Threat Thursday: Conti Ransoms Over 400 Organizations Worldwide

Threat Thursday: Conti Ransoms Over 400 Organizations Worldwide

RESEARCH & INTELLIGENCE / 05.27.21 / The BlackBerry Research and Intelligence Team

• Share on Twitter
• Share on Facebook
• Share on Linked In
• Email

Summary

First encountered in mid-2020, Conti ransomware has made international headlines since its initial discovery. We have witnessed attacks against industries such as manufacturing, insurance, and healthcare service providers across Japan, Europe, and the U.S. Threat actors recently released a decryptor for this threat, which can help recover files altered by a specific strain of Conti.

Conti is offered as a Ransomware as a Service (RaaS), which is a popular way for threat actors to distribute and sell their malicious services via underground forums. As this threat is offered as a saleable service, it is customizable and thus its functionality can be altered from one infection to another.

With the ceasing of operations of another infamous ransomware known as Ryuk, Conti has seen a rise in both position and popularity. It is widely regarded as the ransomware that took Ryuk's former place as one of the most concerning ransomware threats in-the-wild.

The Rise of 'Double Extortion' Ransomware

In late 2019, the ransomware family known as Maze was the first to be successful using a 'double-extortion' ploy, which implemented an initial phase of data gathering and information exfiltration before initiation of the traditional tactic of encryption. The aim of this new strategy was to gain leverage that would force victims to pay a ransom.

The success of this technique has led to its widespread adoption by many emerging ransomware families, including the infamous REvil ransomware, and also Conti. The attack chain of a 'double-extortion' ransomware differs from other types, in that a threat actor will initially perform reconnaissance and network intrusion before attempting to exfiltrate sensitive information from the affected organisation.

These initial reconnaissance and intrusion steps can be conducted over an extended time frame. Only after the data has been stolen will the attackers begin encrypting files with ransomware.

This technique is extremely troublesome for an affected organisation, as the threat actor has possession of their sensitive information as well as control of their devices via the ransomware. This greatly increases both the impact and risk posed to the victim. This tactic forces the victim to pay the ransom fee or risk having stolen confidential information leaked or sold to the highest underground bidder for further malicious gain.

Leaking of stolen information tends to be carried out via a 'leak site' where the threat actor will publicly release highly confidential records and information over time. This is usually done via a website hosted by the attacker, with the aim of putting further pressure on the victim to give into their demands.

Conti Ransomware

As one of its first actions, Conti will attempt to tamper with a victim machine's Volume Shadow Copies. This is an internal backup technology included in Windows®-based operating systems. Attackers do this to thwart attempts by victims to easily reclaim encrypted data and avoid having to pay the ransom.

The ransomware running on an affected device will also attempt to propagate on a network to spread its influence and damage. Conti achieves this by spreading laterally across a network, scanning the device's Local Network for any open SMB Network Shares.

Once it begins its encryption routine, Conti will enumerate through all attached storage devices. Once a file is marked to be encrypted, the malware appends filenames with a .CONTI or a .[A-Z]{5} file extension to confirm infection. The file extension that the malware appends varies from sample to sample, with current versions no longer using the appended filename .CONTI.

After the successful encryption of a directory or storage device the threat will drop a ransom note titled either 'Conti_README.txt' or 'readme.txt'.

Due to multiple variants of Conti being used in the wild, the naming convention of Conti ransomware can vary significantly, even from sample to sample.

A Change of Heart?

On May 20^th 2021, after international anger and condemnation of the most recent attacks carried out by Conti, the malware group responsible for the attack released a decryption key for the ransomware to the public. The group had initially demanded a ransom sum of €20,000,000 for said key before releasing it.

The key, when executed on affected systems, will attempt to unlock all encrypted files and restore systems to some form of operation.

Decryptor Tool

On the release of the decryptor key, the BlackBerry Threat Research Team analysed the tool created by the attackers. Though we were initially sceptical of this change of heart, the tool was found to indeed be benign and intended for this purpose.

The decryptor has no provision for command-line arguments to control or modify behaviour and functionality.

The decryptor spawns multiple decryption threads, as well as threads for network scanning and network share enumeration. The tool does have networking capabilities via Port 445, but this is a direct consequence of network scanning, share enumeration, file enumeration and subsequent file decryption.

