Activities From Conti Ransomware Surges and Draws US Authorities’ Attention who Issues Fresh Alerts

How XDR Gives 360 Degree Protection For Cyber Security?

The Conti ransomware cybercrime syndicate, which attacked the Irish health services, seems to be very active recently. Following the surge, the US Cyber Security and Infrastructure Security Agency (CISA) have given fresh warnings to defenders worldwide.

What is Conti?

Conti is a cybercrime gang operating through a private Ransomware-as-a-Service (RaaS) model. It is believed that a Russian-based cybercrime group tracked as Wizard Spider is the one that controls this syndicate.

While we have witnessed numerous ransomware attacks, Conti stands out from the rest due to the variations in its typical affiliate model. Unlike many RaaS models that pay the deployers a certain percentage of the ransom from a successful attack, Conti is likely paying a fixed wage.

Another thing that makes Conti worrisome is that it is considered to be one of the most ruthless damaging groups currently in operation. You can imagine the damage with the fact that Ireland is yet to recover from the attack deployed by this group in mid-May that led to the entire nation’s healthcare IT network’s shutdown. They are always on a hunt to find new targets, including hospitals, emergency medical networks, and other organizations, and deploy ransomware. In fact, the FBI, until now, has associated this gang with 400+ cyber-attacks against organizations worldwide. Once the attack is successful, Conti demands a huge ransom, the average of which is $849,581.

How Does Conti Operate?

The gang usually starts by getting initial access to networks. This access [TA0001-MITRE tactic Initial Access] is gained through:

• Spear Phishing: One of the most standard ways to penetrate a system is through Spear Phishing campaigns. Conti creates tailored emails that induce the targeted people to download the attachments within the emails. These emails contain malicious Word attachments or links such as [T1566.001-MITRE technique Phishing: Attachments] or [T1566.002-MITRE technique Phishing: Links] or [T1566.003-MITRE technique Spearphishing via Service]. The attachments usually contain some embedded scripts that can trigger the download or drop of other malware into the systems. This malware, such as TrickBot and IcedID, and/or Cobalt Strike, helps with the lateral movement and finally deploy the Conti ransomware once the penetration is successful.
• Easy to crack, weak, stolen, or compromised Remote Desktop Protocol (RDP) credentials [T1078-MITRE technique Valid Accounts]
• Social Engineering techniques such as Phone Calls / Text Messages (SMS)
• Malicious or fake software promoted through SEO
• Malware distribution networks such as ZLoader
• Un-patch vulnerabilities in internal or external assets that can be exploited

Once they have the initial access, they look to execute [TA0002-MITRE tactic Execution] the Conti ransomware. This is done by running two payloads: first a getuid payload and then an aggressive payload. The idea behind this two-payload deployment is to minimize the chances of triggering anti-virus engines.

Further, the deployers use Router Scan, which is a pentesting tool. With the tool, they try to scan for and brute force [T1110-MITRE technique Brute Force] routers, CCTV cameras, or any IoT storage devices attached to the network via web interfaces.

Moreover, they also use Kerberos attacks [T1558.003-MITRE technique Kerberoasting] to make an attempt to get access to the Admin hash. With the Admin hash, they conduct brute force attacks.

To maintain the access [TA0003-MITRE tactic Persistence] and proceed with the lateral movement, they try to penetrate desktop software and remote monitoring and management software (RMM type of tools).

The deployers then, depending on the requirement, make use of available tools on the victim network and install additional tools. They use tools like Windows Sysinternals and Mimikatz and get users’ hashes and credentials. This information enables them to soar privileges [TA0004-MITRE tactic Privilege Escalation] to perform post-exploitation and lateral movement tasks [TA0008-MITRE tactic Lateral Movement]. The standard Windows vulnerabilities exploited for this include:

• PrintNightmare (CVE-2021-1675/CVE-2021-34527)
• ZeroLogon (CVE-2020-1472)
• EternalBlue (ms17_010)

The deployers might also use TrickBot malware for post-exploitation tasks in some cases.

How to detect a Conti attack with the help of EDR?

Security Analysts can leverage SharkStriker’s ORCA platform to detect and prevent the Conti Ransomware quickly:

1. As established earlier, Conti ransomware incapacitates Anti-Virus products and software on target systems for initial access. However, our ORCA platform can identify and trigger alerts for this activity based on the suspicious command-line parameters used. You can see this in the below screenshot, where the ORCA platform detects the same.

Businesses can also use the ORCA platform to create custom adversary behaviour detection rules based on their security standards and requirements, which can detect these types of activities. Given below is the EQL query that can hunt for any such suspicious behavior:

2. Detection for creation of a malicious file.

Analyzing the command line can help us conclude that the malicious file was created.

3. For instance, the below screenshot shows that a malicious file was executed along with other file details, such as its malware score and file name.

Execution Speed: Conti uses around 32 concurrent CPU threads for encrypting files. The switch from AES cipher to CHACHA algorithm post the iteration of September 2020 further speeds up the encryption. It reduces the time required to lock the victim’s data and the chances of blocking the operation.

Here’s the proof:

Process creation and termination time:

4. Additionally, we can also detect lateral movement by running a search query to identify SMB connections made by unusual processes.

data.win.eventdata.destinationPort: “445” and Not data.win.eventdata.image:”System”

In the above screenshot, we see that the same IPs are trying to connect to multiple destinations via the SMB port.

5. Our ORCA platform’s automated periodic VA assessment can also help check Windows vulnerabilities exploited by Conti for lateral movement:

• PrintNightmare (CVE-2021-1675/CVE-2021-34527)
• ZeroLogon (CVE-2020-1472)
• EternalBlue (CVE-2017-0144)

How to Prevent?

Some best practices to help prevent Conti ransomware attacks include:

• Leverage EDR tools such as our ORCA EDR platform to monitor suspicious activities.
• Use Multi-Factor Authentication.
• Filter network traffic and implement segmentation.
• Conduct periodic vulnerability assessments and keep all the software patched and updated.
• Remove applications and apply controls that are not required.
• Secure user accounts.
• Restrict RDP to limit access to resources over the network.
• Block Conti Cobalt Strike C2 at the network level: 162.244.80[.]235, 85.93.88[.]165, 185.141.63[.]120, 82.118.21[.]1
• Audit Active Directory Policy and users with elevated privileges to disrupt attackers.
• Audit internal password policy – NIST guidance on Active Directory password lockout policy is 10 attempts.