Conti Ransomware

In this article, we will discuss Conti Ransomware in detail. We’ll present our analysis results and the tactics, techniques, and procedures (TTP). Let's look at some interesting facts about vulnerabilities explored in the Conti Ransomware attack.

Introduction

The Conti is a ransomware-as-a-service (RaaS) operation believed to be controlled by a cybercrime group in Russia called WizardSpider. The ransomware shares some code with the infamous Ryuk Ransomware, which was last reported in July 2020. The Conti ransomware gains initial access to the network through malicious attachments and links, encrypts data, and spreads to other systems exceptionally quickly, which makes it a very dangerous malicious actor. Cybercriminals typically launch Conti ransomware attacks by stealing files, encrypting servers and workstations, and demanding a ransom payment. Conti was considered one of the most successful ransomware gangs of 2021 and continues to be one of the most prolific ransomware gangs today, especially since REvil members were arrested at the beginning of 2022. According to the Ransomware project, Conti is a highly prolific threat actor managing to obtain more than $50 Million.

HISTORY

Since 2020, Conti has been making headlines consistently. A joint advisory was issued by the Cybersecurity Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) to the organizations about the malicious threat posed by the ransomware group and the vulnerabilities it exploits. According to the advisory FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks, Conti ransomware has been used in more than 400 attacks against U.S. and international organizations. A typical Conti ransomware attack involves malicious cyber actors stealing files, encrypting servers and workstations, and demanding ransom payments to access those files.

According to the advisory, CISA, FBI, and the National Security Agency (NSA) recommend implementing mitigation measures such as multifactor authentication (MFA), network segmentation, and updating operating systems & software to mitigate the Conti ransomware.

Conti continues his prolific track record in 2022, with four attacks reported within the first two months of the New Year. The following are a few recent incidents involving the Conti group.

Recently Conti pledged loyalty to the government of Russia

During the Russia - Ukraine War in 2022, the Conti ransomware gang pledged its allegiance to the Russian government. It warned of performing retaliatory attacks on the critical infrastructure of any nation that opposed the war-planned cyberattacks against Russia.

Tactics, Techniques, and Procedures

The group is using phishing attacks within the organization to install the TrickBot, IcedID, Cobalt Strike, and BazarLoader trojans to gain remote access to the compromised machines. Conti actors exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. According to our analysis of multiple malicious attacks involving the Conti ransomware, we believe the following attack vector is their overall strategy:

Initial Access:

• Phishing and Spear-Phishing Campaigns
• Exploit Vulnerable External Assets like Firewalls
• Internet-facing RDP (Remote Desktop Protocol) Servers

Execution:

• Scan the internal Servers, endpoints, backups, sensitive data
• Gather Live IP addresses and Ports by using popular port scanners like ‘Angry IP Scanner,’ ‘Advanced Port Scanner,’ or RouterScan to compile a list of IP addresses.

Persistence

• Used RDP and remote monitoring software to maintain persistence.
• Install Backdoors like BazarLoader and create processes and registry entries to maintain persistence.

Privilege Escalation:

• Use tools like Mimikatz to escalate the privileges and gain Domain administrator privileges or equivalent

Defense Evasion

• Disable security measures so that they may move laterally around the network without being noticed

Credential Access

• Dump Credentials using popular post-exploitation tools like Mimikatz, Windows SysInternals, etc.

Lateral Movement

• Use RCE (remote code execution) vulnerability to distribute to all servers identified.
• Inject in Logon scripts and Batch scripts to loop over the list of IP addresses to deploy the code to as many servers as possible in GPO for whenever the computer starts up and joins the domain

Command and Control

• Used four Cobalt Strike server Internet Protocol (IP) addresses used by Conti for communication with their C2 server

Exfiltration

• Exfiltrate as much data as possible in a variety of methods. The files can be saved on their server, transmitted through email, or uploaded to one or more anonymous cloud storage containers.
• Used the Rclone tool for data exfiltration

CONTI TTP - MITRE ATT&CK Mapping

According to CISA, the following is the mapping of Conti TTP with Mitre Att&ck Matrix.

Table 1: Conti ATT&CK techniques for enterprise

How does Conti Work?

When executed, it will encrypt files and change their file extension [.]ODMUA. It will leave a ransom note in the form of a text file named "readme.txt.”