It is further noted the tool does not have the ability to remove the ransom notes left on the directories that the ransomware had initially affected.

Another Health Service Victim

The same day as the threat group released a decryption key tool, the FBI released a flash alert noting that they had identified at least 16 major Conti ransomware attacks targeting American healthcare and First Responder network systems in the last year.

Operating System:

The following describes the Operating Systems that are at risk of this threat:

Impact:

The following describes the level of impact along with the likelihood of risk this threat currently presents:

Technical Analysis:

Conti has several different variants which vary in capabilities, obfuscation, and size, to maximize its reach. Thus far it has focused solely on Windows-based devices.

Conti ransomware uses various mechanisms designed to attempt to appear benign to the victim. Different variants do this by masquerading themselves as legitimate programs, utilities, or documents.

Like most malware, Conti is not limited to one form of icon:

Figure 1: Example of Conti masquerading as a PDF document.

Infection Vector

Since its inception in 2020, Conti has already seen multiple iterations, with each new variant advancing on its predecessor. The infection vectors utilized by Conti have also changed depending on the variant of the malware.

While attacks are not always targeted, threat actors can also customize an attack to a targeted victim. This customization is done to further increase the damage the threat can achieve.

Conti has been known to be used by other known malware families. Through spam phishing emails, a victim could initially become infected with the known downloader, Bazar Loader. Once in a victim's environment, this malware could then download and deploy Conti.

Conti has also been seen being deployed after an initial IcedID infection, with threat actors deploying the ransomware after achieving their initial goals on the affected systems.

Prior to Infection

After a system has been infected and breached by other malware, a threat actor can attempt to perform reconnaissance on the systems they have exploited.

These pre-ransom activities can include activities such as the following:

• Domain discovery
• Privilege escalation
• Lateral movement
• Port scanning
• Information exfiltration

These ends can be achieved in multiple ways, and they can continue for extended periods of time depending on the target and the goals of the initial attack.

Prior to infection, threat actors have abused Cobalt Strike beacons to achieve these malicious activities before deploying other batch scripts (.BAT) to copy the malware to vulnerable endpoints on the victim's systems. To achieve its malicious goals, Conti can abuse localised Windows-based tools like vssadmin.exe and wmic.exe.

Infection Chain

Upon execution, Conti ransomware first checks the computer name belonging to the victim, via the registry:

Figure 2: Conti uses Registry Queries to obtain device information.

Conti will then attempt to tamper with the affected device's Volume Shadow Copies. The overall goal of this behaviour is to make sure these files are not easily recoverable. It can achieve this end in multiple ways.

­Some variants of Conti have been observed performing this action by using the internal Windows based program WMIC.exe:

Command:
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where 'ID='{[A-Z0-9]{8} - [A-Z0-9]{4} [A-Z0-9]{4} [A-Z0-9]{4} [A-Z0-9]{12}'' delete

Other variants of this ransomware will use cmd.exe to attempt to resize the shadow storage on the local drives. They will then attempt to change the shadow storage to have a maximum size of 401MB before then changing this value to unbounded. This tactic is used to make sure that all potential back-up data is non-recoverable from the device's shadow copies. The threat will enumerate this process on all drives from drive (C:) through drive (H:).

After drive (H:), it will then delete the shadow copies:

Figure 3: Conti using vssadmin to resize shadowstorage to 401MB.

Figure 4: Changing the shadowstorage to unbounded.

Figure 5: This will enumerate until (h:\\) is done.

Figure 6: Conti will delete all Shadow Copies, preventing easy on-device recovery.

Once the Shadow Copies are deleted, variants of the threat attempt to move in tandem to spread within the network while performing the ransomware payload. They scan the local network for any open SMB connections that would allow them to move laterally across the victim's compromised network, while also beginning the encryption stage of the attack:

Figure 7: Attempts at lateral movement by Conti.

The ransomware will attempt to increase its speed of encryption by creating multiple threads for itself. As a result, its encryption and enumeration processes on the device are notably fast. As a result, this causes an impact on the affected device's CPU usage, functionality, and performance. The threat attempts to operate as quickly as possible, disregarding limitations of the device:

Figure 8: Conti Thread Create.

