Best Practices to Protect Against Conti Ransomware, from Case Study to Recovery
Carrying on from our recent work on Prometheus Ransomware, we have new thoughts and intelligence to share on Conti Ransomware. However, considering the current climate and chatter across the global cyber landscape, we thought it best to also discuss how enterprises today should approach best practices regarding protection against ransomware.
Part I — Conti Ransomware Case Study
Part II — Brief Analysis of Conti Ransomware
Part III — Best Practices for Enterprises Today
Part I — Conti Ransomware Case Study
When our post-breach Digital Forensic Incident Response (DFIR) investigation began, several domain controllers (DC) had already been compromised; a large amount of data had also been encrypted and exfiltrated as well.
Our investigation was further complicated due to an affected DC being reinstalled unexpectedly as well as the active directory (AD) not being directly managed by the customer but through a 3rd party IT service provider.
This campaign consisted of two main waves of attacks.
First Wave Operation
As soon as we began our investigation, we immediately detected an oci.dll backdoor on an endpoint. It was still active.
The oci.dll functioned as a CobaltStrike Beacon. It’s very common for threat actors to leverage msdtc.exe to side-load a malign dll (such as oce.dll) in order to evade detection and maintain persistence.
On the above dates in October, the attackers attempted to execute PSEXEC to conduct lateral movement and RAR for data compression.
The attackers executed PROCDUMP to dump the memory of lsass.exe, which contained Windows authentication information. Via offline brute-force, the attackers could have harvested credentials of high-privileged accounts.
On endpoint EP-5, the attackers used lpg.dll as the main backdoor. Later, the WMI and SCHTASKS were utilized for initiating a series of attacks and then laterally moving to other endpoints.
On the customer-controlled AD server, DC-1, several artifacts regarding lateral movement were found between the dates of 11/20 and 11/21. Malware was implanted to other 4 endpoints: EP-5, EP-4, EP-3, and EP-6.
Several files were remotely copied to endpoint EP-5 along with several logon activities from the compromised DC server.
Afterward, the malware connected back to C2, 173[.]234.155.85 (arcnew[.]com).
BeaconType — HTTPS
Port — 443
SleepTime — 5000
MaxGetSize — 1401323
Jitter — 10
MaxDNS — 235PublicKey — b’0\x81\x9f0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x81\x8d\x000\x81\x89\x02\x81\x81\x00\x8b6g;+\r(\xe3\xbb\xfa\xab&\xab\xf5/\xa0\x83dw\xaf\x81xd4cX\x8b\xcev&<”\x93}\xdet\n\xb0\x10\xdc\x03\xc8\xc0\xe52P\x80\x02\xd1\xc0M-\xe9C\xb6\xa7\x01\x943b\xe4Nj~\xd3)O\x02\xff\xc7\xe0\xa1\xa0\x92=\xb2@ \xf7\x8c\x98\xe3%\x07\x8c\\\xed\xe7/\xbdRO\x90\x1d\xb5R\x7f\x15\x84\xbe\x872\xdf\xd8\x17]”\x1d\xc7r\xdd4\x12Y\xa0r\x15\x8c\x1e\x9e[\x96\xd5\xbfs \xf0}\x02\x03\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'C2Server — arcnew.com,/us/ky/louisville/312-s-fourth-st.htmlUserAgent — Mozilla/5.0 (Windows NT 6.1)
AppleWebKit/537.36 (KHTML, like Gecko)HttpPostUri — /OrderEntryService.asmx/AddOrderLineHttpGet_Metadata —
CookieSpawnTo — b’\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'PipeName -
DNS_Idle — 188.8.131.52
DNS_Sleep — 0
SSH_Host — None
SSH_Port — None
SSH_Username — None
SSH_Password_Plaintext — None
SSH_Password_Pubkey — None
HttpGet_Verb — GET
HttpPost_Verb — POST
HttpPostChunk — 0
Spawnto_x86 — %windir%\syswow64\mstsc.exe
Spawnto_x64 — %windir%\sysnative\mstsc.exe
CryptoScheme — 0
Proxy_Config — None
Proxy_User — None
Proxy_Password — None
Proxy_Behavior — Use IE settings
Watermark — 0
bStageCleanup — True
bCFGCaution — True
KillDate — 0
bProcInject_StartRWX — True
bProcInject_UseRWX — False
bProcInject_MinAllocSize — 16700
ProcInject_PrependAppend_x86 — b’\x90\x90\x90'
ProcInject_PrependAppend_x64 — b’\x90\x90\x90'
ProcInject_AllocationMethod — NtMapViewOfSection
bUsesCookies — True
Second Wave Operation
The second wave of attacks was launched in December, demonstrating the attackers’ persistence and sophistication.
