Carrying on from our recent work on Prometheus Ransomware, we have new thoughts and intelligence to share on Conti Ransomware. However, considering the current climate and chatter across the global cyber landscape, we thought it best to also discuss how enterprises today should approach best practices regarding protection against ransomware.
Part I — Conti Ransomware Case Study
Part II — Brief Analysis of Conti Ransomware
Part III — Best Practices for Enterprises Today
When our post-breach Digital Forensic Incident Response (DFIR) investigation began, several domain controllers (DC) had already been compromised; a large amount of data had also been encrypted and exfiltrated as well.
Our investigation was further complicated due to an affected DC being reinstalled unexpectedly as well as the active directory (AD) not being directly managed by the customer but through a 3rd party IT service provider.
This campaign consisted of two main waves of attacks.
As soon as we began our investigation, we immediately detected an oci.dll backdoor on an endpoint. It was still active.
The oci.dll functioned as a CobaltStrike Beacon. It’s very common for threat actors to leverage msdtc.exe to side-load a malign dll (such as oce.dll) in order to evade detection and maintain persistence.
On the above dates in October, the attackers attempted to execute PSEXEC to conduct lateral movement and RAR for data compression.
The attackers executed PROCDUMP to dump the memory of lsass.exe, which contained Windows authentication information. Via offline brute-force, the attackers could have harvested credentials of high-privileged accounts.
On endpoint EP-5, the attackers used lpg.dll as the main backdoor. Later, the WMI and SCHTASKS were utilized for initiating a series of attacks and then laterally moving to other endpoints.
On the customer-controlled AD server, DC-1, several artifacts regarding lateral movement were found between the dates of 11/20 and 11/21. Malware was implanted to other 4 endpoints: EP-5, EP-4, EP-3, and EP-6.
Several files were remotely copied to endpoint EP-5 along with several logon activities from the compromised DC server.
Afterward, the malware connected back to C2, 173[.]234.155.85 (arcnew[.]com).
BeaconType — HTTPS
Port — 443
SleepTime — 5000
MaxGetSize — 1401323
Jitter — 10
MaxDNS — 235
PublicKey — b’0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x8b6g;+\r(\xe3\xbb\xfa\xab&\xab\xf5/\xa0\x83dw\xaf\x81xd4cX\x8b\xcev&<”\x93}\xdet\n\xb0\x10\xdc\x03\xc8\xc0\xe52P\x80\x02\xd1\xc0M-\xe9C\xb6\xa7\x01\x943b\xe4Nj~\xd3)O\x02\xff\xc7\xe0\xa1\xa0\x92=\xb2@ \xf7\x8c\x98\xe3%\x07\x8c\\\xed\xe7/\xbdRO\x90\x1d\xb5R\x7f\x15\x84\xbe\x872\xdf\xd8\x17]”\x1d\xc7r\xdd4\x12Y\xa0r\x15\x8c\x1e\x9e[\x96\xd5\xbfs \xf0}\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
C2Server — arcnew.com,/us/ky/louisville/312-s-fourth-st.html
UserAgent — Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri — /OrderEntryService.asmx/AddOrderLine
HttpGet_Metadata —
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: https://locations.smashburger.com/us/ky/louisville.html
Connection: close
Cookie
HttpPost_Metadata —
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Cookie
SpawnTo — b’\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PipeName -
DNS_Idle — 8.8.8.8
DNS_Sleep — 0
SSH_Host — None
SSH_Port — None
SSH_Username — None
SSH_Password_Plaintext — None
SSH_Password_Pubkey — None
HttpGet_Verb — GET
HttpPost_Verb — POST
HttpPostChunk — 0
Spawnto_x86 — %windir%\syswow64\mstsc.exe
Spawnto_x64 — %windir%\sysnative\mstsc.exe
CryptoScheme — 0
Proxy_Config — None
Proxy_User — None
Proxy_Password — None
Proxy_Behavior — Use IE settings
Watermark — 0
bStageCleanup — True
bCFGCaution — True
KillDate — 0
bProcInject_StartRWX — True
bProcInject_UseRWX — False
bProcInject_MinAllocSize — 16700
ProcInject_PrependAppend_x86 — b’\x90\x90\x90'
Empty
ProcInject_PrependAppend_x64 — b’\x90\x90\x90'
Empty
ProcInject_Execute —
ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod — NtMapViewOfSection
bUsesCookies — True
HostHeader -
The second wave of attacks was launched in December, demonstrating the attackers’ persistence and sophistication.
C2 173.34.155[.]85 had been used in the first wave of attacks, connecting to endpoint EP-5; this C2 would be used again in the second wave of attacks. The second wave would be launched from one malicious file (rez64.dll) on DC-2.
The attack compromised AP-1 and utilized both WMIC and SCHTASKS to dump lsass processes on remote host EP-8. The corresponding process dump activities seen on EP-8 are listed below.
