OVERVIEW
Conti is a notorious and active ransomware operation that has extracted multi-million dollar payments from victims and is one of the most successful ransomware groups currently operating; it is known to target companies with more than $100 million in annual revenue. It is assessed to operate in affiliation with the Russia-based cyber criminal group tracked as Wizard Spider. First observed in 2020, Conti has since hit infrastructure where disruption carries life-threatening consequences, most notably when it crippled Ireland's national healthcare services (the HSE) in May 2021 and demanded a $20 million ransom.
TARGETING
Because Conti is operated as ransomware-as-a-service, targeting depends on the affiliate using the variant; however, it has been used against healthcare and first responder infrastructure, law enforcement, and manufacturing. Since the actors are financially motivated, any other organization or company could be targeted.
DELIVERY
Initial access has been observed via social engineering (such as spear phishing emails), exploitation of vulnerabilities, and abuse of stolen credentials. First-stage tooling such as Trickbot, BazarLoader or Cobalt Strike is then installed on the compromised hosts.
INSTALLATION
Conti actors have been observed running reconnaissance scans and moving laterally within an environment using Kerberos attacks (with tools such as Mimikatz) as well as exploiting vulnerabilities on unpatched machines. Privilege escalation is pursued throughout this process.
Before the ransomware is deployed, Conti stops Windows services related to security and backup software and deletes backups (including Volume Shadow Copies) so that the victim cannot recover without paying. Proprietary data is also exfiltrated at this stage using the open-source Rclone program.
Once deployed, the ransomware encrypts files using AES-256.
PERSISTENCE
What persists is the impact rather than the malware: file encryption combined with the inhibition of defense and recovery tooling (such as deletion of Windows Volume Shadow Copies) leaves the victim unable to restore systems without the attacker's key.
COMMUNICATION
CISA and the FBI have observed Conti actors using Cobalt Strike server IP addresses that are unique to each victim.
THREAT UPDATE – 09 March 2022
Threat Summary
Conti is an active ransomware operation that has extracted multi-million dollar payments from victims, targets companies with more than $100 million in annual revenue, and is assessed to be affiliated with the Russia-based cyber criminal group tracked as Wizard Spider. Since it was first observed in 2020 it has hit infrastructure where disruption carries life-threatening consequences, most notably Ireland's national healthcare services (the HSE) in May 2021, with a $20 million ransom demand. More recently, the Conti group announced its support for Russia's invasion of Ukraine and threatened to retaliate and "strike back" if Russia is attacked.
Conti ransomware operates as ransomware-as-a-service: affiliates pay for access to the ransomware and launch the attacks themselves. Actors usually gain initial access through spear phishing campaigns with malicious attachments or links, through purchased or otherwise obtained RDP credentials, or by exploiting known vulnerabilities on externally facing assets, among a few other methods. From there, they have been observed installing the Trickbot and/or BazarLoader trojans on compromised machines and beginning the attack chain. They also employ "double extortion": the victim's data is encrypted, but large amounts of it are exfiltrated first, so the actors can offer decryption if paid while also threatening to publish the stolen proprietary information. Given the Conti group's active role in the Ukraine-Russia conflict and the uptick in attacks against organizations worldwide, defenders should be aware of this organization going forward.
Threat Synopsis
Since 2020, Conti ransomware has targeted numerous organizations, netting hundreds of millions of dollars in ransom payments and crippling infrastructure ranging from oil and transport companies to hospitals, emergency medical services, and law enforcement; the group is suspected of more than 400 cyberattacks worldwide. The variant, operated as ransomware-as-a-service, employs TTPs that are not groundbreaking but are effective. It typically relies on "double extortion": not only encrypting a victim's machines but also exfiltrating proprietary information, so that decryption can be offered if demands are met while release of the stolen data is threatened otherwise.
Initial access has been observed via social engineering (such as spear phishing emails), exploitation of vulnerabilities, and abuse of stolen credentials. First-stage tooling such as Trickbot, BazarLoader or Cobalt Strike is then installed on the compromised hosts. Reconnaissance follows, using tools such as "Router Scan" to discover and brute force devices with web interfaces. Privilege escalation has also been observed, using Kerberos attacks with tools such as Mimikatz to steal administrator and other user credential hashes. A leaked Conti playbook states that actors will try to exploit vulnerabilities on unpatched devices to escalate privileges and move laterally, the PrintNightmare (CVE-2021-34527) and Zerologon (CVE-2020-1472) vulnerabilities being the cited examples.
Before deploying the ransomware, Conti actors have been observed communicating with Cobalt Strike server IP addresses that are unique to the victim being attacked. Actors have also been seen using the open-source Rclone program for data exfiltration, fulfilling the first half of the "double extortion" strategy. Stopping Windows services related to security and backup software and deleting Windows Volume Shadow Copies have been observed as well, to impede system recovery. After exfiltrating all the data they can, the actors deploy the ransomware, which encrypts data on local drives and on accessible SMB network shares; a ransom note is then dropped on each host, giving the usual ransom notice and the TOR site used for further communication.
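The recovery-inhibition and exfiltration steps described in the INSTALLATION section and again above (stopping security and backup services, deleting Volume Shadow Copies, exfiltrating with Rclone) are the last high-signal events before encryption starts. The following is an added example of detection logic for them, not code from the original advisory or from CISA. It runs over process-creation telemetry in a constructed pipe-delimited format with constructed sample lines; the command-line patterns it matches (vssadmin/WMIC shadow copy deletion, net/sc service stops, rclone copy/sync/move to a remote) are the standard ways of performing those actions rather than command lines quoted from Conti samples, and the service-name keywords and severity ranking are likewise the example's own assumptions.

```python
"""
Host-level detection of the pre-deployment steps described in the advisory
(stopping security/backup services, deleting Volume Shadow Copies, Rclone
exfiltration) from process-creation telemetry.

Added example, not code from the advisory or from CISA. Assumptions: the log
format (pipe-delimited "time|host|user|image|command line", as a flattened
Sysmon Event ID 1 export might look) and the sample lines are constructed;
the command-line patterns are the standard Windows/Rclone ways of doing what
the advisory describes, not command lines quoted from Conti samples.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # full command line


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log line; return None on malformed input."""
    parts = line.rstrip("\r\n").split("|", 4)
    return ProcEvent(*parts) if len(parts) == 5 else None


# Technique name -> case-insensitive regex over the command line.
RULES = {
    # Shadow copy deletion via vssadmin, WMIC, or the WMI class from PowerShell.
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\)", re.I),
    # Stopping a service whose name suggests backup, database or AV/EDR
    # (keyword list is an assumption; tune it to the environment).
    "security_backup_service_stop": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|stop-service)\b.*"
        r"(backup|veeam|sql|defend|sense|mcafee|sophos|symantec|exchange)", re.I),
    # Rclone copying data to a configured remote ("remote:path"), or any
    # binary (a renamed rclone) pointed at an rclone.conf via --config.
    "rclone_exfil": re.compile(
        r"rclone(\.exe)?\s+(copy|sync|move)\b.*\s\w{2,}:\S*"
        r"|--config\s+\S*rclone\.conf", re.I),
}


def classify(ev: ProcEvent) -> List[str]:
    """Return the technique names matched by one process-creation event."""
    hits = [name for name, rx in RULES.items() if rx.search(ev.cmdline)]
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    if image_name == "rclone.exe" and "rclone_exfil" not in hits:
        hits.append("rclone_exfil")
    return hits


def severity(techniques: Set[str]) -> str:
    """Rank a host by how much of the pre-deployment chain is present."""
    shadow = "shadow_copy_deletion" in techniques
    others = techniques - {"shadow_copy_deletion"}
    if shadow and others:            # recovery inhibited plus exfil or service stop
        return "critical"
    if shadow or "rclone_exfil" in techniques:
        return "high"
    return "medium" if techniques else "none"


def scan(lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate matches per host; hosts with no matches are omitted."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_host[ev.host].update(classify(ev))
    return {
        host: {"techniques": sorted(t), "severity": severity(t)}
        for host, t in per_host.items() if t
    }


# Constructed sample telemetry (not real Conti data): FS01 shows the full
# exfiltrate-then-inhibit-recovery sequence, WS07 only shadow copy deletion,
# WS12 benign backup-agent and "net use" activity that must not alert.
SAMPLE_LOG = [
    "2022-03-09T09:41:10Z|FS01|CORP\\svc_backup|C:\\Users\\Public\\rclone.exe"
    "|rclone copy \\\\FS01\\Finance mega:finance --transfers 16 -q",
    "2022-03-09T10:02:33Z|FS01|CORP\\admin|C:\\Windows\\System32\\net.exe"
    "|net stop MSSQLSERVER /y",
    "2022-03-09T10:02:40Z|FS01|CORP\\admin|C:\\Windows\\System32\\vssadmin.exe"
    "|vssadmin Delete Shadows /all /quiet",
    "2022-03-09T10:03:01Z|WS07|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|wmic shadowcopy delete",
    "2022-03-09T10:05:12Z|WS12|CORP\\mkim|C:\\Program Files\\Backup\\agent.exe"
    "|agent.exe --schedule nightly",
    "2022-03-09T10:06:00Z|WS12|CORP\\mkim|C:\\Windows\\System32\\net.exe"
    "|net use Z: \\\\FS01\\Finance",
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG).items():
        print(f"{host}: {verdict['severity']:8} {', '.join(verdict['techniques'])}")
```

Run the file directly to see the per-host verdicts for the sample log (FS01 is rated critical because exfiltration, a service stop and shadow copy deletion all occur on the same host; WS07 is high on shadow copy deletion alone; WS12 produces nothing). The rclone rule also fires on any process pointed at an rclone.conf via --config, because a renamed rclone binary would otherwise evade the image-name check; an actor who renames both the binary and the config file has to be caught from network telemetry, such as large outbound transfers to cloud storage, rather than from process creation.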
Further detail (most recently updated March 9, 2022) and IOCs associated can be found in the joint CSA alert, found here: https://www.cisa.gov/uscert/ncas/alerts/aa21-265a