
Conti Ransomware

In this article, we discuss Conti ransomware in detail: our analysis results, the group's tactics, techniques, and procedures (TTPs), and some notable facts about the vulnerabilities exploited in Conti attacks.

Introduction

Conti is a ransomware-as-a-service (RaaS) operation believed to be controlled by a Russia-based cybercrime group called Wizard Spider. The ransomware shares some code with the infamous Ryuk ransomware, which was last reported in July 2020. Conti gains initial access to the network through malicious attachments and links, encrypts data, and spreads to other systems exceptionally quickly, which makes it a very dangerous threat. A typical Conti attack involves stealing files, encrypting servers and workstations, and demanding a ransom payment. Conti was considered one of the most successful ransomware gangs of 2021 and remains one of the most prolific today, especially since REvil members were arrested at the beginning of 2022. According to the Ransomware project, Conti is a highly prolific threat actor that has obtained more than $50 million.

Figure 1: The Ransomware Project website shows Conti as the top ransomware gang.
Figure 2: Geographical Distribution of Conti Victims

History

Since 2020, Conti has been making headlines consistently. A joint advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warning organizations about the threat posed by the ransomware group and the vulnerabilities it exploits. According to the FBI Flash "Conti Ransomware Attacks Impact Healthcare and First Responder Networks", Conti ransomware has been used in more than 400 attacks against U.S. and international organizations. A typical Conti attack involves malicious cyber actors stealing files, encrypting servers and workstations, and demanding ransom payments to restore access to those files.

In that advisory, CISA, the FBI, and the NSA recommend mitigations such as multifactor authentication (MFA), network segmentation, and keeping operating systems and software up to date.

Conti continued its prolific track record in 2022, with four attacks reported within the first two months of the year. The following are a few recent incidents involving the Conti group.

Ransomware Attack Incident | Time Period | Sector | Conti Demands
Meyer Corporation | October 25, 2021 - February 18, 2022 | Distribution | -
Kenyon Produce Snacks | February 02, 2022 | Foods and Beverages | -
Delta Electronics | January 21, 2022 | Manufacturing | $15 Million ransom
RR Donnelley | January 15, 2022 | Marketing Agency | 2.5 GB of data stolen

Recently, Conti pledged loyalty to the government of Russia

During the Russia - Ukraine war in 2022, the Conti ransomware gang pledged its allegiance to the Russian government. It warned that it would retaliate against the critical infrastructure of any nation that planned cyberattacks against Russia in opposition to the war.

Figure 3: Conti's pledge of loyalty to Russia during the Russia - Ukraine war in 2022

Tactics, Techniques, and Procedures

The group uses phishing attacks against the organization to install the TrickBot, IcedID, Cobalt Strike, and BazarLoader trojans and gain remote access to compromised machines. Conti actors abuse legitimate remote monitoring and management (RMM) software and remote desktop software as backdoors to maintain persistence on victim networks. Based on our analysis of multiple attacks involving Conti ransomware, we believe the following attack chain is their overall strategy:

Initial Access

  • Phishing and spear-phishing campaigns
  • Exploitation of vulnerable external assets such as firewalls
  • Internet-facing RDP (Remote Desktop Protocol) servers

Execution

  • Scan internal servers, endpoints, backups, and sensitive data
  • Gather live IP addresses and open ports with popular port scanners such as Angry IP Scanner, Advanced Port Scanner, or RouterScan to compile a list of IP addresses

Persistence

  • Use RDP and remote monitoring software to maintain persistence
  • Install backdoors such as BazarLoader and create processes and registry entries to maintain persistence

Privilege Escalation

  • Use tools such as Mimikatz to escalate privileges and obtain Domain Administrator privileges or equivalent

Defense Evasion

  • Disable security controls so that they can move laterally across the network without being noticed

Credential Access

  • Dump credentials using popular post-exploitation tools such as Mimikatz and Windows Sysinternals utilities

Lateral Movement

  • Use RCE (remote code execution) vulnerabilities to deploy to all identified servers
  • Inject into logon scripts and batch scripts that loop over the list of IP addresses, and deploy them via GPO so the code runs whenever a computer starts up and joins the domain, reaching as many servers as possible

Command and Control

  • Four Cobalt Strike server IP addresses have been observed in use by Conti for communication with their C2 infrastructure

Exfiltration

  • Exfiltrate as much data as possible by a variety of methods: files may be saved on their own server, transmitted through email, or uploaded to one or more anonymous cloud storage containers
  • Use the Rclone tool for data exfiltration

CONTI TTP - MITRE ATT&CK Mapping

According to CISA, the following is the mapping of Conti TTPs to the MITRE ATT&CK matrix.

Initial Access

Technique Title | ID | Use
Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials.
Phishing: Spearphishing Attachment | T1566.001 | Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware.
Phishing: Spearphishing Link | T1566.002 | Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails.

Execution

Technique Title | ID | Use
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files.
Native Application Programming Interface (API) | T1106 | Conti ransomware has used API calls during execution.

Persistence

Technique Title | ID | Use
Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials.
External Remote Services | T1133 | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Privilege Escalation

Technique Title | ID | Use
Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executed it.

Defense Evasion

Technique Title | ID | Use
Obfuscated Files or Information | T1027 | Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls.
Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted DLL into memory and then executed it.
Deobfuscate/Decode Files or Information | T1140 | Conti ransomware has decrypted its payload using a hardcoded AES-256 key.

Credential Access

Technique Title | ID | Use
Brute Force | T1110 | Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces.
Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Conti actors use Kerberos attacks to attempt to get the Admin hash.

Discovery

Technique Title | ID | Use
System Network Configuration Discovery | T1016 | Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure the IP addresses it connects to are for local, non-internet systems.
System Network Connections Discovery | T1049 | Conti ransomware can enumerate routine network connections from a compromised host.
Process Discovery | T1057 | Conti ransomware can enumerate all open processes to search for any that have the string "sql" in their process name.
File and Directory Discovery | T1083 | Conti ransomware can discover files on a local system.
Network Share Discovery | T1135 | Conti ransomware can enumerate remote open Server Message Block (SMB) network shares using NetShareEnum().

Lateral Movement

Technique Title | ID | Use
Remote Services: SMB/Windows Admin Shares | T1021.002 | Conti ransomware can spread via SMB and encrypt files on different hosts, potentially compromising an entire network.
Taint Shared Content | T1080 | Conti ransomware can spread itself by infecting other remote machines via network shared drives.

Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti ransomware can use the Windows Restart Manager to ensure files are unlocked and open for encryption.
Service Stop | T1489 | Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop.
Inhibit System Recovery | T1490 | Conti ransomware can delete Windows Volume Shadow Copies using vssadmin.

Table 1: Conti ATT&CK techniques for enterprise
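The Impact rows above (service stops via net stop, shadow-copy deletion via vssadmin, rapid file encryption) together with the Rclone exfiltration and ransom-note behaviour described elsewhere in this article are all host-observable. The following is an added example, not code from the original post or from NetSecurity, showing how a defender could turn those rows into simple detection logic over process-creation and file events. The event field names, the Sysmon-like dict layout, the count thresholds, and the sample telemetry are all constructed assumptions for this example.

```python
"""Behavioural detection for Conti-style impact and exfiltration activity.

Added example (not from the article or NetSecurity). Scans constructed
process-creation and file events for the behaviours the article lists:
shadow-copy deletion with vssadmin (T1490), mass 'net stop' of
backup/security services (T1489), rclone use for exfiltration, and mass
renaming of files to the .CONTI / .ODMUA extension (T1486) alongside a
ransom-note drop. Field names and thresholds are assumptions.
"""
import re
from collections import Counter

ENCRYPTED_EXTS = (".conti", ".odmua")            # extensions named in the article
RANSOM_NOTES = ("conti_readme.txt", "readme.txt")  # note names from the article
NET_STOP_THRESHOLD = 5                            # assumed: stops per host
RENAME_THRESHOLD = 20                             # assumed: renames per host

VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
NET_STOP_RE = re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+\S+", re.I)
RCLONE_RE = re.compile(r"\brclone(\.exe)?\b", re.I)


def detect(events):
    """Return a list of (host, rule, detail) alerts for a list of event dicts.

    Each event has: host, kind ('process' or 'file'), and either
    cmdline (process) or path/op (file, op in {'create', 'rename'}).
    """
    alerts = []
    net_stops = Counter()
    renames = Counter()
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "process":
            cmd = ev.get("cmdline", "")
            if VSSADMIN_RE.search(cmd):
                alerts.append((host, "T1490 shadow copy deletion", cmd))
            if NET_STOP_RE.search(cmd):
                net_stops[host] += 1          # single stops are normal; count them
            if RCLONE_RE.search(cmd):
                alerts.append((host, "rclone exfiltration tool", cmd))
        elif ev["kind"] == "file":
            path = ev.get("path", "").lower()
            if ev.get("op") == "rename" and path.endswith(ENCRYPTED_EXTS):
                renames[host] += 1
            if ev.get("op") == "create" and path.rsplit("\\", 1)[-1] in RANSOM_NOTES:
                alerts.append((host, "ransom note dropped", ev["path"]))
    # Threshold rules fire once per host after the whole window is seen.
    for host, n in net_stops.items():
        if n >= NET_STOP_THRESHOLD:
            alerts.append((host, "T1489 mass service stop", f"{n} net stop commands"))
    for host, n in renames.items():
        if n >= RENAME_THRESHOLD:
            alerts.append((host, "T1486 mass encryption", f"{n} files renamed to a Conti extension"))
    return alerts


# Constructed sample telemetry for this example (not real logs).
SAMPLE_EVENTS = (
    [{"host": "WS01", "kind": "process", "cmdline": f"net stop {svc}"} for svc in
     ("MSSQLSERVER", "SQLWriter", "VeeamBackupSvc", "Sophos", "MSExchangeIS", "BackupExecVSSProvider")]
    + [{"host": "WS01", "kind": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
       {"host": "WS01", "kind": "process", "cmdline": "rclone.exe copy D:\\Finance remote:bucket"},
       {"host": "WS01", "kind": "file", "op": "create", "path": "C:\\conti_readme.txt"},
       {"host": "WS02", "kind": "process", "cmdline": "net stop Spooler"},   # benign single stop
       {"host": "WS02", "kind": "file", "op": "rename", "path": "C:\\Users\\a\\doc.docx.CONTI"}]
    + [{"host": "WS01", "kind": "file", "op": "rename", "path": f"D:\\share\\f{i}.xlsx.CONTI"}
       for i in range(25)]
)

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {detail}")
```

Run against the sample, WS01 produces five alerts (shadow-copy deletion, rclone, ransom note, mass service stop, mass encryption) while WS02, with one service stop and one rename, stays quiet. The plain "readme.txt" name is noisy on real file servers and should be correlated with the rename burst rather than alerted on alone; the thresholds are starting points to tune per environment.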

How does Conti Work?

Figure 4: Typical Ransomware Note

When executed, it encrypts files and changes their extension to [.]ODMUA. It leaves a ransom note as a text file named "readme.txt".

Figure 5: The 1st batch of file extensions to be checked
Figure 6: The 2nd batch of file extensions to be checked
Figure 7: Conti’s encryption method
Figure 8: Encrypted files with the .ODMUA extension
Figure 9: The Conti ransom note
Figure 10: The Conti Recovery website

Indicators of Compromise

Domains

badiwaw[.]com
balacif[.]com
barovur[.]com
basisem[.]com
bimafu[.]com
bujoke[.]com
buloxo[.]com
bumoyez[.]com
bupula[.]com
cajeti[.]com
cilomum[.]com
codasal[.]com
comecal[.]com
dawasab[.]com
derotin[.]com
dihata[.]com
dirupun[.]com
dohigu[.]com
dubacaj[.]com
fecotis[.]com

fipoleb[.]com
fofudir[.]com
fulujam[.]com
ganobaz[.]com
gerepa[.]com
gucunug[.]com
guvafe[.]com
hakakor[.]com
hejalij[.]com
hepide[.]com
hesovaw[.]com
hewecas[.]com
hidusi[.]com
hireja[.]com
hoguyum[.]com
jecubat[.]com
jegufe[.]com
joxinu[.]com
kelowuh[.]com
kidukes[.]com

kipitep[.]com
kirute[.]com
kogasiv[.]com
kozoheh[.]com
kuxizi[.]com
kuyeguh[.]com
lipozi[.]com
lujecuk[.]com
masaxoc[.]com
mebonux[.]com
mihojip[.]com
modasum[.]com
moduwoj[.]com
movufa[.]com
nagahox[.]com
nawusem[.]com
nerapo[.]com
newiro[.]com
paxobuy[.]com
pazovet[.]com

pihafi[.]com
pilagop[.]com
pipipub[.]com
pofifa[.]com
radezig[.]com
raferif[.]com
ragojel[.]com
rexagi[.]com
rimurik[.]com
rinutov[.]com
rusoti[.]com
sazoya[.]com
sidevot[.]com
solobiv[.]com
sufebul[.]com
suhuhow[.]com
sujaxa[.]com
tafobi[.]com
tepiwo[.]com
tifiru[.]com

tiyuzub[.]com
tubaho[.]com
vafici[.]com
vegubu[.]com
vigave[.]com
vipeced[.]com
vizosi[.]com
vojefe[.]com
vonavu[.]com
wezeriw[.]com
wideri[.]com
wudepen[.]com
wuluxo[.]com
wuvehus[.]com
wuvici[.]com
wuvidi[.]com
xegogiv[.]com
xekezix[.]com

Encrypted Files Extension

  • [.]CONTI

Ransom Demand Message

  • CONTI_README[.]txt

Cyber Criminal Contact

  • mantiticvi1976@protonmail[.]com
  • fahydremu1981@protonmail[.]com
  • frosculandra1975@protonmail[.]com
  • trafyralhi1988@protonmail[.]com
  • sanctornopul1986@protonmail[.]com
  • ringpawslanin1984@protonmail[.]com
  • liebupneoplan19@protonmail[.]com
  • stivobemun1979@protonmail[.]com
  • guifullcharti1970@protonmail[.]com
  • phrasitliter1981@protonmail[.]com
  • elsleepamlen1988@protonmail[.]com
  • southbvilolor1973@protonmail[.]com
  • glocadboysun1978@protonmail[.]com
  • carbedispgret1983@protonmail[.]com
  • listun@protonmail[.]com
  • mirtum@protonmail[.]com
  • maxgary777@protonmail[.]com
  • ranosfinger@protonmail[.]com
  • bootsdurslecne1976@protonmail[.]com
  • rinmayturly1972@protonmail[.]com
  • niggchiphoter1974@protonmail[.]com
  • lebssickronne1982@protonmail[.]com
  • daybayriki1970@protonmail[.]com

MD5

  • 196b1e6992650c003f550404f6b1109f

SHA1

  • 6b1213966652f31cc333d9f1db64cb520c2256ec

SHA256

  • 844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1
  • 50b3ffd4f5b5ca722b42b8ef3bd93e31afeb9c959a1fea4ab2ba82f9a8a0692f

SSDEEP

  • 384:yRcf5+y19sfna80LQiwvoh2fTuMl2t+JCeAxaBtmFU7qFFdjSfwaqkSTepQJb49Q:KcB+hClQ3vTLuMl2toIaCFIvROr

Files Dropped

  • C:\conti_readme[.]txt
  • C:\documents and settings\conti_readme[.]txt
  • C:\far2\addons\colors\conti_readme[.]txt
  • C:\far2\addons\conti_readme[.]txt
  • C:\far2\conti_readme[.]txt
  • D:\conti_readme[.]txt
  • <REM_DRIVE>:\1189[.]jpeg
  • <REM_DRIVE>:\1189[.]jpeg[.]conti
  • <REM_DRIVE>:\1189[.]jpg
  • <REM_DRIVE>:\1189[.]jpg[.]conti

Processes Created

  • <PATH_SAMPLE[.]EXE>
  • %WINDIR%\syswow64\cmd[.]exe
  • <SYSTEM32>\conhost[.]exe
  • %WINDIR%\syswow64\vssadmin[.]exe
  • <SYSTEM32>\vssvc[.]exe

IP Addresses

  • 162.244.80[.]235
  • 85.93.88[.]165
  • 185.141.63[.]120
  • 82.118.21[.]1

Vulnerabilities

How to Safeguard Against CONTI?

Staying safe from data breaches is possible with the proper knowledge, practices, and reliable solutions. Prevent initial access at all costs. The following are basic mitigations:

  • An efficient and effective threat intelligence pipeline to stay updated on adversary TTPs.
  • Patch your operating system, software, and firmware as soon as vendors release essential updates.
  • Proper segregation and isolation of internal networks.
  • Update passwords for network systems and accounts regularly. An effective password policy that addresses password complexity and rotation is vital.
  • Deploy properly configured NGFW/IDPS/XDR/EDR systems to monitor and thwart malicious activity.
  • Disable any ports that aren't used for remote access or Remote Desktop Protocol (RDP).
  • A proper system monitoring pipeline with sufficient logging, including PowerShell and JScript activity.
  • Employee education is equally important: train staff not to reuse the same password across accounts and to use multi-factor authentication.
  • Cybersecurity education is vital; it is the best means of preventing such incidents.
  • Treat suspicious emails with caution: do not open attachments or click links in them.
  • Double-check that an email is legitimate, especially if it urges you to make a financial transaction.
  • Effective, redundant, and fail-proof backup plans.
  • Use multi-factor authentication whenever possible.

How To Detect Ongoing Ransomware Attacks?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection and Response (EDR) solution, in action? Click the button below to request a free demo of NetSecurity's ThreatResponder platform.


Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

I am an experienced and CEH certified cybersecurity professional with expertise in incident response, forensic investigations, cyber threat intelligence, vulnerability mgmt. and cyber threat research.
About Inno Eroraha
Dulles, Virginia Website
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of ThreatResponder Platform.