Conti is an extremely damaging ransomware due to the speed with which encrypts data and spreads to other systems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
How the Conti Ransomware Works
The group is using phishing attacks in order to install the TrickBot and BazarLoader Trojans in order to obtain remote access to the infected machines.
The email used claims to come from a sender the victim trusts and uses a link to point the user to a maliciously loaded document. The document on Google Drive has a malicious payload, and once the document is downloaded a Bazaar backdoor malware connecting the victim’s device to Conti’s command-and-control server will be downloaded as well.
It is interesting to note that Conti utilizes a multithreading method in order to spread fast, making it tough to stop.
Conti ransomware can also spread via Server Message Block (SMB). This is actually how they are able to encrypt data on other machines in a network.
Now that it exists on the compromised machine, Conti encrypts data and then employs a two-step extortion scheme.
Double extortion ransomware, also known as pay-now-or-get-breached refers to a growing ransomware strategy and the way it works is that the attackers initially exfiltrate large quantities of private information, then encrypt the victim’s files. Once the encryption process is complete the attackers will threaten to make the data publicly available unless they get paid.
The scheme starts with a ransom demand in return for the decryption key and follows up with an extortion mechanism.
In this stage, the malicious actor will reveal a small amount of the encrypted data, with the threat of releasing additional material if the ransom is not paid.
To penetrate a victim’s systems Conti ransomware operators will employ a wide variety of tactics.
The hackers will usually begin by trying to persuade an employee to hand out credentials, usually using a social engineering approach.
Sometimes they might also attempt to exploit vulnerable firewalls or attack the internet-facing RDP (Remote Desktop Protocol) servers.
After establishing network access, the attackers will usually try to gain access to a domain admin account.
This will allow them to run the ransomware code. At this moment they will also try to gain access to any privileged accounts that might allow them to steal important information (including backups). They may try to deactivate security management software in some situations so that they may move laterally around the network without being noticed.
To help them organize an attack, Conti ransomware attackers will generally scan your network for servers, endpoints, backups, sensitive data, apps, and protection software. They’ll use popular port scanners like ‘Angry IP Scanner’ or ‘Advanced Port Scanner’ to compile a list of IP addresses. Furthermore, they’ll collect a list of server names to look for hints as to what they’re for. A Domain Controller, for example, is likely to be named DC1.
Getting the Credentials
Popular post-exploitation tools like Mimikatz, which dumps credentials from memory, are frequently used by attackers. They could also try to break things on purpose in order to grab the administrator’s credentials when they login to examine the problem.
Intruders may try to install backdoors, allowing them to take their time and return to the network to install other tools and conduct further espionage. Backdoors will also allow them to transfer data to their Command & Control (C&C) servers and monitor network traffic, allowing them to figure out how the victim is recovering from the attack. They’ll frequently utilize programs like AnyDesk and Cobalt Strike to help them with remote access and control, as well as Tor proxies to hide their contact with the C&C server.
Before running the ransomware code, the attackers will aim to steal as much business-critical data as possible. Data discovery technologies are frequently used by attackers to identify sensitive data. As you may expect, an attacker can exfiltrate data in a variety of methods. They can save the files on their own server, transmit them through email, or upload them to one or more anonymous cloud storage containers.
They will launch the ransomware attack once they have exfiltrated as much data as possible, deleted/encrypted any backups, deactivated the necessary security measures. Throughout most circumstances, they will use some sort of remote code execution to distribute the ransomware software while there are no admins online. Batch scripts will be used to loop over the list of identified IP addresses in order to deploy the code to as many servers and endpoints as possible. In other instances, they infect a logon script in a Group Policy Object (GPO), which runs the code every time the computer starts up and joins the domain.
As we previously explained the attackers will often install backdoors to monitor the way in which the victim reacts to the attack. They may also keep an eye on emails to see how the victim plans to go forward with the rehabilitation process. If the victim tries to recover their files in order to avoid paying the ransom, the attackers may initiate a second attack to demonstrate their visibility and influence over the victim’s network.
Conti Ransomware Most Famous Attacks
JVCKenwood is a Japanese multinational electronics company headquartered in Yokohama, Japan that, among others, focuses on car and home electronics, wireless systems for the worldwide consumer electronics market.
The company is one of the most recent victims that suffered a ransomware attack conducted by the Conti ransomware group.
It is believed that Conti has accessed and stolen almost 2TB of information belonging to JVCKenwood, as the company claims to have stolen information on JVCKenwood customers and suppliers.
The ransomware attackers asked for a ransom of $7M not to publish the stolen information and provide a decryptor.
The City of Tulsa
The threat actors deployed a ransomware attack on the City of Tulsa’s network. Tulsa’s infrastructure suffered from a major ransomware attack.
The attack had a massive impact as the city was forced to shut down its network in order to prevent the spread of malware.
This forced mitigation plan – shutting down the network – had however a significant impact on the residents. For a while, they were unable to access the online bill payments systems and other significant e-mail based services and, moreover utility billing services. All this time the City of Tulsa, Tulsa City Council, Tulsa Police, and Tulsa 311 have been taken “down for maintenance”. In other words, the City was forced to shut down all of its systems and disrupt all online services.
The organization was forced to shut down all of its IT systems after suffering a Conti ransomware attack.
The IT outage led to a massive disruption in the country’s healthcare infrastructure, therefore causing limited access to diagnostics and medical records. As you may imagine transcription errors due to handwritten notes started to occur, and slow response times to healthcare visits were more often than ever.
The Conti gang claimed to have had access to the HSE network for two weeks and allegedly have stolen 700 GB of unencrypted files, including patient info and employee info, contracts, financial statements, payroll, and more.
Conti said they would provide HSE with a decryptor and also delete the stolen data if a ransom of $19,999,000 is paid.
According to the Ransomwhere project, Conti is an extremely prolific threat actor managing to obtain more than $50 Million.
Following the invasion of Ukraine, a member of the Conti ransomware group believed to be of Ukrainian origin, disclosed the gang’s internal correspondence after the organization’s leaders wrote a pro-Russian statement on their official website.
393 JSON files containing over 60,000 internal chats stolen from the Conti and Ryuk ransomware gang’s private, encrypted XMPP chat server were disclosed by a Ukrainian researcher known as “ContiLeaks.”
The conversations provided an invaluable amount of information on the cybercrime organization, including bitcoin addresses, how the organization is organized as a business, evading law enforcement, how they conduct their attacks, and much more.
ContiLeaks proceeded to release more information after that, including the gang’s administrative panel source code, the BazarBackdoor API, photos of storage servers, and other stuff.
A password-protected ZIP containing the source code for the Conti ransomware encryptor, decryptor, and constructor, all of which could be downloaded for free, was also leaked.
What Can You Do to Protect Your Endpoints Against Conti Ransomware?
Here is a quick list to get you started. You can check this article for a more detailed approach on ransomware prevention.
Patching your operating systems, software, and firmware as soon as manufacturers offer updates is critical.
Update passwords on a regular basis.
Avoid using the same password for several accounts and use multi-factor authentication
Deactivate any ports that aren’t in use
Educate your employees to avoid questionable emails.
With the right knowledge and proper practices, as well as a reliable suite of solutions, staying safe from data breaches can come easy.
As always, Heimdal™ Security can help you with the latter. If you want to know more about which of our company products are best suited for your needs, don’t hesitate to contact us at email@example.com or book a demo.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.