfaces. Further, the attackers employ Kerberos attacks to obtain the Admin hash for carrying out brute force attacks.

To maintain persistence on victim networks, the attackers use legitimate remote monitoring and management software and remote desktop software as backdoors. They use tools already available on the victim network, such as Windows Sysinternals and Mimikatz, to collect users' hashes and clear-text credentials. These credentials enable privilege escalation within a domain, followed by other post-exploitation and lateral movement tasks. In some cases, TrickBot is used to perform post-exploitation tasks.

In August 2021, a so-called angry affiliate of Conti leaked a playbook carrying information about the group’s operations. A detailed analysis of this playbook revealed that they attempted to exploit several vulnerabilities in unpatched assets to move laterally and escalate privileges. These flaws include 2017 Windows Server Message Block 1.0 server vulnerabilities, ProxyShell vulnerabilities, PrintNightmare vulnerability (CVE-2021-34527) in Windows Print spooler service, and Zerologon vulnerability (CVE-2020-1472) in Active Directory Domain Controller systems. The artifacts leaked with the playbook revealed four Cobalt Strike server Internet Protocol (IP) addresses used by Conti for communication with their C2 server. It has been observed that Conti uses different Cobalt Strike server IP addresses for different victims.

Besides Windows Sysinternals and Mimikatz, Conti members sometimes use the Rclone tool for data exfiltration. After the actors steal and encrypt the victim's sensitive data, they use the double extortion technique: they demand ransom for the release of the encrypted data and further threaten to publicly leak the stolen data if the ransom is not paid.

The Targets

According to the FBI, Conti is responsible for more than 400 cyberattacks against organizations around the world, of which 75% are located in the U.S. The group is mostly observed targeting mid to large size enterprises such as Nordic Choice Hotels, Health Service Executive, Kisters AG, Graff, Global Sales Solutions Line, Florida's Broward County Public Schools (from which the attackers demanded a whopping $40 million), and many more. The ransom amounts are based on the size of the organization and its ability to pay. Conti has a reputation for targeting organizations where IT outages can lead to life-threatening situations, such as hospitals, emergency medical services, emergency number dispatch carriers, and law enforcement agencies.

Ninja Technique of Destroying Backups

Even where the targeted victim has a backup of the data encrypted by Conti and is capable of restoring the files, Conti has advanced backup-removal expertise. The group is able to disrupt backups made with Veeam, a disaster-recovery firm that specializes in backup software. It regularly starts its attacks by targeting victims via spam messages and then installing the Cobalt Strike Beacon. It then uses a remote management agent such as Atera or AnyDesk for persistence in the targeted network. The use of Atera lets the attackers hide Cobalt Strike from endpoint detection platforms. Besides Atera, the group sometimes uses Ngrok, a cross-platform application, to create a tunnel to the local host for exfiltrating data without raising any flags. Finally, to make sure the victim cannot recover from backups, the attackers lock the victim's system and then manually remove the Veeam backups, leaving victims with few options.

Moreover, the group recruits affiliates that have experience and skills for backup identification, localization, and deactivation.

Preventive Measures

To prevent Conti attacks, experts suggest frequent employee training and the implementation of email security protocols. Organizations are advised to track externally exposed endpoints to mitigate VPN compromise and TrickBot delivery, and to implement network-hierarchy protocols to stop lateral movement inside the network. They should also regularly audit or block command-line interpreters using whitelisting tools, and properly log process execution together with command-line arguments; this helps identify data exfiltration command-line activity such as Rclone. Experts also recommend special security protocols, password updates, and account-security actions for Veeam to prevent takeover of Veeam accounts.
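A defender-side illustration of the process-logging advice above, added here and not part of the original post: a small Python scanner over constructed Sysmon-style process-creation lines that flags the shadow-copy deletion (the vssadmin.exe process listed in the IoCs), Rclone exfiltration and Ngrok tunnel invocations the post describes. The field layout, host names, user names and command lines are assumptions made for the example.

```python
import re

# Constructed sample of process-creation events, one per line, with Sysmon-style
# fields (Host, User, Image, CommandLine). Not telemetry from any real incident.
SAMPLE_EVENTS = [
    r'Host=FS01 User=CORP\svc_backup Image=C:\Windows\SysWOW64\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'Host=FS01 User=CORP\jdoe Image=C:\Users\jdoe\rclone.exe CommandLine="rclone.exe copy D:\Finance remote:share --transfers 32"',
    r'Host=WS22 User=CORP\jdoe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"',
    r'Host=WS22 User=CORP\admin Image=C:\Tools\ngrok.exe CommandLine="ngrok tcp 3389"',
]

# Detection rules keyed on the command line, matching the behaviours the post
# attributes to Conti: shadow-copy removal, Rclone exfiltration, Ngrok tunnels.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("rclone_exfil", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("ngrok_tunnel", re.compile(r"\bngrok(\.exe)?\s+(tcp|http)\b", re.I)),
]

# key=value pairs; a value is either a double-quoted string or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one flattened event line into a dict of field name -> value."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def match_rules(event):
    """Return the names of all rules whose regex hits the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(lines):
    """Scan event lines and return (rule, host, user) tuples for every hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for name in match_rules(event):
            alerts.append((name, event.get("Host"), event.get("User")))
    return alerts


if __name__ == "__main__":
    for rule, host, user in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: host={host} user={user}")
```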

Conclusion

Conti has been active for more than a year and is already considered one of the most dangerous ransomware families, leaving organizations with no option to recover their data. The group goes as far as destroying backups to bring victim organizations to their knees. Therefore, against a grave threat like Conti, organizations need to raise their defenses. Moreover, the group is still at large and is expected to continue its operations.

Indicators of Compromise

Encrypted Files Extension
.CONTI

Ransom Demand Message
CONTI_README[.]txt

Cyber Criminal Contact

MD5
196b1e6992650c003f550404f6b1109f

SHA1
6b1213966652f31cc333d9f1db64cb520c2256ec

SHA256
844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1

SSDEEP
384:yRcf5+y19sfna80LQiwvoh2fTuMl2t+JCeAxaBtmFU7qFFdjSfwaqkSTepQJb49Q:KcB+hClQ3vTLuMl2toIaCFIvROr

Files Dropped
C:\conti_readme[.]txt
C:\documents and settings\conti_readme[.]txt
C:\far2\addons\colors\conti_readme[.]txt
C:\far2\addons\conti_readme[.]txt
C:\far2\conti_readme[.]txt
D:\conti_readme[.]txt
<REM_DRIVE>:\1189[.]jpeg
<REM_DRIVE>:\1189[.]jpeg[.]conti
<REM_DRIVE>:\1189[.]jpg
<REM_DRIVE>:\1189[.]jpg[.]conti

Processes Created
<PATH_SAMPLE[.]EXE>
%WINDIR%\syswow64\cmd[.]exe
<SYSTEM32>\conhost[.]exe
%WINDIR%\syswow64\vssadmin[.]exe
<SYSTEM32>\vssvc[.]exe


Posted on: December 17, 2021