In earlier variants of the Conti ransomware, the original file-extension appended to the affected files was .CONTI; however, some new variants use a randomly-generated five-letter word .[A-Z]{5} instead:

Figure 9: Example of prior Conti encrypted file extension.

Figure 10: More recent naming scheme taken up by Conti.

After a directory is enumerated by the malware and all included file-types have been encrypted, the malware will drop a ransom note into each directory. The content of the note has been observed to change between variants:

Figure 11: Example of CONTI_README.txt.

Figure 12: Example of readme.txt/

Though the ransomware encrypts TXT files, it has exclusions to prevent its ransom notes from being affected.

Should a victim navigate to the URL provided within the newer variant's ransom note, it takes them to a page titled 'CONTI Recovery service' which prompts them to upload the readme.txt file in order to make contact with the attacker:

Figure 13: Conti Recovery Service.

Targeted File Extensions:

Conti will target and attempt to encrypt all file-types and file-extensions, except for a select few specific exclusions. As Conti is sold as Ransomware-as-a-Service (RaaS), there could be slight alterations even within a variant of the malware known as a strain. Though Conti tends to target a vast array of file-types, some exempted file-types can vary. It has been noted that some strains could affect one file-type while another might not, depending on the both the variant and strain of the malware.

This ransomware will also exclude files it has already encrypted to prevent double encryption, as this could result in complete data-loss that would nullify its ransom goals. Likewise, Conti also tends to avoid affecting files that could cause catastrophic system damage.

Exempted File Types:

The following are files which are excluded from encryption by Conti:

• CONTI_readme.txt / readme.txt
  Ransom note dropped in every directory upon encryption of its contents.
  
  
• *.[A-Z]{5} / *.CONTI
  Appended ransom file-extension signifying encryption.

These file-types are exempted from encryption, though the full list can vary in different variants of Conti:

• *.exe
• *.dll
• *.sys
• *.msi
• *.lnk

Exempted Folders:

The following are examples of folders exempted by variants of Conti:

• {C:\}Windows
• {C:\}Boot
• {C:\}winnt
• {C:\}temp
• {C:\}tmp

Key Decryptor Analysis

Attackers release a decryption key to unlock affected devices and their files. If used on a system affected with this specific strain of Conti, the key will execute a decryption routine and unlock all initial files affected by the ransomware.

Both static and dynamic analysis conducted on the decryptor showed no signs of function or capability beyond decrypting local and network-based files. There is no unpacking behaviour or facility for dynamic shell-code execution observed by the decryptor, and it provides no provision for additional command-line arguments to control and modify behaviour.

The decryptor spawns multiple decryption threads, as well as threads for network scanning and network share enumeration:

Figure 14: Capture of SMBv2 traffic the decryptor achieves.

Analysis of SMBv2 traffic captured during decryptor execution with encrypted files shows network file decryption occurring for files ending in '.FEEDC'. This means if a device was affected by a variant or strain of Conti that did not append with this filename, this decryption tool would not work.

SMBv2 file request functions stipulate only to open an existing file, or else to fail. No recorded attempts by the tool to copy itself via network shares were noted. Based on observed behaviour, the traffic seen on Port 445 is a direct consequence of network scanning, share enumeration, file enumeration and subsequent file decryption.

Indicators of Compromise (IoCs):

The following system changes are indicative of the compromise by Conti:

Mutex
[A-Z0-9]{52} - Conti V.3 Mutex

Older versions of Conti have use different naming conventions for its mutex. The naming convention of the mutex is static per sample but varies on a sample-to-sample basis.

File System
The following file system changes are made by Conti:

Created:
Readme.txt - Variation of Ransom Note.
CONTI_README.txt - Variation of Ransom Note.

Modified:
.CONTI - Variation of appended File-Extension.
.[A-Z]{5} - Variation of appended File-Extension.

Deleted:
Volume Shadow Copy.

BlackBerry Assistance

If you're battling this or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.

• Share on Twitter
• Share on Facebook
• Share on Linked In
• Email

Back

Public link

Please use the above public link if you want to share this noodl on another website.