Best Practices to Protect Against Conti Ransomware, from Case Study to Recovery

Part I — Conti Ransomware Case Study

Fig 1. A screenshot of CyCraft AIR’s initial automated IR report of the customer’s environment.
Fig 2. Cyber situation graph of customer’s affected environment

First Wave Operation

Fig 3. CobaltStrike DLL Side Loading
Fig 4. CobaltStrike Beacon oci.dll via DLL SideLoading
Fig 5. PSEXEC and RAR
Fig 6. Procdump execution
Fig 7. Process tree to launch ransomware
Fig 8. Command-line information
Fig 9. Conti Ransomware — 1
Fig 10. Conti Ransomware — 2
Fig 11. Timeline Analysis in EP5
Fig 12. Execution Event for Launching Ransomware

CobaltStrike Config

BeaconType — HTTPS
Port — 443
SleepTime — 5000
MaxGetSize — 1401323
Jitter — 10
MaxDNS — 235
PublicKey — b'0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x8b6g;+\r(\xe3\xbb\xfa\xab&\xab\xf5/\xa0\x83dw\xaf\x81xd4cX\x8b\xcev&<"\x93}\xdet\n\xb0\x10\xdc\x03\xc8\xc0\xe52P\x80\x02\xd1\xc0M-\xe9C\xb6\xa7\x01\x943b\xe4Nj~\xd3)O\x02\xff\xc7\xe0\xa1\xa0\x92=\xb2@ \xf7\x8c\x98\xe3%\x07\x8c\\\xed\xe7/\xbdRO\x90\x1d\xb5R\x7f\x15\x84\xbe\x872\xdf\xd8\x17]"\x1d\xc7r\xdd4\x12Y\xa0r\x15\x8c\x1e\x9e[\x96\xd5\xbfs \xf0}\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
C2Server — arcnew.com,/us/ky/louisville/312-s-fourth-st.html
UserAgent — Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri — /OrderEntryService.asmx/AddOrderLine
HttpGet_Metadata —
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: https://locations.smashburger.com/us/ky/louisville.html
Connection: close
Cookie
HttpPost_Metadata —
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Cookie
SpawnTo — b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
PipeName -
DNS_Idle — 8.8.8.8
DNS_Sleep — 0
SSH_Host — None
SSH_Port — None
SSH_Username — None
SSH_Password_Plaintext — None
SSH_Password_Pubkey — None
HttpGet_Verb — GET
HttpPost_Verb — POST
HttpPostChunk — 0
Spawnto_x86 — %windir%\syswow64\mstsc.exe
Spawnto_x64 — %windir%\sysnative\mstsc.exe
CryptoScheme — 0
Proxy_Config — None
Proxy_User — None
Proxy_Password — None
Proxy_Behavior — Use IE settings
Watermark — 0
bStageCleanup — True
bCFGCaution — True
KillDate — 0
bProcInject_StartRWX — True
bProcInject_UseRWX — False
bProcInject_MinAllocSize — 16700
ProcInject_PrependAppend_x86 — b'\x90\x90\x90'
Empty
ProcInject_PrependAppend_x64 — b'\x90\x90\x90'
Empty
ProcInject_Execute —
ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod — NtMapViewOfSection
bUsesCookies — True
HostHeader -
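The configuration dump above is the raw output of a beacon config extractor. As an added example that is not part of the original post or CyCraft's tooling, the Python snippet below parses a dump in that "Key — Value" text form into a dict, pulls out the network indicators a defender would block or hunt for (C2 host and URIs, User-Agent, the decoy Referer, the sacrificial Spawnto processes), and turns SleepTime and Jitter into the beacon interval window that network detection rules can be tuned against. The sample is a subset of the fields shown above; the reading of Jitter as shortening the sleep by up to that percentage is an assumption stated in the code.

```python
import re

# Constructed sample: a subset of the beacon config dump from the case study,
# in the same "Key — Value" text form (the raw byte fields are omitted).
SAMPLE_CONFIG = """\
BeaconType — HTTPS
Port — 443
SleepTime — 5000
Jitter — 10
C2Server — arcnew.com,/us/ky/louisville/312-s-fourth-st.html
UserAgent — Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
HttpPostUri — /OrderEntryService.asmx/AddOrderLine
HttpGet_Metadata —
Accept: */*
Referer: https://locations.smashburger.com/us/ky/louisville.html
Cookie
Spawnto_x86 — %windir%\\syswow64\\mstsc.exe
Spawnto_x64 — %windir%\\sysnative\\mstsc.exe
ProcInject_AllocationMethod — NtMapViewOfSection
"""

# A key line is "<Name> — <value>" (em dash or hyphen); header lines under a
# *_Metadata key have no such separator and are treated as continuations.
KEY_RE = re.compile(r"^([A-Za-z0-9_]+) [—-]\s*(.*)$")


def parse_beacon_config(text):
    """Parse 'Key — Value' lines into a dict. A key with an empty value
    (e.g. HttpGet_Metadata) collects the following continuation lines as a list."""
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current, value = m.group(1), m.group(2)
            config[current] = value if value else []
        elif current is not None and isinstance(config[current], list):
            config[current].append(line)
    return config


def extract_iocs(config):
    """Collect the blockable / huntable indicators from a parsed config."""
    iocs = {"hosts": [], "uris": [], "referers": [], "spawnto": [], "user_agent": None}
    # C2Server is "<host>,<GET uri>"; the POST uri lives in its own field.
    c2 = config.get("C2Server", "")
    if c2:
        host, _, uri = c2.partition(",")
        iocs["hosts"].append(host.strip())
        if uri:
            iocs["uris"].append(uri.strip())
    if config.get("HttpPostUri"):
        iocs["uris"].append(config["HttpPostUri"])
    iocs["user_agent"] = config.get("UserAgent")
    # The Referer in the GET metadata is a decoy header the beacon sends to blend in.
    for hdr in config.get("HttpGet_Metadata", []):
        if hdr.lower().startswith("referer:"):
            iocs["referers"].append(hdr.split(":", 1)[1].strip())
    # Spawnto processes are the hosts for post-exploitation jobs: worth an EDR watch.
    for key in ("Spawnto_x86", "Spawnto_x64"):
        if config.get(key):
            iocs["spawnto"].append(config[key])
    return iocs


def beacon_interval_bounds(config):
    """Return (min_seconds, max_seconds) between check-ins.
    Assumption: jitter shortens the sleep by a random amount of up to Jitter percent."""
    sleep_ms = int(config["SleepTime"])
    jitter = int(config.get("Jitter", "0"))
    return (sleep_ms * (100 - jitter) / 100 / 1000, sleep_ms / 1000)


if __name__ == "__main__":
    cfg = parse_beacon_config(SAMPLE_CONFIG)
    print(extract_iocs(cfg))
    print("beacon interval window (s):", beacon_interval_bounds(cfg))
```

With the values above the window comes out at 4.5 to 5 seconds, which is the periodicity a NetFlow or proxy-log beaconing detector should be looking for against arcnew.com during the first wave.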

Second Wave Operation

  • 2020-12-06 07:32:00 DC-2, C:\ProgramData\left.dll
  • 2020-12-06 08:04:18 DC-2, C:\ProgramData\left.dll,StartW
  • 2020-12-06 09:10:41 AP-1, C:\ProgramData\left.dll
  • 2020-12-06 10:12:11 EP-7, C:\ProgramData\rez64.dll
  • 2020-12-07 07:36:53 DC-2, C:\ProgramData\rez64.dll,StartW
  • 2020-12-07 07:42:33 DC-2, C:\ProgramData\sql.dll
  • 2020-12-07 10:42:07 AP-1, C:\ProgramData\sql.dll
Fig 13. Time Bomb for Conti Ransomware
Fig 14. The other privilege escalation commands
Fig 15. Discussion of Conti in Twitter @PeterM
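The second-wave timeline shows the same DLLs staged under C:\ProgramData and then invoked through a StartW export on successive hosts. As an added example that is not from the original post, the Python snippet below parses execution events in that shape, flags DLL loads from user-writable staging directories (the directory list is an assumption), and orders the hosts each DLL appeared on so an analyst can see the spread from DC-2 outward. The sample events are constructed to mirror the timeline; because the page does not name the invoking process, the check keys on path and export name only.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the same "timestamp host, path[,export]" shape as
# the second-wave timeline; the last line is a benign load for contrast.
SAMPLE_EVENTS = r"""
2020-12-06 07:32:00 DC-2, C:\ProgramData\left.dll
2020-12-06 08:04:18 DC-2, C:\ProgramData\left.dll,StartW
2020-12-06 09:10:41 AP-1, C:\ProgramData\left.dll
2020-12-06 10:12:11 EP-7, C:\ProgramData\rez64.dll
2020-12-07 07:36:53 DC-2, C:\ProgramData\rez64.dll,StartW
2020-12-07 09:00:00 EP-3, C:\Windows\System32\kernel32.dll
"""

EVENT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+), ([^,]+)(?:,(\S+))?$"
)

# Assumption: writable directories that legitimate software rarely loads DLLs from.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")


def parse_events(text):
    """Turn the timeline lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, host, path, export = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "path": path.strip(),
            "export": export,  # e.g. "StartW", or None when no entry point was given
        })
    return events


def suspicious_dll_loads(events):
    """Return (host, path, export) for every DLL loaded from a staging directory.
    An explicit export such as StartW is the stronger signal and is kept in the tuple."""
    hits = []
    for e in events:
        low = e["path"].lower()
        if low.endswith(".dll") and low.startswith(SUSPICIOUS_DIRS):
            hits.append((e["host"], e["path"], e["export"]))
    return hits


def spread_by_dll(events):
    """Map each DLL file name to the hosts it appeared on, in time order,
    which gives a quick lateral-movement view of the staging activity."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        name = e["path"].rsplit("\\", 1)[-1].lower()
        if e["host"] not in seen[name]:
            seen[name].append(e["host"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in suspicious_dll_loads(evs):
        print("ALERT staging-dir DLL load:", hit)
    for dll, hosts in spread_by_dll(evs).items():
        print(dll, "->", " -> ".join(hosts))
```

Run against the constructed events, the two StartW invocations on DC-2 surface as the highest-signal hits, and the spread view shows left.dll moving from DC-2 to AP-1 within two hours, which is the window in which isolating DC-2 would have contained the second wave.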

Part II — Brief Analysis of Conti Ransomware

Sped up Encryption

Increased Number of Encrypted Files Per Attack

Detection Evasion Techniques

IoC List

Hashes

eb3fbab995fe3d4c57d4859f1268876c
68fe03eb79f5813dccb006699dd1f468b32a4d9e
5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6
0a31b41b97eec43f1fa2f477dc881b35
67310359595875992eec3f7cde96fd126e5a0f56
ab46cd9c8281c665c2400a14ead3a49eb3068b4871ef4b86513a009b20c28e0d
2588c7551246da0049be325015480ee5
10fd36feae808a3a8c7375611c0099a9a75044ab
7c8868721c86228a3567ebe77460445e1a812270180bcf5a5020a86afa0ff708
2a084ac8d6f8ce3c0f088e594dd9344a
b4ca2e13aace6b79b91aa92f2ce6630418a9e598
0a65dcccffb00c2874041401c137d13624ad470fc3980dfba16c282155adf40d
f971660ac1331a37cbbfa68ab3aedb76
36537644eca6bb6ab9e83a5fd5b68ae7
76B6C7BFA9CDF229E858FBBB2306ADB5
0A31B41B97EEC43F1FA2F477DC881B35
6E0AF9590C71328A7197377EA5CCB23B
4385E56300890FFDE03A8F553A6B07C1

C2 Information

IoC              | Type
-----------------|-----------
173[.]234.155.85 | C2 IP
arcnew[.]com     | C2 Domain
74[.]118.138.144 | C2 IP

Further Research on Conti Ransomware

Medium Article: Conti Ransomware in Taiwan

Part III — Best Practices for Enterprises Today

1. Do Not Pay the Ransom

“Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

2. Endpoint Security

3. Data Retention & Data Recovery

Useful Tips for Better Data Retention & Recovery

  • Understand what data you have, and define specific policies for each kind. Attackers typically prioritize data from Human Resources (HR), Enterprise Resource Planning (ERP), Manufacturing Execution Systems (MES), or Financial-related Information (FI).
  • Mounting multiple network-attached storage (NAS) devices is not an effective backup strategy on its own. However, meticulous tracking of each backup version is extremely helpful. File synchronization tools are your friends.
  • Sharing folders via a network drive without proper access control may increase your day-to-day productivity, but it is extremely insecure. Sharing folders with multiple users and devices increases the likelihood of ransomware encrypting those files. Even worse, when several machines are infected, files in a shared folder may be encrypted multiple times, which makes decryption harder or even impossible.
  • Once hit, accept that downtime could be longer than expected. At this point, thoroughness of security should take priority over efficiency or usability.
  • Once hit by ransomware, recovering from the damage and resuming day-to-day business operations are always paramount; however, preventing the next intrusion (which has been known to happen, especially in targeted ransomware attacks) is also important. Nobody wants to lose all their progress and start all over again.
  • Resuming services is the first priority; however, preserving application logs, memory snapshots, or even whole disk dumps is necessary for a thorough and successful IR investigation. The scorched-earth approach could get you clean faster; however, it also hinders you and the IR team in answering some of the more important questions: What was the initial access point? How did the attackers remain undetected? How long were they in your system? Which endpoints did the attackers have access to? Are any of your partners in your supply chain affected?
  • Prioritize your remediation policy according to the importance of the endpoints or assets.
  • Endpoints that do not contain sensitive data should still be carefully isolated until remediation is completed, to prevent further spread. Keeping those endpoints on, as opposed to off, can help produce a more thorough and detailed IR report.
  • Simply shutting down an endpoint is not an effective method, as the ransomware could have hooked the system shutdown procedure, allowing it to clean up after itself and remove related artifacts to increase its stealth.
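The tips above stress tracking each backup version and warn that shared folders can be encrypted repeatedly. As an added example that is not part of the original post or any CyCraft product, the Python snippet below builds a SHA-256 manifest of a backup version, diffs it against the previous version, and raises a flag when most of the previously known files have changed or vanished at once, which is the signature of a backup set that has itself been encrypted and should not be promoted as the recovery point. The directory layout and threshold are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def compare_manifests(old, new):
    """Classify files between two backup versions as changed, removed, or added."""
    return {
        "changed": [k for k in old if k in new and old[k] != new[k]],
        "removed": [k for k in old if k not in new],
        "added": [k for k in new if k not in old],
    }


def mass_change_suspected(old, new, threshold=0.5):
    """True when more than `threshold` of the previously known files changed or
    disappeared between versions. Normal business churn rarely rewrites a
    majority of files between two backup runs; ransomware does."""
    if not old:
        return False
    diff = compare_manifests(old, new)
    return (len(diff["changed"]) + len(diff["removed"])) / len(old) > threshold


def demo():
    """Constructed scenario: version 1 holds four business files; in version 2
    three have been rewritten with random bytes and one renamed with a new extension."""
    files = ("hr/payroll.xlsx", "erp/orders.csv", "mes/line1.log", "fi/ledger.db")
    with tempfile.TemporaryDirectory() as v1, tempfile.TemporaryDirectory() as v2:
        for name in files:
            for base in (v1, v2):
                f = Path(base, name)
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_text("original content of " + name)
        for name in files[:3]:
            Path(v2, name).write_bytes(os.urandom(64))  # stands in for encrypted output
        Path(v2, "fi/ledger.db").rename(Path(v2, "fi/ledger.db.locked"))
        m1, m2 = build_manifest(v1), build_manifest(v2)
        return compare_manifests(m1, m2), mass_change_suspected(m1, m2)


if __name__ == "__main__":
    diff, flagged = demo()
    print(diff)
    print("backup version looks encrypted:", flagged)
```

Keeping the manifest of every version alongside the data gives the IR team a trustworthy record of which version was last clean, and the same diff shows files that were hit more than once if you compare several successive versions rather than only the last two.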

4. Continuous Incident Response

Everything Starts From Security

Engage with CyCraft

Meet your cyber defense needs in the 2020s by engaging CyCraft at engage@cycraft.com

Additional Resources

  • Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
  • Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
  • Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
  • Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
  • New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
  • Our CyCraft AIR security platform achieved 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.

CyCraft Technology Corp

CyCraft automates SOC ops for the Fortune Global 500, national govs, & SMEs with MDR, IR, & threat hunting solutions. Learn more at CyCraft.com