Indicators of Compromise

Domains

Encrypted Files Extension

• [.]CONTI

Ransom Demand Message

• CONTI_README[.]txt

Cyber Criminal Contact

• mantiticvi1976@protonmail[.]com
• fahydremu1981@protonmail[.]com
• frosculandra1975@protonmail[.]com
• trafyralhi1988@protonmail[.]com
• sanctornopul1986@protonmail[.]com
• ringpawslanin1984@protonmail[.]com
• liebupneoplan19@protonmail[.]com
• stivobemun1979@protonmail[.]com
• guifullcharti1970@protonmail[.]com
• phrasitliter1981@protonmail[.]com
• elsleepamlen1988@protonmail[.]com
• southbvilolor1973@protonmail[.]com
• glocadboysun1978@protonmail[.]com
• carbedispgret1983@protonmail[.]com
• listun@protonmail[.]com
• mirtum@protonmail[.]com
• maxgary777@protonmail[.]com
• ranosfinger@protonmail[.]com
• bootsdurslecne1976@protonmail[.]com
• rinmayturly1972@protonmail[.]com
• niggchiphoter1974@protonmail[.]com
• lebssickronne1982@protonmail[.]com
• daybayriki1970@protonmail[.]com

MD5

• 196b1e6992650c003f550404f6b1109f

SHA1

• 6b1213966652f31cc333d9f1db64cb520c2256ec

SHA256

• 844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1
• 50b3ffd4f5b5ca722b42b8ef3bd93e31afeb9c959a1fea4ab2ba82f9a8a0692f

SSDEEP

• 384:yRcf5+y19sfna80LQiwvoh2fTuMl2t+JCeAxaBtmFU7qFFdjSfwaqkSTepQJb49Q:KcB+hClQ3vTLuMl2toIaCFIvROr

Files Dropped

• C:\conti_readme[.]txt
• C:\documents and settings\conti_readme[.]txt
• C:\far2\addons\colors\conti_readme[.]txt
• C:\far2\addons\conti_readme[.]txt
• C:\far2\conti_readme[.]txt
• D:\conti_readme[.]txt
• <REM_DRIVE>:\1189[.]jpeg
• <REM_DRIVE>:\1189[.]jpeg[.]conti
• <REM_DRIVE>:\1189[.]jpg
• <REM_DRIVE>:\1189[.]jpg[.]conti

Processes Created

• <PATH_SAMPLE[.]EXE>
• %WINDIR%\syswow64\cmd[.]exe
• <SYSTEM32>\conhost[.]exe
• %WINDIR%\syswow64\vssadmin[.]exe
• <SYSTEM32>\vssvc[.]exe

IP Addresses

• 162.244.80[.]235
• 85.93.88[.]165
• 185.141.63[.]120
• 82.118.21[.]1

Vulnerabilities

• 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities
• "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service
• "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems

How to Safeguard Against CONTI?

Staying safe from data breaches is possible with the proper knowledge, practices, and reliable solutions. Prevent initial access at any costs. Following are basic mitigations:

• An efficient and effective Threat Intelligence pipeline to stay updated about adversarial TTP
• They are patching your OS (Operating System), software, and firmware as soon as manufacturers make essential updates.
• Proper segregation and isolation of internal networks.
• To network systems and accounts, be sure to update passwords regularly. An effective password policy that addresses password complexity and password rotation are vital.
• Deploy properly configured NGFW/IDPS/XDR/EDR systems to monitor and thwart malicious activities.
• Deactivate any ports that aren't used for remote access/Remote Desktop Protocol (RDP).
• Proper system monitoring pipeline for better logging capability, including Powershell, Jscript, etc.
• Employee education is equally important: avoid using the same password for multiple accounts and multiple-factor authentication.
• Cybersecurity education is vital. The best means of preventing such incidents is through cybersecurity education.
• Suspicious emails should be avoided.
• Please do not open attachments or click on links if you receive such an email.
• Double-check that an email is legitimate, especially if it urges you to make a financial transaction.
• Effective and redundant fail-proof backup plans.
• Use multi-factor authentication whenever possible.

How To Detect Ongoing Ransomware Attacks?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR) security solution in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.

Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).