Infection Vectors: Spam emails, Phishing, Spear-phishing, Vulnerability exploitation, Malware distribution networks, Stolen credentials, Fake software
Attack Sectors: Information Technology, Government, Legal Services, Enterprise Services, Real Estate, Healthcare, Education, Transportation, Manufacturing, Electronics, NGOs, and Finance
Targeted Regions: North America, Western Europe, Eastern Europe, Eastern Asia
Motive: Data theft, Financial gains (via Ransom)
Active since 2020, the Conti ransomware actors specifically target Microsoft Windows-based systems. The group operates as Ransomware-as-a-Service (RaaS) and is believed to have a Russian-speaking background. The Conti gang has been observed to prefer organizations that urgently need to restore and use their encrypted data, such as critical and emergency services. A report by Swiss security firm Prodaft revealed that the Conti group collected nearly $25.5 million in ransom over the past five months (as of November 2021). Its operators are known for pressuring non-paying victims by leaking stolen data on their designated data leak site.
Along with honing its double extortion scheme, the Conti group has also mastered a methodology for removing backups, which restricts a victim’s ability to restore the encrypted or stolen data. Thus far, the group remains active.
Infection and Execution
The attack strategies by Conti can be split into a two-phase process.
First Phase - Initial Access
In the first phase of the attack, operators of Conti gain initial access to networks using different techniques. The group has been observed leveraging spear-phishing campaigns as well as dropping malicious Word attachments (with scripts that can be used to download or drop other malware such as TrickBot and IcedID). The group often uses Cobalt Strike for lateral movement and further stages of the attack, with the ultimate goal of deploying Conti ransomware. Moreover, the group makes use of other techniques as well, such as stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, malware distribution networks (e.g., ZLoader), and exploitation of common vulnerabilities in external assets.
Second Phase - Execution
In the execution phase, the attackers run a status check (via a getuid payload) before executing a more damaging payload, to limit the risk of triggering antivirus engines. CISA and the FBI have revealed that Conti actors use the penetration testing tool RouterScan to scan and brute force routers, cameras, and Network-Attached Storage (NAS) devices with web interfaces.
Further, the attackers employ Kerberos attacks to obtain the Admin hash used in carrying out the brute force attacks.
For maintaining persistence on victim networks, the attackers use genuine remote monitoring and management software and remote desktop software as backdoors. They use tools already available on the victim network, such as Windows Sysinternals and Mimikatz, to collect users’ hashes and clear-text credentials. These credentials enable privilege escalation within a domain, after which the actors carry out other post-exploitation and lateral movement tasks. In some cases, TrickBot is used to perform post-exploitation tasks.
In August 2021, a so-called angry affiliate of Conti leaked a playbook carrying information about the group’s operations. A detailed analysis of this playbook revealed that the actors attempted to exploit several vulnerabilities in unpatched assets to move laterally and escalate privileges. These flaws include the 2017 Windows Server Message Block 1.0 server vulnerabilities, the ProxyShell vulnerabilities, the PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler service, and the Zerologon vulnerability (CVE-2020-1472) in Active Directory Domain Controller systems. The artifacts leaked with the playbook revealed four Cobalt Strike server Internet Protocol (IP) addresses used by Conti for communication with their C2 server. It has been observed that Conti uses different Cobalt Strike server IP addresses for different victims.
Besides Windows Sysinternals and Mimikatz, Conti members sometimes used the Rclone tool for data exfiltration. After the actors steal and encrypt the victim’s sensitive data, they use the double extortion technique: they demand a ransom for the release of the encrypted data and further threaten to publicly leak the stolen data if the ransom is not paid.
According to the FBI, Conti is responsible for more than 400 cyberattacks against organizations around the world, of which 75% are located in the U.S. The group is mostly observed targeting mid-to-large-size enterprises such as Nordic Choice Hotels, Health Service Executive, Kisters AG, Graff, Global Sales Solutions Line, Florida’s Broward County Public Schools (in which the hackers demanded a whopping $40 million), and many more. The ransom amounts are based on the size of the organization and its ability to pay. Conti has a reputation for targeting organizations where IT outages can lead to life-threatening situations, such as hospitals, emergency medical services, emergency number dispatch carriers, and law enforcement agencies.
Ninja Technique of Destroying Backups
Even if the targeted victim holds a backup of the data encrypted by Conti and is capable of restoring the files, Conti has advanced backup-removal expertise. The group is able to hamper backups made with software from Veeam, a firm that specializes in backup and disaster-recovery software. The group regularly starts its attacks by targeting victims via spam messages and then installing the Cobalt Strike Beacon. It then uses a remote management agent, Atera or AnyDesk, for persistence in the targeted network. The use of Atera helps the attackers hide Cobalt Strike from endpoint detection platforms. Besides Atera, the group sometimes uses the cross-platform application Ngrok to create a tunnel to the local host and exfiltrate data without raising any flags. Finally, to make sure that the victim cannot recover from backups, the attackers lock the victim’s systems and then manually remove the Veeam backups, leaving victims with few options.
Moreover, the group recruits affiliates that have experience and skills for backup identification, localization, and deactivation.
To prevent attacks from Conti, experts suggest frequent employee training and implementation of email security protocols. Organizations are recommended to track externally exposed endpoints to mitigate VPN compromise and TrickBot delivery, and to implement network-hierarchy protocols to stop lateral movement inside the network. Moreover, they should regularly audit or block command-line interpreters using whitelisting tools, and enable proper logging of process execution together with command-line arguments. This helps identify command-line data exfiltration activity such as Rclone. Experts also recommend special security protocols, password updates, and other account-security actions for Veeam to prevent takeover of Veeam accounts.
Conti has been active for more than a year and is already considered one of the most dangerous ransomware operations, one that leaves organizations no option to recover their data. The group follows the tactic of destroying backups to bring victim organizations to their knees. Therefore, against a grave threat like Conti, organizations need to step up their defenses. Moreover, the group is still at large and is expected to continue its operations.
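As an added example (not part of the original write-up), the following Python script shows the kind of check the logging advice above enables: it runs heuristics over constructed process-creation events (Sysmon Event ID 1 style Image and CommandLine fields) and flags Rclone both when it runs under its own name and when a renamed binary still uses Rclone's command grammar. The sample events, field names, verb list and flag list are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style Image and
# CommandLine fields); illustrative only, not records from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Finance mega:dump --transfers 8 -q"},
    {"Image": r"C:\ProgramData\svc.exe",
     "CommandLine": r"svc.exe --config C:\ProgramData\r.conf sync D:\Share bk:x --ignore-existing"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a out.7z C:\Users\jdoe\Documents"},
]

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remotes are written "name:path"; a single letter before the colon is a
# Windows drive (D:\Share), so require two or more characters to skip those.
REMOTE_ARG = re.compile(r"(?:^|\s)[A-Za-z0-9_-]{2,}:\S*")
RCLONE_FLAGS = ("--config", "--transfers", "--ignore-existing", "--bwlimit")

def classify_event(event):
    """Return a reason string if the event looks like rclone activity, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    tokens = event["CommandLine"].split()
    if image in ("rclone.exe", "rclone"):
        return "rclone binary executed under its own name"
    # A renamed binary is still betrayed by rclone's command grammar: a transfer
    # verb together with a remote target or an rclone-specific flag.
    has_verb = any(t.lower() in RCLONE_VERBS for t in tokens[1:])
    has_remote = REMOTE_ARG.search(event["CommandLine"]) is not None
    has_flag = any(t.lower().startswith(RCLONE_FLAGS) for t in tokens)
    if has_verb and (has_remote or has_flag):
        return "rclone-style command line under a non-rclone image name"
    return None

def detect_rclone(events):
    """Return (image path, reason) for every event the heuristics flag."""
    hits = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            hits.append((ev["Image"], reason))
    return hits

if __name__ == "__main__":
    for image, reason in detect_rclone(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The heuristics are deliberately name-independent for the second rule, since an actor that renames the binary still has to pass Rclone's verbs, remotes and flags on the command line, which is exactly why command-line logging matters.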
Indicators of Compromise
Encrypted Files Extension
Ransom Demand Message
Cyber Criminal Contact
C:\documents and settings\conti_readme[.]txt