The attackers scheduled the ransomware to launch at midnight on 1 January 2021. In order to fully prevent this attack, we reversed the Conti ransomware variant and developed a digital vaccine against Conti, increasing the victim’s resilience and preventing any further attacks of a similar nature on their system.
In addition, we observed that in the second wave of attacks in December, the attackers also exploited FortiGate VPNs. Cybersecurity researcher and active Windows screenshot enthusiast, PeterM, tweeted in January of the same discovery, suggesting that the threat actor behind these attacks had been abusing this technique across the globe. In August 2021, The Record reported leaked material regarding affiliate partners of Conti. After reviewing these documents, we found many similar or identical activities in our case.
While still relatively young in the ransomware game, Conti ransomware has proven to be quite advanced compared to other active ransomware today. We will now take a closer look into three aspects of Conti ransomware that highlight the severity of this threat: sped-up encryption, an increased number of encrypted files, and detection evasion techniques.
Increased strength of the encryption key
Prioritizes speed; leverages encryption algorithm ChaCha
Chooses different encryption methods according to the size of the targeted file
Multi-threaded encryption
Conti ransomware leverages ChaCha encryption, which is able to encrypt faster than other algorithms, such as AES. Before encrypting the targeted files, Conti ransomware will generate an independent encryption key for each file and use RSA to not only encrypt the key but also write it at the end of the file together with the targeted file’s original file size.
Encrypting larger files typically takes more time. Conti Ransomware’s solution to this is to adopt different encryption methods for files of different sizes and extensions. High-value targets will need to be completely encrypted; high-value targets could include database files, HR endpoints, Enterprise Resource Planning (ERP), or Manufacturing Execution Systems (MES). Files that are too large (such as disk images or files larger than 5MB) will only be partially encrypted.
Modern CPUs typically have multiple cores. In order to use computing resources more efficiently, Conti ransomware will typically use independent threads while searching for encryption targets and create the same number of threads as the number of CPU cores, thus allowing for the ransomware to use multiple cores to encrypt files simultaneously. This increased speed of encryption leads directly to the next problem.
Special unlock system to lock files
Find network drives
PortScan
Conti ransomware avoids noisy scans of a target environment by port scanning for previously (more commonly used) connected network segments from the ARP cache, locating more connected network drives for encryption, and ultimately encrypting more files. For Files exclusively owned by other applications, Conti ransomware will use Restart Manager to close running programs, allowing for even more files to become encrypted.
Turns off restore and antivirus programs
Program packing, coding
In order to reduce the probability of data being restored, Conti ransomware will use WMIC to delete shadow copies. The ransomware also utilizes a unique program obfuscation strategy. Each string in the program will be decrypted using a unique algorithm, and none of the import table contents will be hidden. While dynamically referencing an API, a variant of MurmurHash will be used to locate the API, making static features challenging to observe.
eb3fbab995fe3d4c57d4859f1268876c
68fe03eb79f5813dccb006699dd1f468b32a4d9e
5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6
0a31b41b97eec43f1fa2f477dc881b35
67310359595875992eec3f7cde96fd126e5a0f56
ab46cd9c8281c665c2400a14ead3a49eb3068b4871ef4b86513a009b20c28e0d
2588c7551246da0049be325015480ee5
10fd36feae808a3a8c7375611c0099a9a75044ab
7c8868721c86228a3567ebe77460445e1a812270180bcf5a5020a86afa0ff708
2a084ac8d6f8ce3c0f088e594dd9344a
b4ca2e13aace6b79b91aa92f2ce6630418a9e598
0a65dcccffb00c2874041401c137d13624ad470fc3980dfba16c282155adf40d
f971660ac1331a37cbbfa68ab3aedb76
36537644eca6bb6ab9e83a5fd5b68ae7
76B6C7BFA9CDF229E858FBBB2306ADB5
0A31B41B97EEC43F1FA2F477DC881B35
6E0AF9590C71328A7197377EA5CCB23B
4385E56300890FFDE03A8F553A6B07C1
IoC | Type
173[.]234.155.85 | C2 IP
arcnew[.]com | C2 Domain
74[.]118.138.144 | C2 IP
For a further granular forensic breakdown of Conti ransomware, its obfuscation techniques, execution flow, encryption scheme, as well as the observed attacks, read our report on Conti Ransomware in Taiwan.
Security is no longer the sole responsibility of one department or one person; it requires effort and diligence from everyone. Even opening one malicious file/link from one email could give multiple attackers and threat groups access to your system.
Organizations no longer face lone hackers — or even hacker groups — but face the collaborative efforts of a thriving underground economy of script kiddies, ransomware gangs, nation-states, access brokers, cryptocurrency launderers, zero-day brokers, and more.