C2 173.34.155[.]85 had been used in the first wave of attacks, connecting to endpoint EP-5; this C2 would be used again in the second wave of attacks. The second wave would be launched from one malicious file (rez64.dll) on DC-2.
- 2020–12–06 07:32:00 DC-2, C:\ProgramData\left.dll
- 2020–12–06 08:04:18 DC-2, C:\ProgramData\left.dll,StartW
- 2020–12–06 09:10:41 AP-1, C:\ProgramData\left.dll
- 2020–12–06 10:12:11 EP-7 , C:\ProgramData\rez64.dll
- 2020–12–07 07:36:53 DC-2, C:\ProgramData\rez64.dll,StartW
- 2020–12–07 07:42:33 DC-2, C:\ProgramData\sql.dll
- 2020–12–07 10:42:07 AP-1, C:\ProgramData\sql.dll
The attack compromised AP-1 and utilized both WMIC and SCHTASKS to dump lsass processes on remote host EP-8. The corresponding process dump activities seen on EP-8 are listed below.
The attackers scheduled the ransomware to launch at midnight on 1 January 2021. In order to fully prevent this attack, we reversed the Conti ransomware variant and developed a digital vaccine against Conti, increasing the victim’s resilience and preventing any further attacks of a similar nature on their system.
In addition, we observed that in the second wave of attacks in December, the attackers also exploited FortiGate VPNs. Cybersecurity researcher and active Windows screenshot enthusiast, PeterM, tweeted in January of the same discovery, suggesting that the threat actor behind these attacks had been abusing this technique across the globe. In August 2021, The Record reported leaked material regarding affiliate partners of Conti. After reviewing these documents, we found many similar or identical activities in our case.
Part II — Brief Analysis of Conti Ransomware
While still relatively young in the ransomware game, Conti ransomware has proven to be quite advanced compared to other active ransomware today. We will now take a closer look into three aspects of Conti ransomware that highlight the severity of this threat: sped-up encryption, an increased number of encrypted files, and detection evasion techniques.
Sped up Encryption
Increased strength of the encryption key
Prioritizes speed; leverages encryption algorithm ChaCha
Chooses different encryption methods according to the size of the targeted file
Conti ransomware leverages ChaCha encryption, which is able to encrypt faster than other algorithms, such as AES. Before encrypting the targeted files, Conti ransomware will generate an independent encryption key for each file and use RSA to not only encrypt the key but also write it at the end of the file together with the targeted file’s original file size.
Encrypting larger files typically takes more time. Conti Ransomware’s solution to this is to adopt different encryption methods for files of different sizes and extensions. High-value targets will need to be completely encrypted; high-value targets could include database files, HR endpoints, Enterprise Resource Planning (ERP), or Manufacturing Execution Systems (MES). Files that are too large (such as disk images or files larger than 5MB) will only be partially encrypted.
Modern CPUs typically have multiple cores. In order to use computing resources more efficiently, Conti ransomware will typically use independent threads while searching for encryption targets and create the same number of threads as the number of CPU cores, thus allowing for the ransomware to use multiple cores to encrypt files simultaneously. This increased speed of encryption leads directly to the next problem.
Increased Number of Encrypted Files Per Attack
Special unlock system to lock files
Find network drives
Conti ransomware avoids noisy scans of a target environment by port scanning for previously (more commonly used) connected network segments from the ARP cache, locating more connected network drives for encryption, and ultimately encrypting more files. For Files exclusively owned by other applications, Conti ransomware will use Restart Manager to close running programs, allowing for even more files to become encrypted.
