What you need to know about Conti ransomware: “pay the ransom and still not recover”

The Conti ransomware group does not help victims recover encrypted files, and its attacks are more likely to result in data breaches.

Conti has been one of the most aggressive ransomware groups of the past two years, continuing to attack many large corporations, governments, law enforcement agencies and healthcare organizations. Security researchers warn that while ransomware groups usually care about their reputation, Conti doesn’t always live up to its promises to victims.

Researchers at Palo Alto Networks said in an analysis report: “In general, successful ransomware operators go to great lengths to establish and maintain some degree of ‘authenticity’ in a way that makes it easier to collect ransom payments from victims. They try to build trust through ‘customer service’ and by keeping their promise, once the ransom is paid, to decrypt the encrypted files and not to list the victim on their leak website. But from our experience helping businesses deal with ransomware attacks so far, Conti doesn’t seem to care about its reputation with victims.”

Conti, which first appeared at the end of 2019, has gradually grown into one of the major ransomware-as-a-service (RaaS) operations. The group is believed to be related to the Ryuk ransomware, run by a Russian cybercriminal group known as Wizard Spider. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said in their latest alert that they have observed Conti ransomware used in more than 400 attacks on US and international organizations. According to cybercrime intelligence firm Recorded Future, Conti was the ransomware variant with the second-highest number of victims, after LockBit, in September 2021.

Conti also operates somewhat differently from other RaaS groups. While most groups work with partners called affiliates, who break into victims and receive a percentage of the ransom payments, Conti is known to pay its developers a monthly wage.


How Conti gets initial network access

Conti attackers use a variety of methods to gain access to corporate networks, including buying access from other groups that already have it, the so-called network access brokers. Like Ryuk, Conti operators have used the TrickBot malware to gain access, along with other Trojans such as IcedID. These Trojans are typically distributed through spear-phishing emails containing malicious links or Microsoft Word attachments.

Stolen or weak Remote Desktop Protocol (RDP) credentials are a common way into networks for Conti, as for all ransomware groups. According to CISA and the FBI, these groups also abuse search engine optimization, malware distribution networks such as ZLoader, and vulnerabilities in externally facing IT assets. A Sophos investigation observed the exploitation of FortiGate firewall appliances running vulnerable firmware in an intrusion that deployed Conti.


How Conti moves laterally

Once inside the enterprise, the attackers use a variety of tools to map the network and extend their access. Researchers have found that they use the Cobalt Strike attack framework and a penetration-testing tool called Router Scan to search for web administration interfaces on routers, cameras and network attached storage (NAS) devices and to brute-force their credentials.

The attackers also carry out Kerberos attacks to obtain administrator password hashes, which they then crack by brute force. Many attack groups, including Conti, use tools such as the Windows Sysinternals suite or Mimikatz to obtain hashed and plaintext user credentials that allow privilege escalation and lateral movement within a domain.

In addition, Conti affiliates have been observed exploiting well-known Windows vulnerabilities on the network, such as EternalBlue in the SMB server, PrintNightmare (CVE-2021-34527) in the Windows Print Spooler service, and ZeroLogon (CVE-2020-1472) in Microsoft Active Directory domain controllers.
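The Kerberos attack described above leaves a recognisable trace on the domain controller: a burst of service-ticket requests (Windows Security event 4769) that ask for the weak RC4 encryption type against ordinary user accounts that carry a service principal name. The following is an added example, not code from the article, CISA, the FBI or any vendor; the event records are constructed to mirror the real event's field names, and the threshold is an assumption to tune per environment.

```python
"""Heuristic for spotting Kerberos service-ticket harvesting in Windows Security
event 4769 (a Kerberos service ticket was requested).

Added illustrative example; not from the article or any advisory. The sample
records below are constructed and the threshold is an assumption.
"""

# Encryption type 0x17 is RC4-HMAC: the ticket is protected with the service
# account's NT hash, which makes it the cheapest kind to attack offline.
RC4_HMAC = "0x17"

# Constructed 4769 records (field names follow the real event schema).
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.20"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.20"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.20"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.31"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.31"},
]


def is_suspicious_tgs(event):
    """True for an RC4 service ticket issued for a user (non-machine) account.

    Machine accounts end in '$' and krbtgt is the TGT service itself; neither
    is a typical offline-cracking target, so both are excluded.
    """
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return event["TicketEncryptionType"].lower() == RC4_HMAC


def kerberoast_candidates(events, threshold=3):
    """Group suspicious requests by (requesting user, source IP) and return the
    sorted list of distinct service accounts for every pair that reached
    `threshold` within the batch.

    Legitimate users rarely request RC4 tickets for several distinct service
    accounts in one burst; an attacker enumerating SPNs does exactly that.
    """
    seen_services = {}
    for e in events:
        if is_suspicious_tgs(e):
            key = (e["TargetUserName"], e["IpAddress"])
            seen_services.setdefault(key, set()).add(e["ServiceName"])
    return {k: sorted(v) for k, v in seen_services.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (user, ip), services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

The rule keys on distinct service accounts rather than raw request counts, because a single application legitimately re-requesting one ticket would otherwise trip it. Environments that still run legacy applications pinned to RC4 will need either a higher threshold or an allow-list of those accounts; the same logic can be fed from a SIEM query over 4769 instead of the embedded sample.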


How Conti encrypts files and deletes backups

Conti attackers do not deploy the ransomware directly; instead they rely on lightweight loaders that can evade antivirus detection. The attack group has used Cobalt Strike and Meterpreter payloads and a loader called getuid to inject the ransomware directly into memory.

Because reflective loaders deliver the ransomware payload directly into memory and never write a ransomware binary to the infected computer’s file system, the attackers remove a critical weakness that affects most other ransomware families. Sophos researchers said in an analysis report earlier this year that “there is no trace of ransomware that malware analysts can find and investigate.”

The ransomware also obfuscates strings and Windows API calls by using hash values instead of API function names and then adding another layer of encryption on top of them. All of this is intended to hinder both automatic detection by security products and manual reverse engineering.
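The standard analyst response to API hashing is to precompute the hash of every export the sample could plausibly want and look the embedded constants up in that table. The block below is an added example, not the article's code and not Conti's actual algorithm: the article does not name the hash, so a rotate-right-by-13 hash over the export name is assumed purely to show the technique, the outer XOR layer stands in for the "another layer of encryption" mentioned above, and the observed constants are constructed from those same assumptions.

```python
"""Resolving hashed Windows API references back to names during analysis.

Added illustrative example; not the article's code and not Conti's real
algorithm. ROR13 over the export name and a 32-bit XOR wrapper are assumed
here to demonstrate the lookup-table technique; the observed values are
constructed from those assumptions.
"""

MASK32 = 0xFFFFFFFF


def ror13_hash(name):
    """Rotate-right-by-13 hash over the ASCII bytes of an export name (assumed)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


def build_table(names, hash_fn=ror13_hash):
    """Precompute hash -> name for every export worth recognising."""
    return {hash_fn(n): n for n in names}


def unwrap(value, key):
    """Strip the outer obfuscation layer; a 32-bit XOR with a constant is assumed."""
    return (value ^ key) & MASK32


def resolve(obfuscated_values, table, key):
    """Map each obfuscated constant to an export name, or '<unresolved>' on a miss."""
    return [table.get(unwrap(v, key), "<unresolved>") for v in obfuscated_values]


# Exports an analyst would expect a file-encrypting sample to import.
KNOWN_EXPORTS = [
    "FindFirstFileW", "FindNextFileW", "CreateFileW", "ReadFile",
    "WriteFile", "CryptAcquireContextW", "CryptEncrypt", "VirtualAlloc",
    "LoadLibraryA", "GetProcAddress",
]

# Constructed "observations": what a sample using the assumed scheme would
# embed. A real sample's constants are read out of the disassembly instead.
XOR_KEY = 0x5A5A5A5A
OBSERVED = [ror13_hash(n) ^ XOR_KEY for n in ("CreateFileW", "CryptEncrypt", "WriteFile")]
OBSERVED.append(0xDEADBEEF ^ XOR_KEY)  # a value outside the table, to show a miss

if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    for v, name in zip(OBSERVED, resolve(OBSERVED, table, XOR_KEY)):
        print(f"{v:#010x} -> {name}")
```

In practice the table is built from the export directories of the real system DLLs (kernel32, advapi32, and so on) rather than a hand-picked list, and the hash routine is lifted from the sample's own resolver once it has been identified; the unresolved entries are the ones that tell you the list, or the hash guess, is incomplete.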

Another interesting feature of Conti is that it supports a command-line parameter instructing it to encrypt the local disk, a defined list of network shares, or specific files. “A noteworthy effect of this feature is that it can disrupt incident response activities by compromising targeted resources in the environment,” the VMware researchers wrote in their report. “No evidence of similar destruction can be found elsewhere in the environment. This also has the effect of reducing the overall ‘noise’ of the ransomware. Instead, users may not become aware of the encryption until days or weeks after the attackers gained access to the data.”

Conti encrypts files with the AES-256 algorithm and uses a public key hard-coded into the ransomware binary. Each binary is built for a specific victim, so that every victim has a unique key pair. The program can encrypt files even when it cannot connect to its C&C server.

The Conti attackers also go to considerable lengths to complicate recovery. The malware begins by disabling and deleting Windows Volume Shadow Copies. It then runs about 160 commands to disable various Windows system services and the services of third-party backup solutions, including the Acronis VSS Provider, Enterprise Client Service, SQLsafe Backup Service, Veeam Backup Catalog Data Service and Acronis Agent.


Data breach for double extortion

According to a report from security firm AdvIntel, Conti not only deletes backups but also uses the backup service itself to exfiltrate data, which it later uses to threaten victims with a data leak. “Conti finds users and services with Veeam privileges and access, then leaks, removes and encrypts the backups so that the ransomware breach cannot be recovered from backups,” the company’s researchers said. “In this way, Conti exfiltrates the data to further intimidate the victim, while at the same time removing the backups so that the victim has no chance of recovering their files quickly.”

Conti attackers have also been frequently observed using the Rclone open-source utility to upload company data to cloud-based file hosting services such as Mega.
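Both the backup-tampering stage described in the previous section (shadow-copy deletion and stopping backup services) and the Rclone uploads above run as ordinary child processes, so their command lines are visible in process-creation telemetry. The triage below is an added example, not code from the article, Sophos, AdvIntel or CISA: the records are constructed in the shape of Sysmon event 1 fields, and the keyword list, regexes and remote-name check are assumptions that generalise the article's examples to the related `wmic`, `sc` and `rclone sync`/`move` forms.

```python
"""Process-creation triage for backup tampering and bulk cloud uploads:
shadow-copy deletion, stopping backup services, and rclone transfers.

Added illustrative example; not code from the article or any vendor. Records
are constructed in the shape of Sysmon event 1 (process creation) fields; the
service keyword list and the regexes are assumptions.
"""
import re

# Commands that remove Volume Shadow Copies or shrink their storage.
SHADOW_RE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)

# `net stop <svc>` / `sc stop|config|delete <svc>`; captures a quoted or bare name.
SERVICE_RE = re.compile(
    r'\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config|delete))'
    r'\s+(?:"([^"]+)"|(\S+))', re.I)

# rclone copy/sync/move with a `<remote>:` destination; single-letter drive
# specifiers such as D: are excluded by requiring a two-character name.
RCLONE_RE = re.compile(
    r"\brclone(?:\.exe)?\s+(?:copy|copyto|sync|move)\b.*?\s([A-Za-z][\w-]+):", re.I)

# Services that matter for recovery (assumed keyword list, derived from the
# products named in the article).
BACKUP_KEYWORDS = ("backup", "veeam", "acronis", "vss", "sqlsafe", "enterprise client")

# Constructed events; the last two are benign controls.
SAMPLE_EVENTS = [
    {"User": r"CORP\svc_admin", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"User": r"CORP\svc_admin", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net stop "Veeam Backup Catalog Data Service" /y'},
    {"User": r"CORP\svc_admin", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc config "SQLsafe Backup Service" start= disabled'},
    {"User": r"CORP\svc_admin", "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares\Finance mega:archive -q"},
    {"User": r"CORP\helpdesk", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},
    {"User": r"CORP\jdoe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]


def classify(event):
    """Return the list of rule names a single process-creation event triggers."""
    cmd = event["CommandLine"]
    hits = []
    if SHADOW_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    m = SERVICE_RE.search(cmd)
    if m:
        svc = (m.group(1) or m.group(2)).lower()
        # Stopping an unrelated service (e.g. the print spooler) is routine
        # admin work; only backup- and VSS-related services are escalated.
        if any(k in svc for k in BACKUP_KEYWORDS):
            hits.append("backup_service_stop")
    m = RCLONE_RE.search(cmd)
    if m:
        hits.append("rclone_upload_to:" + m.group(1).lower())
    return hits


def scan(events):
    """Flatten findings across a batch of events as (rule, user, command)."""
    return [(rule, e["User"], e["CommandLine"]) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for rule, user, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {cmd}")
```

Correlating the findings by user and a short time window is what turns these into a high-confidence alert: one stopped service is noise, but shadow-copy deletion plus several backup-service stops from the same account within minutes, followed by an rclone transfer to a remote that has never been seen before, is the sequence the article describes. Note that the remote name in the rclone rule is whatever the operator configured, so it is reported for context rather than matched against a fixed list.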

Like most ransomware groups today, Conti maintains a data leak website where it posts information about new victims. The group has been annoyed that its recent ransom negotiations with victims were leaking to journalists. Such negotiations are usually conducted through a victim-specific ‘payment site’ set up by the attackers and linked from the ransom note left on the victim’s systems. Once a ransom note is uploaded to a service like VirusTotal, malware researchers can find the payment site and quietly observe the communications between the victim and the group.

In a recent blog post, the group threatened to publish the data of victims still in negotiation if chats were leaked during the negotiations. This came after the group recently broke into the Japanese electronics maker JVCKenwood. “For example, yesterday we discovered that a conversation with JVC Kenwood, which we attacked a week ago, had been reported by journalists. Despite the reports, the negotiations were proceeding normally. However, since the negotiations were disclosed while they were in progress, we decided to end them and make the data public. JVC Kenwood has already been notified. In addition, we recently found screenshots of our negotiation conversations floating around on social media,” the group said.

The criminal group also warned that, even if a victim’s stolen files had been deleted after the ransom was paid, the data stolen from other victims would be published as a form of collective punishment if the contents of negotiations were leaked.


How to mitigate Conti attacks

The joint FBI and CISA recommendations include:
▲Use multi-factor authentication for accounts
▲Implement network segmentation and traffic filtering
▲Scan for software vulnerabilities and keep software up to date
▲Remove unnecessary applications and enforce execution restrictions and controls
▲Restrict access to resources over the network, including remote access such as RDP

The advisory also includes a link to a list of Conti indicators of compromise (IOCs), and the techniques and procedures used by the Conti attack group are described in terms of the MITRE ATT&CK framework.


Source: ITWorld Korea by www.itworld.co.kr.
