Conti ransomware was busy in 2020. In May 2021, the FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks as well as the Irish health service. Unfortunately, an increase in Conti ransomware attacks was also observed here in Taiwan. Fortunately, we were able to acquire samples of Conti ransomware and perform analyses.
Conti ransomware was first observed in December 2019 and has primarily targeted corporate networks since, including:
Financial Institutions
Education
Private Organizations
Government Agencies
Healthcare
Small-Sized Enterprises
Medium-Sized Enterprises
However, perhaps Conti’s most interesting aspect is its similar code snippets, Trickbot distribution, and overlapping infrastructure with Ryuk ransomware, which has led some analysts to regard Conti as the successor to Ryuk. Indeed, the number of similarities, combined with the decline in Ryuk activity as Conti activity rises, has some analysts speculating that Ryuk and Conti share members of the same development/distribution team.
Last year, during a post-breach Incident Response (DFIR) investigation, CyCraft observed and analyzed the effects of a Conti ransomware attack.
CyCraft Research utilized both manual and automatic tools, as well as open-source tools, to perform semi-autonomous analyses of the encountered Conti Ransomware and its obfuscation techniques.
While our MDR systems automatically collect behavioral telemetry, manual reverse engineering is sometimes necessary to complement or verify what was monitored. To speed up manual reverse engineering, we implemented several semi-automatic mechanisms.
In our report, we go through each of the more intriguing obfuscation techniques we observed in more granular detail, including:
Instrumentation
API Unhooking
Junk Code Inserted
API Resolving By Name Hash
Strings Obfuscation
One of the trends we have seen with Conti ransomware attacks is the use of double extortion. The threat actor behind this Conti-focused attack not only used encryption for extortion but also threatened to release the victims’ data via a data leak site as part of their extortion strategy — most likely to coerce the victims into paying the ransom faster.
Conti ransomware also provides its operators with a backdoor utility for manual operation. This is a key feature of Conti and often indicates a highly sophisticated, targeted operation: one that not only closely resembles an APT attack but also suggests the attackers performed detailed reconnaissance before launching the attack.
Manual operation allows the attackers to configure the ransomware for the situation at hand and launch it at the moment when the largest number of endpoints can be compromised.
In this incident, basic information about the malware we observed in the wild is listed below.
filename: wwarc64.dll
md5: eb3fbab995fe3d4c57d4859f1268876c
sha1: 68fe03eb79f5813dccb006699dd1f468b32a4d9e
sha256: 5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6
filetype: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
pdb_path: A:\source\conti_v3\x64\Release\cryptor_dll.pdb
.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp,
.arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad,
.dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv,
.dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco,
.ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4,
.fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw,
.jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav,
.mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4,
.nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm,
.pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb,
.sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps,
.trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld,
.xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut,
.maw, .mdn, .mdt
Files with the following extensions will use different encryption algorithms.
.vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol,
.bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso
If the path contains any of the following strings (case-insensitive match), the file is skipped.
tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information,
Boot, Windows, Trend Micro
Files with the following extensions or names are also skipped.
.exe, .dll, .lnk, .sys, .msi, readme.txt, CONTI_LOG.txt
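The extension and path rules above can be turned into a triage helper for scoping an incident: given a list of paths from a file-system inventory, it predicts which files this sample would skip, which fall in the report's database list, and which fall in the list that uses a different encryption algorithm. The following is an added example written for this page, not CyCraft's tooling and not code from the sample; the sample paths are constructed, and the category names ("database", "vm-image", and so on) are labels chosen here, since the report does not say how the first extension list is treated beyond listing it.

```python
"""Triage helper (added example, not from the report): classify file paths by the
Conti sample's path-substring, extension and file-name rules as printed above."""
from collections import Counter
from pathlib import PureWindowsPath

# Path substrings that cause a file to be skipped; the report says the match is
# case-insensitive, so the "$Recycle.Bin" / "$RECYCLE.BIN" pair collapses to one entry.
SKIP_PATH_SUBSTRINGS = ["tmp", "winnt", "temp", "thumb", "$recycle.bin",
                        "system volume information", "boot", "windows", "trend micro"]
# Extensions and exact file names that are skipped.
SKIP_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
SKIP_FILENAMES = {"readme.txt", "conti_log.txt"}

# First extension list in the report (database-type files). Copied as printed.
DB_EXTENSIONS = set("""
.4dd .4dl .accdb .accdc .accde .accdr .accdt .accft .adb .ade .adf .adp
.arc .ora .alf .ask .btr .bdf .cat .cdb .ckp .cma .cpd .dacpac .dad
.dadiagrams .daschema .db .db-shm .db-wal .db3 .dbc .dbf .dbs .dbt .dbv
.dbx .dcb .dct .dcx .ddl .dlis .dp1 .dqy .dsk .dsn .dtsx .dxl .eco
.ecx .edb .epim .exb .fcd .fdb .fic .fmp .fmp12 .fmpsl .fol .fp3 .fp4
.fp5 .fp7 .fpt .frm .gdb .grdb .gwi .hdb .his .ib .idb .ihx .itdb .itw
.jet .jtx .kdb .kexi .kexic .kexis .lgc .lwx .maf .maq .mar .mas .mav
.mdb .mdf .mpd .mrg .mud .mwb .myd .ndf .nnt .nrmlib .ns2 .ns3 .ns4
.nsf .nv .nv2 .nwdb .nyf .odb .oqy .orx .owc .p96 .p97 .pan .pdb .pdm
.pnz .qry .qvd .rbf .rctd .rod .rodx .rpd .rsd .sas7bdat .sbf .scx .sdb
.sdc .sdf .sis .spq .sql .sqlite .sqlite3 .sqlitedb .te .temx .tmd .tps
.trc .trm .udb .udl .usr .v12 .vis .vpd .vvv .wdb .wmdb .wrk .xdb .xld
.xmlff .abcddb .abs .abx .accdw .adn .db2 .fm5 .hjt .icg .icr .lut
.maw .mdn .mdt
""".split())

# Second list: virtual-machine / disk-image files that the report says use a
# different encryption algorithm.
VM_EXTENSIONS = set(""".vdi .vhd .vmdk .pvm .vmem .vmsn .vmsd .nvram .vmx .raw
.qcow2 .subvol .bin .vsv .avhd .vmrs .vhdx .avdx .vmcx .iso""".split())


def classify(path: str) -> str:
    """Return the category the rules assign to one Windows path.

    Order matters: the path-substring check applies before any extension logic,
    so "C:\\Windows\\...\\x.mdf" is skipped even though .mdf is a database extension.
    """
    lowered = path.lower()
    if any(sub in lowered for sub in SKIP_PATH_SUBSTRINGS):
        return "skipped:path"
    p = PureWindowsPath(path)
    name, ext = p.name.lower(), p.suffix.lower()
    if name in SKIP_FILENAMES or ext in SKIP_EXTENSIONS:
        return "skipped:name"
    if ext in VM_EXTENSIONS:
        return "vm-image"        # report: different encryption algorithm
    if ext in DB_EXTENSIONS:
        return "database"        # report's first extension list
    return "default"


def summarize(paths) -> dict:
    """Count categories over an inventory of paths (e.g. from a file-system listing)."""
    return dict(Counter(classify(p) for p in paths))


# Constructed sample inventory for demonstration (not from the incident).
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\bob\Desktop\report.docx",
    r"D:\VMs\web01.vmdk",
    r"D:\data\customers.mdf",
    r"D:\data\app.db-shm",
    r"D:\data\CONTI_LOG.txt",
    r"E:\backup\tool.exe",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):14} {p}")
    print(summarize(SAMPLE_PATHS))
```

Because the path check is a plain substring match, a directory such as `D:\bootstrap\` or a file named `stmp.xlsx` is skipped too; when scoping which files an infected host could have lost, that over-matching is part of what you are modelling, not a bug to correct.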
Shadowcopy Deletion. The Conti ransomware we observed had an extremely busy and loud methodology for stopping services and inhibiting recovery on the local system. While many ransomware families will simply delete the Windows Volume Shadow Copies using vssadmin, the Conti we observed used vssadmin in unique ways to ensure their deletion, as shown below.
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
This newer version of Conti also used WMIC to enumerate and delete shadow copies.
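The command lines above are a good fit for a process-creation detection, because resizing shadow storage to a small maximum forces Windows to discard older shadow copies, so the resize-then-unbounded pair is as much an inhibit-recovery signal as the explicit delete. The following detection logic is an added example for this page, not CyCraft's MDR rules; the sample events are constructed, and the WMIC pattern is an assumption about its command form, since the report states WMIC was used but does not print the command.

```python
"""Process-creation detection (added example, not from the report) for the
shadow-copy tampering commands this Conti sample ran."""
import re

# Rule patterns. The two vssadmin forms come from the report's command lines;
# the WMIC form is an assumed shape, not quoted from the report.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",                       # assumed command form
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# Constructed sample events in a simple "timestamp|host|image|cmdline" format.
SAMPLE_EVENTS = """\
2021-05-02T03:11:07Z|FS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /all /quiet
2021-05-02T03:11:08Z|FS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2021-05-02T03:11:09Z|FS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2021-05-02T03:11:10Z|FS01|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2021-05-02T03:12:00Z|WS07|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2021-05-02T03:12:30Z|WS07|C:\\Program Files\\Backup\\backup.exe|backup.exe --full
"""


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(log_text: str) -> list:
    """Return one hit per (event, matching rule). Benign 'vssadmin list' is not a hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name in match_rules(ev["cmdline"]):
            hits.append({**ev, "rule": name})
    return hits


def flag_hosts(hits: list) -> dict:
    """Severity per host: 'high' when a host shows both the explicit delete and
    the storage resize (the combination described in the report), else 'medium'."""
    rules_by_host = {}
    for h in hits:
        rules_by_host.setdefault(h["host"], set()).add(h["rule"])
    combo = {"vssadmin_delete_shadows", "vssadmin_resize_shadowstorage"}
    return {host: ("high" if combo <= rules else "medium")
            for host, rules in rules_by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h["ts"], h["host"], h["rule"], "::", h["cmdline"])
    print(flag_hosts(found))
```

In practice the host-level severity would also weight the burst: four shadow-copy commands within a few seconds on a file server, as in the constructed sample, should page someone even when an administrator could plausibly have run any one of them.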
Writer: CyCraft
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.