Cross Section of the Conti Ransomware Attack and its TTPs

Cross Section of the Conti Ransomware Attack and its TTPs

The first mention of Conti ransomware is from May 2020. It is characterized by its rapid spread to systems and file encryption. Moreover, it is a human-controlled ransomware whose use a double-extortion tactic. In addition to requiring a ransom for the decryption key, attackers publish a small sample of the stolen data and, if the entire ransom is not paid, threaten to publish all the data.

 

Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.

 

How to Deal With Conti Ransomware?

It is very easy to find out that you were infected with Conti ransomware. After it is executed, the files are encrypted. Their extensions are changed to .CONTI, also possible is .ODMUA. A text file called “readme.txt” or “CONTI_README.txt” is also created, which contains an information message with a step-by-step guideline for the victim.

Here follow recommended steps:

Initial Attack Containment

The first step is to determine if the attack is still ongoing. If so, infected devices must be isolated from the rest of the network. The easiest way is to disconnect the network cable or turn off Wi-Fi. Disconnecting a device will stop the spread of ransomware on other devices. To do this, you must identify all affected endpoints, servers, and operating systems. It is also necessary to check the functionality and existence of backups. The attacker could also modify them. It is recommended to use other than normal communication channels to communicate about the situation. Attackers often continue to monitor the situation in the system after the ransomware is launched.

Investigation

After the containment phase of the attack, its vector must be determined. You need to define the cause to avoid repeated attacks in the future. When you are dealing with Conti ransomware attacks, the following activity is expected:

In general, attackers can be in your network for a long time. It can take days or weeks. They try to find out all possible available information that can help them in the attack. These can be, for example, the security settings of your network. With administrator privileges, attackers can very easily turn off some of them, for example Windows Defender settings.

How Does Conti Ransomware Operate?

One of the scenarios of the Conti ransomware distribution begins by sending a phishing email. The sender, as usual, appears to be a trusted person. The email contains a URL that points to a document. Possible initial access methods could also include vulnerable firewalls, exposed RDP services or exploiting a software security vulnerability. When downloading the document, the victim also downloads the Bazaar backdoor malware, which connects the victim’s device and Conti’s command-and-control server. There are different ways to deploy ransomware. Very often, the attackers use Microsoft PsExec. Attackers know many administrators use it to remotely execute commands on devices.

The goal of the attackers is to access the administrator accounts, from where they are able to launch the ransomware. However, they also look for accounts that may contain sensitive data, system backups, and similar valuable information. So, they use tools like Mimikatz, which can capture information from the LSASS.exe file. This way, they can access the currently logged in users and their passwords.

The specificity of Conti ransomware is to obtain as much of your data as it is possible. The largest exfiltrations are mostly automated. The attackers use the data to blackmail the victims and after non-payment of the ransom, they will either publish them or sell them to other attackers. Thanks to this data, they can launch further attacks on the victims. From the data obtained, they can use, for example, strings, to find access to various accounts and services, credit card numbers, and other sensitive personal data.

Tactics, Techniques, and Procedures

Conti ransomware utilizes different techniques to fulfill attacker’s objectives, such as:

  • using CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk.
  • utilizing a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim
  • using “Windows Restart Manager” to ensure files are unlocked and open for encryption
  • deleting Windows Volume Shadow Copies using vssadmin
  • enumerating remote open SMB network shares using NetShareEnum()
  • encrypting DLLs and used obfuscation to hide Windows API calls
  • enumerating through all open processes and searching for any that have the string “sql” in their process name
  • spreading via SMB and encrypting files on different hosts, potentially compromising an entire network
  • stopping up to 146 Windows services related to security, email, database, and backup solutions through the use of net stop
  • retrieving the ARP cache from the local system by using the GetIpNetTable() API call and checking to ensure IP addresses it connects to are for local, non-Internet, systems
  • enumerating routine network connections from a compromised host
  • spreading itself by infecting other remote machines via network shared drives

 

References

What to expect when you’ve been hit with Conti ransomware

MITRE ATT&CK