Detection Evasion Techniques
Turns off restore and antivirus programs
Program packing, coding
In order to reduce the probability of data being restored, Conti ransomware will use WMIC to delete shadow copies. The ransomware also utilizes a unique program obfuscation strategy. Each string in the program will be decrypted using a unique algorithm, and none of the import table contents will be hidden. While dynamically referencing an API, a variant of MurmurHash will be used to locate the API, making static features challenging to observe.
IoC | Type
173[.]234.155.85 | C2 IP
arcnew[.]com | C2 Domain
74[.]118.138.144 | C2 IP
Further Research on Conti Ransomware
For a further granular forensic breakdown of Conti ransomware, its obfuscation techniques, execution flow, encryption scheme, as well as the observed attacks, read our report on Conti Ransomware in Taiwan.
Part III — Best Practices for Enterprises Today
Security is no longer the sole responsibility of one department or one person; it requires effort and diligence from everyone. Even opening one malicious file/link from one email could give multiple attackers and threat groups access to your system.
Organizations no longer face lone hackers — or even hacker groups — but face the collaborative efforts of a thriving underground economy of script kiddies, ransomware gangs, nation-states, access brokers, cryptocurrency launderers, zero-day brokers, and more.
Here is a quick, actionable list of best practices to aid you in increasing your cyber resilience against ransomware attacks.
1. Do Not Pay the Ransom
Don’t do it. Paying the ransom does not guarantee access to a working decryption key, nor does it guarantee the attackers won’t just launch yet another ransomware attack on you or releasing your exfiltrated data out into the open.
Although the cybersecurity community strongly disapproves of ransom payment, some leadership do choose to go this route. Targeted ransomware attacks typically do a lot of reconnaissance prior to launching their attack and could ask anywhere from 5 to 15 percent of your annual income. Often, the support team (collections team) for the attackers will recommend the services of a negotiator that they’ve worked with in the past to help represent you.
While some cyber insurance policies cover ransomware payments, this can easily backfire for organizations as it can encourage targeted ransomware attacks as the attackers know their target will pay the ransom.
One of the founding members of REvil, known as Unknown, was asked in a recent interview if REvil targets organizations that have cyber insurance.
“Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
However, the tide is changing. AXA, a French insurance company, stated they would no longer cover ransomware payments. In addition, now, in the aftermath of the SolarWinds incident, the U.S. has begun heavily investing in cybersecurity and ransomware prevention with stricter laws requiring companies hit with ransomware to report to the government immediately.
2. Endpoint Security
While a zero-trust environment with limited and restricted user access helps prevent many attacks, preventive solutions (such as NGAV, firewalls, of threat intelligence gateways) do inevitably fail.
Some cybersecurity vendors use a metric known as “breakout time” (or however they wish to name it) which measures the time from the first initial access to the first lateral movement. The average breakout time for an attack is approximately 2 hours.
Only a mature endpoint detection and response system is capable of consistently preventing intrusions from escalating into business-altering incidents.
Endpoint security solutions not only reduce MTTD (mean-time-to-detect) and MTTR (mean-time-to-respond) but also generate large amounts of telemetry data. APT-level attacks (which now include ransomware and supply chain attack campaigns) can go months without detection. Without telemetry generating security tools coupled with long-term data retention, researchers and responders (DFIR services) won’t have much to work with in a post-breach investigation.
3. Data Retention & Data Recovery
Is your team experienced in fully restoring your entire environment from backups? If not, we strongly recommend routinely executing your data recovery plan.
Having backups has been standard operating procedure for decades; however, many organizations do not have rehearsed remediation protocols in place nor have real estimates (and not just wild speculations) on how long it would take to rebuild their networks from backups. Lacking a proper backup protocol defeats the purpose of having backups.
Blue Team drills should be a part of every SOC, and these drills should include full restoration of an environment from backups. Drills help locate procedural holes in your defense.
