Conti Ransomware
In this article, we discuss Conti ransomware in detail: our analysis results, the group's tactics, techniques, and procedures (TTPs), and the vulnerabilities exploited in Conti attacks.
Introduction
Conti is a ransomware-as-a-service (RaaS) operation believed to be controlled by a Russia-based cybercrime group called WizardSpider. The ransomware shares some code with the infamous Ryuk ransomware, which was last reported in July 2020. Conti gains initial access to the network through malicious attachments and links, encrypts data, and spreads to other systems exceptionally quickly, which makes it a very dangerous threat. A typical Conti attack involves stealing files, encrypting servers and workstations, and demanding a ransom payment. Conti was considered one of the most successful ransomware gangs of 2021 and remains one of the most prolific today, especially since REvil members were arrested at the beginning of 2022. According to the Ransomware project, Conti is a highly prolific threat actor that has obtained more than $50 Million.
History
Since 2020, Conti has made headlines consistently. A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warned organizations about the threat posed by the ransomware group and the vulnerabilities it exploits. According to the FBI Flash advisory Conti Ransomware Attacks Impact Healthcare and First Responder Networks, Conti ransomware has been used in more than 400 attacks against U.S. and international organizations. A typical Conti ransomware attack involves malicious cyber actors stealing files, encrypting servers and workstations, and demanding ransom payments to restore access to those files.
In the advisory, CISA, the FBI, and the NSA recommend mitigation measures such as multifactor authentication (MFA), network segmentation, and keeping operating systems and software updated to mitigate Conti ransomware.
Conti continued its prolific track record in 2022, with four attacks reported within the first two months of the year. The following are a few recent incidents involving the Conti group.
| Ransomware Attack Incident | Time Period | Sector | Conti Demands |
|---|---|---|---|
| Meyer Corporation | October 25, 2021 – February 18, 2022 | Distribution | – |
| Kenyon Produce Snacks | February 02, 2022 | Foods and Beverages | – |
| Delta Electronics | January 21, 2022 | Manufacturing | $15 Million ransom |
| RR Donnelley | January 15, 2022 | Marketing Agency | 2.5 GB of data stolen |
Conti recently pledged loyalty to the Russian government
During the Russia-Ukraine war in 2022, the Conti ransomware gang pledged its allegiance to the Russian government. It threatened retaliatory attacks on the critical infrastructure of any nation that opposed the war or planned cyberattacks against Russia.
Tactics, Techniques, and Procedures
The group uses phishing attacks against the target organization to install the TrickBot, IcedID, Cobalt Strike, and BazarLoader trojans and gain remote access to compromised machines. Conti actors abuse legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. Based on our analysis of multiple attacks involving Conti ransomware, we believe the following attack chain represents their overall strategy:
Initial Access
- Phishing and spear-phishing campaigns
- Exploitation of vulnerable external assets such as firewalls
- Internet-facing RDP (Remote Desktop Protocol) servers
Execution
- Scan internal servers, endpoints, backups, and sensitive data
- Gather live IP addresses and open ports with popular port scanners such as Angry IP Scanner, Advanced Port Scanner, or RouterScan
Persistence
- Use RDP and remote monitoring software to maintain persistence
- Install backdoors such as BazarLoader and create processes and registry entries to maintain persistence
Privilege Escalation
- Use tools such as Mimikatz to escalate privileges and obtain Domain Administrator or equivalent rights
Defense Evasion
- Disable security controls so that they can move laterally around the network without being noticed
Credential Access
- Dump credentials using popular post-exploitation tools such as Mimikatz and Windows Sysinternals utilities
Lateral Movement
- Use RCE (remote code execution) vulnerabilities to spread to all servers identified
- Inject into logon scripts and batch scripts distributed via GPO that loop over the list of IP addresses, deploying the code to as many servers as possible whenever a computer starts up and joins the domain
Command and Control
- Communicate with Cobalt Strike command-and-control (C2) servers; four Cobalt Strike server IP addresses have been attributed to Conti
Exfiltration
- Exfiltrate as much data as possible through a variety of methods; files may be saved on the actors' own server, transmitted through email, or uploaded to one or more anonymous cloud storage containers
- Use the Rclone tool for data exfiltration
CONTI TTP – MITRE ATT&CK Mapping
According to CISA, the following is the mapping of Conti TTPs to the MITRE ATT&CK Matrix.
Table 2: Conti ATT&CK techniques for enterprise
How does Conti Work?
When executed, Conti encrypts files and appends the extension [.]ODMUA to their names. It leaves a ransom note as a text file named “readme.txt.”
Indicators of Compromise
Domains
Encrypted Files Extension
- [.]CONTI
Ransom Demand Message
- CONTI_README[.]txt
Cyber Criminal Contact
MD5
- 196b1e6992650c003f550404f6b1109f
SHA1
- 6b1213966652f31cc333d9f1db64cb520c2256ec
SHA256
- 844cc2551f8bbfd505800bd3d135d93064600a55c45894f89f80b81fea3b0fa1
- 50b3ffd4f5b5ca722b42b8ef3bd93e31afeb9c959a1fea4ab2ba82f9a8a0692f
SSDEEP
- 384:yRcf5+y19sfna80LQiwvoh2fTuMl2t+JCeAxaBtmFU7qFFdjSfwaqkSTepQJb49Q:KcB+hClQ3vTLuMl2toIaCFIvROr
Files Dropped
- C:\conti_readme[.]txt
- C:\documents and settings\conti_readme[.]txt
- C:\far2\addons\colors\conti_readme[.]txt
- C:\far2\addons\conti_readme[.]txt
- C:\far2\conti_readme[.]txt
- D:\conti_readme[.]txt
- <REM_DRIVE>:\1189[.]jpeg
- <REM_DRIVE>:\1189[.]jpeg[.]conti
- <REM_DRIVE>:\1189[.]jpg
- <REM_DRIVE>:\1189[.]jpg[.]conti
Processes Created
- <PATH_SAMPLE[.]EXE>
- %WINDIR%\syswow64\cmd[.]exe
- <SYSTEM32>\conhost[.]exe
- %WINDIR%\syswow64\vssadmin[.]exe
- <SYSTEM32>\vssvc[.]exe
IP Addresses
- 162.244.80[.]235
- 85.93.88[.]165
- 185.141.63[.]120
- 82.118.21[.]1
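As an added example (not part of the original article), the following Python matches endpoint telemetry against the indicators listed above: the ransom note file names, the encrypted-file extensions, the C2 IP addresses, and the vssadmin.exe process from the processes-created list. The event field names (type, image, cmdline, path, dst) and the sample events are assumptions constructed for this illustration.

```python
"""Match endpoint telemetry against the Conti indicators listed above."""
from typing import Dict, List, Optional, Tuple
import ipaddress
import ntpath

# Indicator values come from the article's IoC section, defanging removed.
RANSOM_NOTE_NAMES = {"conti_readme.txt", "readme.txt"}
ENCRYPTED_EXTS = (".conti", ".odmua")
C2_IPS = {"162.244.80.235", "85.93.88.165", "185.141.63.120", "82.118.21.1"}

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert label for one event, or None if no indicator matched."""
    kind = event.get("type")
    if kind == "process":
        image = ntpath.basename(event.get("image", "")).lower()
        cmdline = event.get("cmdline", "").lower()
        # vssadmin.exe is in the processes-created list above; shadow copy
        # deletion is what removes the victim's local recovery points.
        if image == "vssadmin.exe" and "delete" in cmdline and "shadows" in cmdline:
            return "shadow copy deletion via vssadmin"
    elif kind == "file":
        name = ntpath.basename(event.get("path", "")).lower()
        if name in RANSOM_NOTE_NAMES:
            return "Conti ransom note written"
        if name.endswith(ENCRYPTED_EXTS):
            return "file renamed with a Conti extension"
    elif kind == "network":
        try:
            dst = str(ipaddress.ip_address(event.get("dst", "")))
        except ValueError:
            return None  # malformed address field: nothing to match
        if dst in C2_IPS:
            return "connection to known Conti C2 address"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over an event stream; return (index, label) per hit."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

# Constructed sample telemetry (not real captures); the first event is benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process", "image": r"%WINDIR%\syswow64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "file", "path": r"C:\far2\addons\conti_readme.txt"},
    {"type": "file", "path": r"E:\1189.jpg.conti"},
    {"type": "network", "dst": "185.141.63.120"},
]
```

scan(SAMPLE_EVENTS) flags events 1 through 4 and leaves the benign notepad event alone; in practice the same classifier would be fed from EDR or Sysmon process, file and network events.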
Vulnerabilities
- 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities
- “PrintNightmare” vulnerability (CVE-2021-34527) in Windows Print spooler service
- “Zerologon” vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems
How to Safeguard Against CONTI?
Staying safe from data breaches is possible with the proper knowledge, practices, and reliable solutions. Prevent initial access at all costs. The following are basic mitigations:
- An efficient and effective threat intelligence pipeline to stay updated on adversary TTPs.
- Patch your OS (operating system), software, and firmware as soon as manufacturers release essential updates.
- Proper segregation and isolation of internal networks.
- Update passwords for network systems and accounts regularly. An effective password policy that addresses password complexity and rotation is vital.
- Deploy properly configured NGFW/IDPS/XDR/EDR systems to monitor and thwart malicious activity.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports.
- A proper system monitoring pipeline for better logging, including PowerShell, JScript, etc.
- Employee education is equally important: avoid reusing the same password across multiple accounts, and use multi-factor authentication.
- Cybersecurity education is vital; it is the best means of preventing such incidents.
- Avoid suspicious emails.
- Do not open attachments or click on links in such an email.
- Double-check that an email is legitimate, especially if it urges you to make a financial transaction.
- Effective and redundant fail-proof backup plans.
- Use multi-factor authentication whenever possible.
How To Detect Ongoing Ransomware Attacks?
Cybersecurity threats and ransomware attacks are increasing at a tremendous pace, and it is extremely difficult for cybersecurity analysts and incident responders to investigate and detect them using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) security solution, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).