In this article, we discuss Conti ransomware in detail. We present our analysis results and the group's tactics, techniques, and procedures (TTP), and look at the vulnerabilities exploited in Conti ransomware attacks.
Introduction
Conti is a ransomware-as-a-service (RaaS) operation believed to be controlled by a Russia-based cybercrime group called Wizard Spider. The ransomware shares some code with the infamous Ryuk ransomware, which was last reported in July 2020. Conti gains initial access to the network through malicious attachments and links, encrypts data, and spreads to other systems exceptionally quickly, which makes it a very dangerous threat. Cybercriminals typically run a Conti attack by stealing files, encrypting servers and workstations, and demanding a ransom payment. Conti was considered one of the most successful ransomware gangs of 2021 and continues to be one of the most prolific today, especially since REvil members were arrested at the beginning of 2022. According to the Ransomware project, Conti is a highly prolific threat actor that has obtained more than $50 million.


HISTORY
Since 2020, Conti has been making headlines consistently. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory warning organizations about the threat posed by the ransomware group and the vulnerabilities it exploits. According to the FBI Flash alert "Conti Ransomware Attacks Impact Healthcare and First Responder Networks," Conti ransomware has been used in more than 400 attacks against U.S. and international organizations. A typical Conti attack involves malicious cyber actors stealing files, encrypting servers and workstations, and demanding ransom payments for access to those files.
In the advisory, CISA, the FBI, and the NSA recommend mitigation measures such as multifactor authentication (MFA), network segmentation, and keeping operating systems and software updated to reduce the risk from Conti ransomware.
Conti continued its prolific track record into 2022, with four attacks reported within the first two months of the year. The following are a few recent incidents involving the Conti group.
Ransomware Attack Incident | Sector | Conti Demands
October 25, 2021 - February 18, 2022 | Distribution | -
February 02, 2022 | Foods and Beverages | -
January 21, 2022 | Manufacturing | $15 Million ransom
January 15, 2022 | Marketing Agency | 2.5 GB of data stolen
Recently Conti pledged loyalty to the government of Russia
During the Russia - Ukraine war in 2022, the Conti ransomware gang pledged its allegiance to the Russian government. It warned of retaliatory attacks on the critical infrastructure of any nation that, in opposition to the war, planned cyberattacks against Russia.

Tactics, Techniques, and Procedures
The group uses phishing attacks against the organization to install the TrickBot, IcedID, Cobalt Strike, and BazarLoader trojans and gain remote access to the compromised machines. Conti actors abuse legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. Based on our analysis of multiple malicious attacks involving Conti ransomware, we believe the following attack chain is their overall strategy:
Initial Access:
- Phishing and spear-phishing campaigns
- Exploitation of vulnerable external assets such as firewalls
- Internet-facing RDP (Remote Desktop Protocol) servers
Execution:
- Scan internal servers, endpoints, backups, and sensitive data stores
- Gather live IP addresses and open ports using popular port scanners such as Angry IP Scanner, Advanced Port Scanner, or RouterScan to compile a list of IP addresses
Persistence:
- Use RDP and remote monitoring software to maintain persistence
- Install backdoors such as BazarLoader and create processes and registry entries to maintain persistence
Privilege Escalation:
- Use tools such as Mimikatz to escalate privileges and obtain Domain Administrator privileges or equivalent
Defense Evasion:
- Disable security measures so that they can move laterally around the network without being noticed
Credential Access:
- Dump credentials using popular post-exploitation tools such as Mimikatz, Windows Sysinternals, etc.
Lateral Movement:
- Use an RCE (remote code execution) vulnerability to spread to all identified servers
- Inject into logon scripts and batch scripts, deployed through GPO so that they run whenever a computer starts up and joins the domain, that loop over the list of IP addresses to push the code to as many servers as possible
Command and Control:
- Four Cobalt Strike server Internet Protocol (IP) addresses have been used by Conti to communicate with their C2 infrastructure
Exfiltration:
- Exfiltrate as much data as possible by a variety of methods: the files may be saved on the attackers' own server, transmitted through email, or uploaded to one or more anonymous cloud storage containers
- Use the Rclone tool for data exfiltration
CONTI TTP - MITRE ATT&CK Mapping
According to CISA, the following is the mapping of Conti TTP to the MITRE ATT&CK matrix. The technique ID column was not preserved in the source and is left blank here.
Initial Access
Technique Title | ID | Use
Valid Accounts | | Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials.
Phishing: Spearphishing Attachment | | Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware.
Phishing: Spearphishing Link | | Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails.
Execution
Technique Title | ID | Use
Command and Scripting Interpreter: Windows Command Shell | | Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files.
Native Application Programming Interface (API) | | Conti ransomware has used API calls during execution.
Persistence
Technique Title | ID | Use
Valid Accounts | | Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials.
External Remote Services | | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.
Privilege Escalation
Technique Title | ID | Use
Process Injection: Dynamic-link Library Injection | | Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executed it.
Defense Evasion
Technique Title | ID | Use
Obfuscated Files or Information | | Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls.
Process Injection: Dynamic-link Library Injection | | Conti ransomware has loaded an encrypted DLL into memory and then executed it.
Deobfuscate/Decode Files or Information | | Conti ransomware has decrypted its payload using a hardcoded AES-256 key.
Credential Access
Technique Title | ID | Use
Brute Force | | Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces.
Steal or Forge Kerberos Tickets: Kerberoasting | | Conti actors use Kerberos attacks to attempt to get the Admin hash.
Discovery
Technique Title | ID | Use
System Network Configuration Discovery | | Conti ransomware can retrieve the ARP cache from the local system by using the
System Network Connections Discovery | | Conti ransomware can enumerate routine network connections from a compromised host.
Process Discovery | | Conti ransomware can enumerate through all open processes to search for any that have the string
File and Directory Discovery | | Conti ransomware can discover files on a local system.
Network Share Discovery | | Conti ransomware can enumerate remote open server message block (SMB) network shares using
Lateral Movement
Technique Title | ID | Use
Remote Services: SMB/Windows Admin Shares | | Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.
Taint Shared Content | | Conti ransomware can spread itself by infecting other remote machines via network shared drives.
Impact
Technique Title | ID | Use
Data Encrypted for Impact | | Conti ransomware can use
Service Stop | | Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop.
Inhibit System Recovery | | Conti ransomware can delete Windows Volume Shadow Copies using
Table 1: Conti ATT&CK techniques for enterprise
How does Conti Work?

When executed, it encrypts files and changes their file extension to [.]ODMUA. It leaves a ransom note in the form of a text file named "readme.txt".
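The behaviours this page attributes to Conti (the Service Stop, Inhibit System Recovery and Data Encrypted for Impact rows of Table 1, the Rclone exfiltration step in the TTP list, and the ransom-note drop described in this section) all leave traces in ordinary host telemetry. The following detector is an added example written for this article; it is not NetSecurity's ThreatResponder code and not derived from any Conti sample. The event layout (loosely modelled on Sysmon event IDs 1 and 11), the service names and the thresholds are assumptions; the two ransom-note names and the two file extensions come from this page. It reports once per host for the burst rules, so a legitimate administrator stopping a single service does not fire.

```python
"""Added example (not NetSecurity's or Conti's code): flag the host behaviours this page attributes
to Conti in process-creation and file-creation telemetry. Sample events are constructed; their
field names are an assumption modelled loosely on Sysmon event IDs 1 (process) and 11 (file)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)   # sliding window for the two burst rules (assumed value)
NET_STOP_BURST = 5                     # distinct services stopped per host within the window (assumed)
MASS_RENAME_THRESHOLD = 20             # files with an encrypted extension per host within the window (assumed)
RANSOM_NOTE_NAMES = {"readme.txt", "conti_readme.txt"}   # both note names given on this page
ENCRYPTED_EXTS = (".conti", ".odmua")                     # both extensions given on this page

SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)   # Inhibit System Recovery
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"\s]+)', re.I)        # Service Stop via net stop
RCLONE_EXFIL = re.compile(r"rclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)   # Rclone exfiltration


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str            # "process" or "file"
    image: str = ""
    cmdline: str = ""
    path: str = ""


def detect(events):
    """Return (host, rule, detail) tuples in time order; burst rules fire once per host."""
    alerts, fired = [], set()
    net_stops = defaultdict(list)   # host -> [(ts, service)]
    encrypted = defaultdict(list)   # host -> [ts]

    def fire(host, rule, detail, once=False):
        if once and (host, rule) in fired:
            return
        fired.add((host, rule))
        alerts.append((host, rule, detail))

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process":
            if SHADOW_DELETE.search(e.cmdline):
                fire(e.host, "inhibit_system_recovery", e.cmdline)
            if RCLONE_EXFIL.search(e.cmdline):
                fire(e.host, "rclone_exfiltration", e.cmdline)
            m = NET_STOP.search(e.cmdline)
            if m:
                net_stops[e.host].append((e.ts, m.group(1).lower()))
                recent = {svc for ts, svc in net_stops[e.host] if e.ts - ts <= BURST_WINDOW}
                if len(recent) >= NET_STOP_BURST:
                    fire(e.host, "service_stop_burst", sorted(recent), once=True)
        elif e.kind == "file":
            name = e.path.rsplit("\\", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                fire(e.host, "ransom_note_dropped", e.path)
            elif name.endswith(ENCRYPTED_EXTS):
                encrypted[e.host].append(e.ts)
                recent = [ts for ts in encrypted[e.host] if e.ts - ts <= BURST_WINDOW]
                if len(recent) >= MASS_RENAME_THRESHOLD:
                    fire(e.host, "mass_encryption",
                         f"{len(recent)} files in {BURST_WINDOW.seconds}s", once=True)
    return alerts


def sample_events():
    """Constructed telemetry: WS01 shows the Conti pattern, WS02 is routine admin activity."""
    t0 = datetime(2022, 2, 1, 9, 0, 0)

    def at(sec):
        return t0 + timedelta(seconds=sec)

    ev = [Event(at(0), "WS01", "process", r"C:\Windows\SysWOW64\cmd.exe",
                "cmd.exe /c vssadmin.exe Delete Shadows /all /quiet")]
    # service names are illustrative examples of the categories Table 1 lists
    for i, svc in enumerate(["MSSQLSERVER", "SQLWriter", "VeeamBackupSvc",
                             "MSExchangeIS", "WinDefend", "BackupExecAgentAccelerator"]):
        ev.append(Event(at(5 + i), "WS01", "process", r"C:\Windows\System32\net.exe",
                        f'net stop "{svc}" /y'))
    ev.append(Event(at(30), "WS01", "file", path=r"C:\Users\alice\Documents\CONTI_README.txt"))
    for i in range(25):
        ev.append(Event(at(31 + i), "WS01", "file",
                        path=rf"C:\Users\alice\Documents\report{i}.docx.CONTI"))
    ev.append(Event(at(60), "WS01", "process", r"C:\Tools\rclone.exe",
                    "rclone.exe copy C:\\Shares\\Finance remote:bucket --transfers 8"))
    ev.append(Event(at(0), "WS02", "process", r"C:\Windows\System32\net.exe", "net stop Spooler"))
    ev.append(Event(at(1), "WS02", "file", path=r"C:\Users\bob\notes.txt"))
    return ev


if __name__ == "__main__":
    for host, rule, detail in detect(sample_events()):
        print(f"{host}: {rule}: {detail}")
```

The shadow-copy deletion and the Rclone rules fire on a single event because neither has a routine reason to appear on a workstation; the service-stop and mass-encryption rules need a burst within the window so that one-off administration does not page anyone. In a real deployment the thresholds would be tuned per host class and the extension list extended as new variants are observed.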
Indicators of Compromise
Domains
- badiwaw[.]com
- fipoleb[.]com
- kipitep[.]com
- pihafi[.]com
- tiyuzub[.]com
Encrypted Files Extension
- [.]CONTI
Ransom Demand Message
- CONTI_README[.]txt
Cyber Criminal Contact
- mantiticvi1976@protonmail[.]com
- fahydremu1981@protonmail[.]com
- frosculandra1975@protonmail[.]com
- trafyralhi1988@protonmail[.]com
- sanctornopul1986@protonmail[.]com
- ringpawslanin1984@protonmail[.]com
- liebupneoplan19@protonmail[.]com
- stivobemun1979@protonmail[.]com
- guifullcharti1970@protonmail[.]com
- phrasitliter1981@protonmail[.]com
- elsleepamlen1988@protonmail[.]com
- southbvilolor1973@protonmail[.]com
- glocadboysun1978@protonmail[.]com
- carbedispgret1983@protonmail[.]com
- listun@protonmail[.]com
- mirtum@protonmail[.]com
- maxgary777@protonmail[.]com
- ranosfinger@protonmail[.]com
- bootsdurslecne1976@protonmail[.]com
- rinmayturly1972@protonmail[.]com
- niggchiphoter1974@protonmail[.]com
- lebssickronne1982@protonmail[.]com
- daybayriki1970@protonmail[.]com
MD5
- 196b1e6992650c003f550404f6b1109f
SHA1
- 6b1213966652f31cc333d9f1db64cb520c2256ec
SHA256
- 844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1
- 50b3ffd4f5b5ca722b42b8ef3bd93e31afeb9c959a1fea4ab2ba82f9a8a0692f
SSDEEP
- 384:yRcf5+y19sfna80LQiwvoh2fTuMl2t+JCeAxaBtmFU7qFFdjSfwaqkSTepQJb49Q:KcB+hClQ3vTLuMl2toIaCFIvROr
Files Dropped
- C:\conti_readme[.]txt
- C:\documents and settings\conti_readme[.]txt
- C:\far2\addons\colors\conti_readme[.]txt
- C:\far2\addons\conti_readme[.]txt
- C:\far2\conti_readme[.]txt
- D:\conti_readme[.]txt
- <REM_DRIVE>:\1189[.]jpeg
- <REM_DRIVE>:\1189[.]jpeg[.]conti
- <REM_DRIVE>:\1189[.]jpg
- <REM_DRIVE>:\1189[.]jpg[.]conti
Processes Created
- <PATH_SAMPLE[.]EXE>
- %WINDIR%\syswow64\cmd[.]exe
- <SYSTEM32>\conhost[.]exe
- %WINDIR%\syswow64\vssadmin[.]exe
- <SYSTEM32>\vssvc[.]exe
IP Addresses
- 162.244.80[.]235
- 85.93.88[.]165
- 185.141.63[.]120
- 82.118.21[.]1
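The indicators above are published defanged (with `[.]` in place of `.`) so that they cannot be clicked by accident. To use them in a log search they have to be refanged and then matched carefully: a subdomain of a listed domain should match, an IP must match as a whole token, and a hash should only be compared when the token is actually hex of the right length. The script below is an added example written for this article (not NetSecurity's code) that does exactly that over the page's own domain, IP and hash indicators; the log lines are constructed for the example and use a made-up `key=value` layout, so the tokeniser is an assumption to be adapted to your DNS, proxy and EDR formats.

```python
"""Added example (not from the NetSecurity page): refang the defanged indicators listed above and
sweep log lines for them. The sample log lines are constructed and their layout is assumed."""
import re

# Indicators copied from the page, still in their defanged ("[.]") form
DEFANGED_DOMAINS = ["badiwaw[.]com", "fipoleb[.]com", "kipitep[.]com", "pihafi[.]com", "tiyuzub[.]com"]
DEFANGED_IPS = ["162.244.80[.]235", "85.93.88[.]165", "185.141.63[.]120", "82.118.21[.]1"]
FILE_HASHES = [
    "196b1e6992650c003f550404f6b1109f",                                   # MD5
    "6b1213966652f31cc333d9f1db64cb520c2256ec",                           # SHA1
    "844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1",   # SHA256
    "50b3ffd4f5b5ca722b42b8ef3bd93e31afeb9c959a1fea4ab2ba82f9a8a0692f",   # SHA256
]

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I)          # common defanging styles
_HEX_HASH = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")     # MD5 / SHA1 / SHA256 lengths
_TOKEN = re.compile(r"[A-Za-z0-9.\-]+")                                # assumed tokeniser for the logs


def refang(ioc):
    """Turn a defanged indicator back into its matchable, lower-cased form."""
    s = _DEFANG.sub(".", ioc.strip())
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").lower()


def build_ioc_set():
    return {
        "domain": {refang(d) for d in DEFANGED_DOMAINS},
        "ip": {refang(i) for i in DEFANGED_IPS},
        "hash": {h.lower() for h in FILE_HASHES},
    }


def match_token(token, iocs):
    """Classify one log token against the IoC set; subdomains of a listed domain also match."""
    t = token.lower().rstrip(".")           # tolerate trailing-dot FQDNs from DNS logs
    if t in iocs["ip"]:
        return "ip", t
    if _HEX_HASH.fullmatch(t) and t in iocs["hash"]:
        return "hash", t
    for d in iocs["domain"]:
        if t == d or t.endswith("." + d):
            return "domain", d
    return None


def sweep(lines, iocs=None):
    """Return (line_number, ioc_type, indicator) for every hit, one per matching token, in log order."""
    iocs = iocs or build_ioc_set()
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _TOKEN.findall(line):
            m = match_token(token, iocs)
            if m:
                hits.append((n, m[0], m[1]))
    return hits


# Constructed sample telemetry (not real logs): one client touches three of the page's IoCs
SAMPLE_LOGS = [
    "2022-02-01T09:12:03Z dns client=10.0.0.14 query=www.badiwaw.com type=A",
    "2022-02-01T09:12:04Z proxy client=10.0.0.14 dst=185.141.63.120:443 action=allow",
    r"2022-02-01T09:12:09Z edr host=WS01 file=C:\Users\alice\Downloads\invoice.exe "
    "sha256=844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1",
    "2022-02-01T09:13:00Z dns client=10.0.0.22 query=updates.example.com type=A",
    "2022-02-01T09:13:05Z proxy client=10.0.0.22 dst=93.184.216.34:443 action=allow",
]

if __name__ == "__main__":
    for line_no, kind, indicator in sweep(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} hit on {indicator}")
```

Matching hashes only after a length check avoids the classic mistake of substring-searching a 32-character MD5 inside longer hex blobs, and comparing IPs as whole tokens stops `82.118.21.1` from matching `82.118.21.10`. The sweep reports the first three constructed lines and stays silent on the two benign ones.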
Vulnerabilities
- 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities
- "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service
- "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems
How to Safeguard Against CONTI?
Staying safe from data breaches is possible with the proper knowledge, practices, and reliable solutions. Prevent initial access at all costs. The following are basic mitigations:
- An efficient and effective threat intelligence pipeline to stay updated on adversary TTP.
- Patch your OS (operating system), software, and firmware as soon as manufacturers release essential updates.
- Proper segregation and isolation of internal networks.
- Update passwords for network systems and accounts regularly. An effective password policy that addresses password complexity and password rotation is vital.
- Deploy properly configured NGFW/IDPS/XDR/EDR systems to monitor and thwart malicious activity.
- Close any ports that aren't needed for remote access, such as Remote Desktop Protocol (RDP).
- A proper system monitoring pipeline for better logging capability, including PowerShell, JScript, etc.
- Employee education is equally important: train staff not to reuse the same password across multiple accounts and to use multi-factor authentication.
- Cybersecurity education is vital. The best means of preventing such incidents is through cybersecurity education.
- Suspicious emails should be avoided.
- Do not open attachments or click on links if you receive such an email.
- Double-check that an email is legitimate, especially if it urges you to make a financial transaction.
- Effective and redundant fail-proof backup plans.
- Use multi-factor authentication whenever possible.
How To Detect Ongoing Ransomware Attacks?
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity's ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) security solution, in action? Click the button below to request a free demo of NetSecurity's ThreatResponder platform.
Disclaimer
The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation, misuse, or unauthorized use of this content, "as is" or "modified," shall be considered illegal and subject to the articles and provisions stipulated in the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL).