Conti Ransomware in Taiwan

Conti ransomware was busy in 2020. In May 2021, the FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks as well as the Irish health service. Unfortunately, an increase in Conti ransomware attacks was also observed here in Taiwan. Fortunately, we were able to acquire samples of Conti ransomware and perform analyses.


Conti Ransomware Background

Conti Ransomware was first observed in December 2019 and has been primarily targeting corporate networks since.

Conti is reported to have targeted the following industries:
  • Financial Institutions
  • Education
  • Private Organizations
  • Government Agencies
  • Healthcare
  • Small-Sized Enterprises
  • Medium-Sized Enterprises

Some of the more interesting aspects of Conti ransomware include:
  • Its numerous features and functions not typically seen in other ransomware families
  • Its ability to scan and encrypt files on remote systems, not just on the infected host
  • Running 32 encryption threads simultaneously to encrypt files quickly
  • Its ability to stop over 140 Windows processes, including processes related to SQL databases, so that their files can be encrypted
  • Its ability to abuse the Windows Restart Manager to cleanly close applications, ensuring that files targeted for encryption are not locked by those applications
  • Using up to 277 distinct decoding routines to de-obfuscate its strings, and encrypting each file with a unique symmetric AES-256 key that is then itself encrypted with a bundled RSA-4096 public key

However, perhaps Conti's most interesting aspect is its overlap with Ryuk ransomware: shared code snippets, distribution via TrickBot, and overlapping infrastructure, which has some analysts regarding Conti as the successor to Ryuk. Indeed, the number of similarities, combined with the decline in Ryuk activity as Conti activity increases, has some analysts speculating that Ryuk and Conti share members of the same development and distribution team.

Conti Ransomware in Taiwan

Last year, during a post-breach Incident Response (DFIR) investigation, CyCraft observed and analyzed the effects of a Conti ransomware attack.

CyCraft Research utilized both manual and automatic tools, as well as open-source tools, to perform semi-autonomous analyses of the encountered Conti Ransomware and its obfuscation techniques.

While our MDR systems automatically collect behavioral telemetry, manual reverse engineering is sometimes necessary to complement or verify what was monitored. To speed up that manual work, we implemented several semi-automated mechanisms.

In our report, we go through each of the more intriguing obfuscation techniques we observed in more granular detail, including:

  • Instrumentation
  • API Unhooking
  • Junk Code Insertion
  • API Resolving By Name Hash
  • String Obfuscation
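As an added illustration of the name-hash technique in the list above (this is not CyCraft's tooling, and not Conti's actual hash routine, which this page does not reproduce), the script below shows how an analyst resolves hash-based API references: compute the hash of every export name the sample could be looking up, then match the constants pulled out of the binary against that table. The ROR13 additive hash and the short export list are assumptions made for the illustration; in practice you substitute the hash routine recovered from the sample's disassembly and the real export tables of the DLLs it loads.

```python
from __future__ import annotations

# Assumed for illustration: a ROR13 additive hash, a common choice in
# position-independent loaders. The sample's real routine has to be
# recovered from its disassembly and substituted here.
def name_hash(name: str) -> int:
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h

# Constructed export list standing in for the DLLs' real export tables.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "VirtualProtect", "CreateThread",
                     "LoadLibraryA", "GetProcAddress"],
    "advapi32.dll": ["CryptAcquireContextA", "CryptImportKey"],
    "rstrtmgr.dll": ["RmStartSession", "RmRegisterResources", "RmShutdown"],
}

def build_table(exports: dict[str, list[str]]) -> dict[int, list[str]]:
    """Map hash -> ['dll!name', ...]. A list, because weak hashes collide and the
    analyst should see every candidate rather than a silently chosen one."""
    table: dict[int, list[str]] = {}
    for dll, names in exports.items():
        for n in names:
            table.setdefault(name_hash(n), []).append(f"{dll}!{n}")
    return table

def resolve(hashes, table: dict[int, list[str]]) -> dict[int, list[str]]:
    """Return {hash: candidates}; an unresolved constant usually means the export
    list is incomplete or the assumed hash routine is wrong."""
    return {h: table.get(h, ["<unresolved>"]) for h in hashes}

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Hash constants as they would be pulled out of the sample's resolver stubs.
    wanted = [name_hash("VirtualAlloc"), name_hash("RmStartSession"), 0x12345678]
    for h, names in resolve(wanted, table).items():
        print(f"0x{h:08x} -> {', '.join(names)}")
```

The table only has to be built once per set of DLLs; the expensive part of real-world use is collecting complete export lists for the exact Windows build the sample targeted, since a name missing from the list shows up as an unresolved hash rather than a wrong one.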

Conti first created a MainThread in DllMain.



Other Observed Tactics & Techniques

One of the trends we have seen with Conti ransomware attacks is the use of double extortion. The threat actor behind this Conti-focused attack not only used encryption for extortion but also threatened to release the victims’ data via a data leak site as part of their extortion strategy — most likely to coerce the victims into paying the ransom faster.

The Conti operators also used a backdoor utility for manual, hands-on-keyboard operation. This is a key feature of Conti and often indicates a highly sophisticated, targeted operation: one that not only closely resembles an APT attack but also suggests the attackers did their due diligence, performing detailed reconnaissance before launching the attack.

Manual operation lets the attackers configure the ransomware for the situation at hand and launch it when the largest number of endpoints can be hit at once.

Basic File Information

In this incident, basic information about the malware we observed in the wild is listed below.

filename: wwarc64.dll
md5: eb3fbab995fe3d4c57d4859f1268876c
sha1: 68fe03eb79f5813dccb006699dd1f468b32a4d9e
sha256: 5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6
filetype: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
pdb_path: A:\source\conti_v3\x64\Release\cryptor_dll.pdb

Extension List 1 (database)
.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp,
.arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad,
.dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv,
.dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, 
.ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, 
.fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib, .idb, .ihx, .itdb, .itw,
.jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, 
.mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, 
.nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, 
.pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb,
.sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps,
.trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld,
.xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut,
.maw, .mdn, .mdt

Extension List 2 (VM / disk image)

Files with the following extensions are handled by a different encryption routine than the rest.

.vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvol,
.bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso

Skip Path List

If a path contains any of the following strings (case-insensitive), it is skipped.

tmp, winnt, temp, thumb, $Recycle.Bin, $RECYCLE.BIN, System Volume Information, 
Boot, Windows, Trend Micro

Skip Name List

Files whose name ends with one of the following extensions, or matches one of the following names, are skipped.

.exe, .dll, .lnk, .sys, .msi, readme.txt, CONTI_LOG.txt
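To make the targeting rules above concrete, here is an added model of them in Python (our illustration, not CyCraft's tooling and not Conti's code). It applies the skip-path substring test, the skip-name test and the two extension lists in the order listed, using abridged versions of the extension lists; the category labels and the sample file inventory are our own. The point worth noting for a DFIR scoping exercise is that the skip-path test is a case-insensitive substring match against the whole path, so it spares more than the list suggests: any path containing "temp" or "Boot" inside a longer word is left alone.

```python
from __future__ import annotations
import ntpath
from collections import defaultdict

# Skip-path strings from the page, lower-cased once; $Recycle.Bin appears once
# because the match is case-insensitive anyway.
SKIP_PATH_SUBSTRINGS = ("tmp", "winnt", "temp", "thumb", "$recycle.bin",
                        "system volume information", "boot", "windows", "trend micro")
SKIP_NAME_SUFFIXES = (".exe", ".dll", ".lnk", ".sys", ".msi")
SKIP_NAMES = ("readme.txt", "conti_log.txt")
# Abridged from Extension List 1 (database files) and Extension List 2 (VM / disk images).
LIST1_DB = {".accdb", ".db", ".db-shm", ".db-wal", ".dbf", ".edb", ".mdb", ".mdf",
            ".ndf", ".nsf", ".sql", ".sqlite", ".sqlite3", ".sas7bdat"}
LIST2_VM = {".vdi", ".vhd", ".vhdx", ".avhd", ".vmdk", ".vmem", ".vmsn", ".vmx",
            ".qcow2", ".raw", ".bin", ".iso"}

def classify(path: str) -> str:
    """Return SKIP, LIST1_DB, LIST2_VM or DEFAULT (our labels) for one Windows path."""
    lowered = path.lower()
    # Substring test on the entire path: "D:\Bootstrap\x.xlsx" and
    # "D:\attempts\x.txt" are both skipped ("boot", "temp").
    if any(s in lowered for s in SKIP_PATH_SUBSTRINGS):
        return "SKIP"
    name = ntpath.basename(lowered)
    if name in SKIP_NAMES or name.endswith(SKIP_NAME_SUFFIXES):
        return "SKIP"
    ext = ntpath.splitext(name)[1]   # ".db-wal" keeps everything after the last dot
    if ext in LIST1_DB:
        return "LIST1_DB"
    if ext in LIST2_VM:
        return "LIST2_VM"
    return "DEFAULT"

def triage(paths) -> dict[str, list[str]]:
    """Group a file inventory (e.g. a DFIR file listing) by category, so the data
    that would have been encrypted, and by which routine, can be estimated."""
    groups: dict[str, list[str]] = defaultdict(list)
    for p in paths:
        groups[classify(p)].append(p)
    return dict(groups)

# Constructed sample inventory.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\Bootstrap\data\q1.xlsx",
    r"D:\attempts\notes.txt",
    r"E:\backups\finance.mdf",
    r"E:\backups\app.db-wal",
    r"E:\vms\dc01.vmdk",
    r"E:\share\readme.txt",
    r"E:\share\installer.msi",
]

if __name__ == "__main__":
    for category, files in triage(SAMPLE_PATHS).items():
        print(category, len(files), files)
```

Run against a full file listing from an affected volume, the DEFAULT and two LIST buckets approximate what the sample would have touched, while SKIP shows data that survived for reasons of path rather than intent, which is useful both for recovery planning and for explaining to stakeholders why some directories were untouched.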

Differences With Carbon Black Case

Shadow copy deletion. In the Carbon Black case, Conti had an extremely busy and loud methodology for stopping services and inhibiting recovery on the local system. While many ransomware families simply delete the Windows Volume Shadow Copies with vssadmin, that Conti build used vssadmin in an unusual way to make sure they were gone: after deleting the shadows it shrank each volume's shadow storage limit to 401MB, which forces Windows to purge any snapshots that no longer fit, and then restored the limit to unbounded, as shown below.

vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

The newer version of Conti we observed in this incident instead used WMIC to enumerate and delete the shadow copies.
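Both variants leave the same kind of trace: a process-creation event for vssadmin or WMIC with a distinctive command line. The script below is an added detection example (our illustration, not CyCraft's code or detection rules) that runs over constructed process-creation records in a simplified ts|host|parent|cmdline format. It flags vssadmin delete shadows, vssadmin resize shadowstorage and wmic shadowcopy delete, and treats a single resize (which an administrator may legitimately run) as medium severity, escalating only when the shrink-then-grow pair is seen on one host. The log format, host names and severity scheme are assumptions made for the illustration.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    evidence: str

# (rule name, command-line pattern, base severity)
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "high"),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I), "medium"),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "high"),
]
SEVERITY_RANK = {"medium": 1, "high": 2}

def parse_events(log_text: str):
    """Yield (ts, host, parent, cmdline) from the constructed 'ts|host|parent|cmdline' records."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, parent, cmdline = line.split("|", 3)
            yield ts, host, parent, cmdline

def detect_shadow_tampering(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    resizes: dict[str, int] = defaultdict(int)
    for ts, host, parent, cmdline in parse_events(log_text):
        for rule, pattern, severity in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, rule, severity, f"{ts} {parent} -> {cmdline}"))
                if rule == "vssadmin_resize_shadowstorage":
                    resizes[host] += 1
    # Shrinking the shadow storage limit and then restoring it is the purge trick
    # shown above; two resize commands on one host are treated as that pattern.
    for host, n in resizes.items():
        if n >= 2:
            findings.append(Finding(host, "shadowstorage_shrink_grow", "high",
                                    f"{n} shadowstorage resize commands on {host}"))
    return findings

def summarize(findings: list[Finding]) -> dict[str, str]:
    """Highest severity per host, for triage ordering."""
    worst: dict[str, str] = {}
    for f in findings:
        current = worst.get(f.host)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current]:
            worst[f.host] = f.severity
    return worst

# Constructed process-creation records: FS01 shows the vssadmin purge sequence,
# FS02 the WMIC variant, WS17 an administrator's ordinary shadow storage resize.
SAMPLE_LOG = r"""
2021-03-02T10:14:05Z|FS01|cmd.exe|vssadmin Delete Shadows /all /quiet
2021-03-02T10:14:06Z|FS01|cmd.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2021-03-02T10:14:06Z|FS01|cmd.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2021-03-02T10:20:11Z|FS02|cmd.exe|C:\Windows\System32\wbem\WMIC.exe shadowcopy delete
2021-03-02T10:21:00Z|WS17|explorer.exe|vssadmin list shadows
2021-03-02T10:22:00Z|WS17|mmc.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=10%
"""

if __name__ == "__main__":
    results = detect_shadow_tampering(SAMPLE_LOG)
    for f in results:
        print(f"{f.host:5} {f.severity:6} {f.rule:32} {f.evidence}")
    print(summarize(results))
```

In a real deployment the same patterns go against Sysmon Event ID 1 or Security 4688 command lines; the parent process is kept in the evidence string because a vssadmin or WMIC launched from cmd.exe under a service account, rather than from an administrator's console, is the detail that usually separates the attack from maintenance.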

Recommended Mitigations
  • Increase and maintain your threat hunting and threat intelligence capability. Compromised endpoints cannot be avoided entirely, but threat hunting with up-to-date intelligence can expose attackers lurking in your environment before they launch the ransomware. Targeted ransomware attacks typically spend more time on reconnaissance, penetration, and persistence, so regular threat hunting increases your chances of disrupting the attack before the attackers act on their final objectives.
  • Define and rehearse your strategy and playbook against ransomware. There is a strong likelihood that ransomware will eventually land on some of your endpoints. Defenders have many response options: routine backups, shutting down devices, hibernation, network isolation. Each has benefits, and no single one is enough on its own. Estimate the business impact together with leadership, ensure consistent messaging across all departments, and perform red, blue, and purple team exercises as needed.
  • Establish and maintain routine AD security. In our observations, ransomware operators typically do not launch the ransomware in the early stages of the attack. They lurk and hunt in your environment, and once they harvest AD admin credentials they immediately spread the ransomware to every device in the domain at once. Effective AD security is complicated and hard to manage; the earlier defenders establish playbooks, the earlier they can identify risks and holes in their defenses, both technological and operational.

Generated Key Encryption

Writer: CyCraft

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