Here is a quick, actionable list of best practices to aid you in increasing your cyber resilience against ransomware attacks.
Don’t do it. Paying the ransom does not guarantee access to a working decryption key, nor does it guarantee the attackers won’t just launch yet another ransomware attack on you or releasing your exfiltrated data out into the open.
Although the cybersecurity community strongly disapproves of ransom payment, some leadership do choose to go this route. Targeted ransomware attacks typically do a lot of reconnaissance prior to launching their attack and could ask anywhere from 5 to 15 percent of your annual income. Often, the support team (collections team) for the attackers will recommend the services of a negotiator that they’ve worked with in the past to help represent you.
While some cyber insurance policies cover ransomware payments, this can easily backfire for organizations as it can encourage targeted ransomware attacks as the attackers know their target will pay the ransom.
One of the founding members of REvil, known as Unknown, was asked in a recent interview if REvil targets organizations that have cyber insurance.
“Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
However, the tide is changing. AXA, a French insurance company, stated they would no longer cover ransomware payments. In addition, now, in the aftermath of the SolarWinds incident, the U.S. has begun heavily investing in cybersecurity and ransomware prevention with stricter laws requiring companies hit with ransomware to report to the government immediately.
While a zero-trust environment with limited and restricted user access helps prevent many attacks, preventive solutions (such as NGAV, firewalls, of threat intelligence gateways) do inevitably fail.
Some cybersecurity vendors use a metric known as “breakout time” (or however they wish to name it) which measures the time from the first initial access to the first lateral movement. The average breakout time for an attack is approximately 2 hours.
Only a mature endpoint detection and response system is capable of consistently preventing intrusions from escalating into business-altering incidents.
For more information regarding MDR and how to evaluate and choose an MDR provider, please refer to our CyCraft Classroom article: What is MDR?
Endpoint security solutions not only reduce MTTD (mean-time-to-detect) and MTTR (mean-time-to-respond) but also generate large amounts of telemetry data. APT-level attacks (which now include ransomware and supply chain attack campaigns) can go months without detection. Without telemetry generating security tools coupled with long-term data retention, researchers and responders (DFIR services) won’t have much to work with in a post-breach investigation.
Is your team experienced in fully restoring your entire environment from backups? If not, we strongly recommend routinely executing your data recovery plan.
Having backups has been standard operating procedure for decades; however, many organizations do not have rehearsed remediation protocols in place nor have real estimates (and not just wild speculations) on how long it would take to rebuild their networks from backups. Lacking a proper backup protocol defeats the purpose of having backups.
Blue Team drills should be a part of every SOC, and these drills should include full restoration of an environment from backups. Drills help locate procedural holes in your defense.
Ransomware typically searches for and encrypts files in network drives. In a few cases we’ve observed, the victim had non-isolated backups, which unfortunately allowed the attackers to encrypt the backups. In some cases, the backups were isolated/air-gapped; however, the digital key to decrypt the backups was located in the local file-sharing network that got encrypted by the ransomware. In one case, the backups and digital key were successfully air-gapped from the targeted network; however, they were located offsite hundreds of kilometers away, further adding major logistical difficulties for full remediation.
Ransomware attacks (especially the big game hunters) typically lurk in their target’s environment for quite some time prior to the launch of the ransomware attack. In order to maintain their foothold, these attackers tend to mask their entry vector and implant several backdoors.
Incident response investigations are never a one-and-done solution when it comes to ransomware. If your IR investigation fails to locate just one backdoor, your adversaries will only return in a matter of time. Therefore, a continuous IR solution with robust monitoring is needed to rapidly identify the root cause of attacks and root out each stealthy backdoor.
Maintaining a long-term monitoring defense after the initial IR investigation would reveal an adversary’s hidden backdoor before/when the attackers use it, thus revealing their initial access vector to the defenders.
A mature detection and response system is needed to reduce both MTTD (mean-time-to-detection) and MTTR (mean-time-to-respond), ensuring your organization remains resilient and healthy.
Writer: CyCraft
CyCraft(サイクラフト)は、AIによる自動化技術を専門とするサイバーセキュリティ企業。2017年に設立され、台湾に本社、日本とシンガポールに海外拠点を持つ。アジア太平洋地域の政府機関、警察・防衛機関、銀行、ハイテク製造業にサービスを提供している。CyCraft の AI技術 と機械学習技術によるソリューションが評価され、CID グループ とテマセク・ホールディングス旗下のパビリオンキャピタルから強力なサポートを獲得し、また、国際的トップ研究機構である Gartner、 IDC、Frost & Sullivan などから複数の項目において評価を受けている他、国内外の著名な賞をいくつも受賞している。また、国内外を含む複数のセキュリティコミュニティ、カンファレンスに参画し、長年にわたりセキュリティ業界の発展に尽力している。