Ransomware typically searches for and encrypts files in network drives. In a few cases we’ve observed, the victim had non-isolated backups, which unfortunately allowed the attackers to encrypt the backups. In some cases, the backups were isolated/air-gapped; however, the digital key to decrypt the backups was located in the local file-sharing network that got encrypted by the ransomware. In one case, the backups and digital key were successfully air-gapped from the targeted network; however, they were located offsite hundreds of kilometers away, further adding major logistical difficulties for full remediation.
Useful Tips for Better Data Retention & Recovery
- Understand what data you have, and define specific policies for each. Attackers typically prioritize data from Human Resources (HR), Enterprise Resource Planning (ERP), Manufacturing Execution System (MES), or Financial-related Information(FI).
- Mounting multiple network-attached storage (NAS) is not an effective backup remediation strategy. However, meticulous tracking of each backup version is extremely helpful. File synchronization tools are your friends.
- Sharing folders via Network Drive without proper access control may increase your day-to-day productivity, but it is extremely insecure. Sharing folders with multiple users and devices increases the likelihood of ransomware encrypting those files. Even worse, in cases where several machines are infected, files in a shared folder may be encrypted numerous times, increasing the difficulty to decrypt or even making it impossible to recover at all.
- Once hit, accept that downtown could be longer than expected. At this point, thoroughness of security should take priority over efficiency or usability.
- Once hit by ransomware, recovering from damage and resuming day-to-day business operations are always paramount; however, preventing the next intrusion (which has been known to happen, especially in targeted ransomware attacks) is also important. Nobody wants to lose all their progress and start all over again.
- Resuming services is the first priority; however, preserving application logs, memory snapshots, or even whole disk dumps is necessary for a thorough and successful IR investigation. The scorched earth approach could aid you in getting clean faster; however, it also hinders you and the IR team in answering some of the more important questions: What was the initial access point? How did the attackers remain undetected? How long were they in your system? What endpoints did the attackers have access to? Are any of your partners in your supply chain affected?
- Prioritize your remediation policy according to the importance of the endpoints or assets.
- Endpoints that do not contain sensitive data should still be carefully isolated until remediation is completed to prevent further diffusion. Keeping the endpoints on, as opposed to off, could help with providing a more thorough and detailed IR report.
- Simply shutting down an endpoint is not an effective method as the ransomware could have hooked onto the system shutdown procedure, allowing the ransomware to clean up after itself and remove related artifacts to increase its stealth.
4. Continuous Incident Response
Ransomware attacks (especially the big game hunters) typically lurk in their target’s environment for quite some time prior to the launch of the ransomware attack. In order to maintain their foothold, these attackers tend to mask their entry vector and implant several backdoors.
Incident response investigations are never a one-and-done solution when it comes to ransomware. If your IR investigation fails to locate just one backdoor, your adversaries will only return in a matter of time. Therefore, a continuous IR solution with robust monitoring is needed to rapidly identify the root cause of attacks and root out each stealthy backdoor.
Maintaining a long-term monitoring defense after the initial IR investigation would reveal an adversary’s hidden backdoor before/when the attackers use it, thus revealing their initial access vector to the defenders.
A mature detection and response system is needed to reduce both MTTD (mean-time-to-detection) and MTTR (mean-time-to-respond), ensuring your organization remains resilient and healthy.
Everything Starts From Security
CyCraft Customers can prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend from all manner of modern security threats with real-time protection and visibility across the organization.
Engage with CyCraft
CyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being Fast / Accurate / Simple / Thorough.
CyCraft powers SOCs using innovative AI-driven technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. Everything Starts From Security.
Meet your cyber defense needs in the 2020s by engaging CyCraft at firstname.lastname@example.org
- Out of the 47 Representative AI Startups listed in Gartner’s AI Market Guide, 7 are based in Taiwan, and 5 are based in Hong Kong. But only 1 of the 47 Representative AI Startups focused on cybersecurity products and services — CyCraft.
- Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.
- Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
- Learn more about cybersecurity in our CyCraft Classroom Series. Our latest article, “What is Managed Detection and Response (MDR)?” teaches the benefits of MDR, its unique selling points, and how to make better-informed decisions when choosing an MDR service or vendor.
- New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.
- Our CyCraft AIR security platform achieved 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.